10 Ways to Protect Your Passwords from Hackers

Hackers steal passwords through breaches, phishing, and brute force — not by “hacking” individual accounts. These 10 methods address all three attack vectors with steps you can implement today, starting with the ones that matter most.
1. Use Passphrases, Not Complex Passwords
The standard advice — add numbers and symbols to a word — is wrong. A complex short password is weaker than a long simple one.

```text
# Hashcat GPU cracking estimates (2026 hardware):
"P@ssw0rd!" — 8 chars complex: cracked in < 1 hour
"Tr0ub4dor&3" — 11 chars complex: cracked in 3 days
"correct horse battery staple" — 4 words: 550 years
"purple sunday morning coffee" — 4 words: 900 years
# Length beats complexity every time
# Use 4+ random unrelated words for any password you type manually
```
Pick four unrelated words at random and use them as your passphrase. “Carpet Mountain Dolphin Tuesday” is a stronger password than any 12-character string of symbols and numbers — and you’ll actually remember it.
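
To make the "length beats complexity" point concrete, here is an added example (not code from the article) that generates a passphrase with a cryptographic random source and compares the search space an attacker faces. The 7,776-word list size is that of the EFF long wordlist; the embedded 16-word list, the 100,000-word dictionary with 10,000 mangling rules used to model a "P@ssw0rd!"-style password, and the guess rate of 100,000 per second for a slow hash are all assumptions chosen for illustration.

```python
import math
import secrets

# Constructed demo word list. A real generator needs a large list (for example the
# EFF long list, 7,776 words): the list size, not the words, sets the entropy.
DEMO_WORDS = [
    "carpet", "mountain", "dolphin", "tuesday", "purple", "sunday",
    "morning", "coffee", "correct", "horse", "battery", "staple",
    "copper", "lantern", "meadow", "violin",
]


def generate_passphrase(words, count=4, sep=" "):
    """Pick `count` words uniformly with a CSPRNG (never the `random` module)."""
    return sep.join(secrets.choice(words) for _ in range(count))


def entropy_bits(choices, length):
    """Entropy of `length` independent picks from `choices` equally likely options."""
    return length * math.log2(choices)


def crack_seconds(bits, guesses_per_second):
    """Expected time to guess: on average half the key space must be searched."""
    return (2 ** bits) / 2 / guesses_per_second


def compare(list_size=7776, word_count=4, rate=1e5):
    """Return (bits, expected seconds) for a random passphrase versus a mangled
    dictionary word. Assumptions: the attacker models mangled words as ~100k
    dictionary words x ~10k rules, and `rate` is 1e5 guesses/s against a slow
    hash such as bcrypt (a fast unsalted hash would be orders of magnitude faster)."""
    phrase_bits = entropy_bits(list_size, word_count)
    mangled_bits = math.log2(100_000 * 10_000)
    return {
        "passphrase": (round(phrase_bits, 1), crack_seconds(phrase_bits, rate)),
        "mangled_word": (round(mangled_bits, 1), crack_seconds(mangled_bits, rate)),
    }


if __name__ == "__main__":
    print(generate_passphrase(DEMO_WORDS))
    for kind, (bits, secs) in compare().items():
        print(f"{kind}: {bits} bits, about {secs / 3.15e7:.1f} years at 1e5 guesses/s")
```

With the defaults the four-word passphrase comes out around 51.7 bits (hundreds of years at the assumed rate), while the mangled word sits near 29.9 bits (a little over an hour). Note that the demo list alone would give only 16 bits for four words, which is why the list must be large.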
2. Enable Two-Factor Authentication Everywhere

2FA means an attacker who steals your password still can’t log in without your second factor. Microsoft reports that 2FA blocks 99.9% of automated account takeover attempts.
Enable 2FA on your email account before anything else. Your email is the master key to your entire digital life — if an attacker owns your email, they own the password reset for every other account. Email with 2FA is vastly more important than any other account you have.
Use an authenticator app (Google Authenticator, Authy) over SMS when possible. SMS 2FA can be bypassed through SIM swapping attacks.
3. Use a Password Manager

A password manager generates and stores unique passwords for every account. You remember one master password; the manager handles the rest.
| Manager | Price | Open Source | Best For |
|---|---|---|---|
| Bitwarden | Free (paid from $10/yr) | Yes | Best free option overall |
| 1Password | $36/year | No | Family and team sharing |
| Dashlane | $33/year | No | Built-in VPN included |
| KeePassXC | Free | Yes | Offline-only, maximum control |
| iCloud Keychain | Free (Apple only) | No | Apple ecosystem users |
Bitwarden is free, open-source, and independently audited. There is genuinely no downside to using it. If you’re using the same password on multiple sites right now, installing Bitwarden and changing your key accounts over one evening is the most impactful security action you can take.
4. Use a Unique Password for Every Account

Password reuse is what turns a single breach into a catastrophe. When LinkedIn was breached in 2012 (117 million passwords), those credentials were used to break into completely unrelated accounts — Netflix, Dropbox, and others — years later.
What credential stuffing looks like:
- Attacker buys 100M username/password pairs
- Runs automated tool against 50 popular sites
- Login succeeds on accounts using the same password
- Attacker accesses bank, email, shopping accounts instantly
Why unique passwords stop this:
- Even if Site A is breached, Site B credentials are different
- Attacker gains nothing reusable from one breach
- Password manager makes unique passwords effortless
- One breach = limited to one account
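
From the defender's side, credential stuffing has a recognisable shape in authentication logs: one source failing against many different usernames in a short window, rather than one user mistyping the same account. The following is an added example (not code from the article) that parses constructed log lines in an assumed `src=… user=… result=…` format, flags sources by distinct failed usernames, and lists the accounts that nevertheless succeeded from a flagged source; the field names, thresholds and the five-minute window are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system); 203.0.113.0/24 and
# 198.51.100.0/24 are documentation address ranges.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z auth src=203.0.113.7 user=alice result=FAIL
2024-05-01T10:00:02Z auth src=203.0.113.7 user=bob result=FAIL
2024-05-01T10:00:02Z auth src=203.0.113.7 user=carol result=FAIL
2024-05-01T10:00:03Z auth src=203.0.113.7 user=dave result=SUCCESS
2024-05-01T10:00:03Z auth src=203.0.113.7 user=erin result=FAIL
2024-05-01T10:00:04Z auth src=203.0.113.7 user=frank result=FAIL
2024-05-01T10:00:10Z auth src=198.51.100.2 user=alice result=FAIL
2024-05-01T10:00:40Z auth src=198.51.100.2 user=alice result=FAIL
2024-05-01T10:01:10Z auth src=198.51.100.2 user=alice result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse(log_text):
    """Return (timestamp, src, user, result) tuples; malformed lines are skipped
    so one bad line cannot stop the detector."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["result"]))
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_users=5):
    """Flag sources whose failures touch at least `min_users` distinct usernames
    inside `window`. A user who mistypes hits one account; stuffing spreads one
    password across many, so distinct users per source is the signal."""
    by_src = defaultdict(list)
    for ts, src, user, result in sorted(events):
        if result == "FAIL":
            by_src[src].append((ts, user))
    flagged = {}
    for src, fails in by_src.items():
        for i, (start, _) in enumerate(fails):
            users = {u for t, u in fails[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged[src] = len(users)
                break
    return flagged


def likely_compromised(events, flagged):
    """Accounts that logged in successfully from a flagged source: these are the
    reused passwords the attacker found, and the ones to reset first."""
    return {user for _, src, user, result in events
            if src in flagged and result == "SUCCESS"}


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    hits = detect_stuffing(ev)
    print("flagged sources:", hits)
    print("accounts to reset:", likely_compromised(ev, hits))
```

On the sample data the first source is flagged (five distinct failed usernames in a few seconds) and `dave` is identified as the account whose reused password worked; the second source, a single user retrying their own account, is not flagged.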
5. Monitor Your Accounts for Breaches

Your password may have been exposed in a breach years ago without your knowledge. Check whether it has, and act on what you find.
Check haveibeenpwned.com
Enter your email addresses. The site checks against 12+ billion compromised accounts. If found, change that password immediately.
Enable breach notifications
Sign up for free email alerts on HIBP. You'll be notified within days of any new breach that includes your email.
Enable Google Password Checkup
In Chrome or Android: Settings → Passwords → Check passwords. Google compares your saved passwords against known breaches.
Use Apple's Security Recommendations
iPhone: Settings → Passwords → Security Recommendations. Shows all your saved passwords that have appeared in known breaches.
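
Breach-checking services can test a password without ever receiving it. The Have I Been Pwned "Pwned Passwords" range API works by k-anonymity: the client sends only the first five hex characters of the password's SHA-1 hash and receives every suffix in that range with its breach count, then matches locally. The following is an added example (not code from the article or from HIBP) that does the hashing and local matching; the response body is a constructed stand-in for the real one (real responses run to hundreds of lines and the counts change), and no network call is made.

```python
import hashlib

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str):
    """Split the upper-case hex SHA-1 into the 5-char prefix that is sent and the
    35-char suffix that stays on this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def range_url(prefix: str) -> str:
    """URL the client would fetch (GET); only the prefix is disclosed."""
    return HIBP_RANGE_URL + prefix


def count_in_range(suffix: str, range_body: str) -> int:
    """Parse a range response of 'SUFFIX:COUNT' lines and return the count for our
    suffix, or 0 when it is absent from the range."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def check_password_offline(password: str, range_body: str) -> int:
    """Number of times `password` appears in the supplied range body."""
    _prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range(suffix, range_body)


# Constructed stand-in for the response to prefix 5BAA6. The second line carries the
# real suffix of SHA-1("password"); the other suffixes and all counts are made up.
SAMPLE_RANGE_BODY = """\
003D68EB55068C33ACE09247EE4C639306B:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:314159
01F4D3C9C1D1D9A1E1E0D2F5E4B5A5D7C23:1
"""

if __name__ == "__main__":
    prefix, _ = sha1_prefix_suffix("password")
    print("would fetch:", range_url(prefix))
    print("seen in sample range:", check_password_offline("password", SAMPLE_RANGE_BODY))
```

The design point is that a malicious or compromised server learns only a 5-character prefix shared by many thousands of passwords, so the check leaks essentially nothing even if the service is untrustworthy.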
6. Protect Yourself from Phishing

Phishing steals more passwords than all hacking techniques combined. The attacker creates a fake login page that looks identical to the real one — you type your credentials directly into their server.
The URL is the only reliable indicator of a phishing page. Check the domain before entering any credentials: the correct URL for Google is accounts.google.com — not accounts-google.com, accounts.google.secure-login.com, or any other variation. Attackers register nearly identical domains specifically for this.
The best defense against phishing is a hardware security key or passkey. When you use a passkey, the authentication is cryptographically tied to the specific domain — a phishing site on a different domain simply cannot authenticate you, even if the page looks identical.
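
The two checks this section describes, exact host matching for a login page and the domain binding that makes passkeys phishing-resistant, are both mechanical. Here is an added example (not code from the article) that applies them with the standard library: the first function accepts a URL only when its host is exactly the expected one, and the second mirrors the WebAuthn rule that an origin must be HTTPS and its host must equal the relying-party ID or be a subdomain of it. Consulting the public-suffix list, which real browsers also do, is omitted here; the `google.com` relying-party ID is an assumption for the illustration.

```python
from urllib.parse import urlsplit


def host_of(url: str) -> str:
    """Hostname as a browser would see it: lower-cased, trailing dot removed, and
    anything before an '@' treated as userinfo rather than as the host."""
    parts = urlsplit(url)
    return (parts.hostname or "").rstrip(".").lower()


def is_expected_login_host(url: str, expected_host: str) -> bool:
    """Exact host match. Look-alikes such as accounts-google.com or
    accounts.google.secure-login.com fail because they are different hosts."""
    return host_of(url) == expected_host.lower()


def origin_matches_rp_id(origin: str, rp_id: str) -> bool:
    """Domain binding in the style of WebAuthn: only an https origin whose host is
    the relying-party ID, or a subdomain of it, can use the credential. A phishing
    page on another domain cannot even ask for it."""
    parts = urlsplit(origin)
    if parts.scheme != "https":
        return False
    host = host_of(origin)
    rp = rp_id.lower()
    return host == rp or host.endswith("." + rp)


if __name__ == "__main__":
    for url in ("https://accounts.google.com/signin",
                "https://accounts-google.com/signin",
                "https://accounts.google.secure-login.com/",
                "https://accounts.google.com@evil.example/"):
        print(url, "->", "ok" if is_expected_login_host(url, "accounts.google.com") else "REJECT",
              "| passkey usable:", origin_matches_rp_id(url, "google.com"))
```

The last sample URL shows why the whole host, not the start of the address bar, is what matters: everything before the `@` is userinfo, and the real host is `evil.example`.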
7. Delete Accounts You No Longer Use

Old accounts accumulate over time and represent security risks you’ve forgotten about. Every account you don’t monitor is a potential breach notification you’ll never receive.
Find old accounts
Search your email for 'welcome', 'verify', 'confirm your account', and similar terms. This reveals accounts you created years ago.
List what you find
Make a list of accounts sorted by whether you still use them. Aim to close anything unused in the past 12 months.
Delete accounts, not just apps
Uninstalling an app doesn't delete your account. Visit the service's website and use their account deletion process.
Use JustDeleteMe.com for help
JustDeleteMe.com rates how easy it is to delete accounts and links directly to the deletion pages for hundreds of services.
8. Never Share Passwords

9. Use Biometrics Where Available

Fingerprint and face recognition replace typing a PIN or password to unlock a device, which removes the shoulder-surfing risk of someone watching you enter it.
Biometrics on modern phones are stored in secure hardware enclaves (Apple Secure Enclave, Android Titan M chip) and never transmitted anywhere. Facial recognition data cannot be extracted from the device.
10. Keep Software and Passwords Updated

| Action | Frequency | Impact |
|---|---|---|
| Check HIBP for breaches | Monthly | Catches breach exposure early |
| Update passwords on critical accounts | Every 6 months | Limits exposure window |
| Review app permissions | Quarterly | Removes unnecessary data access |
| Update OS and apps | Weekly (auto) | Closes security vulnerabilities |
| Audit password manager | Annually | Find and update weak/reused passwords |
These 10 steps compound. Using a password manager makes unique passwords effortless. 2FA makes stolen passwords useless. Breach monitoring catches problems early. None of these steps takes more than an hour to implement, and together they eliminate the vast majority of real-world password attack vectors.
Security recommendations evolve. Verify current guidance against NIST SP 800-63B and CISA’s security publications for the most up-to-date standards.
Privacy advocate and tech journalist. Makes complex security topics simple for everyday users.


