3 Simple Habits for Password Security: A Guide to Safer Online Practices
The Password Problem Nobody Wants to Talk About
Here is a fact that still keeps me up at night: the most common password in the world is still "123456." In 2025. Despite everything we know about data breaches, identity theft, and ransomware, millions of people are still using passwords that a five-year-old could guess.
I am Bruce Johnson, and I have spent over seven years in cybersecurity working with companies like Dell, CyberArk, and Delinea. I have seen the damage that weak passwords cause — from individual bank accounts getting drained to entire companies getting locked out of their own systems. The good news is that you do not need to be a tech expert to fix this. You just need three simple habits.
Habit 1: Use a Password Manager
I know what you are thinking. "I can remember my passwords just fine." And you probably can — because you are using the same password everywhere. That is the problem.
A password manager is an app that stores all of your passwords in one secure vault. You only need to remember one master password to unlock it. The manager handles everything else — generating strong passwords, filling them in when you log in, and syncing across your devices.
Think of it like a safe deposit box at the bank. Instead of keeping your valuables scattered around the house where anyone might find them, you put them in one secure location with a single key.
Popular options include 1Password, Bitwarden, and Dashlane. Many of them have free tiers, and the paid versions are usually less than five dollars a month. That is a tiny price to pay for peace of mind.
Here is a real-world example of why this matters. In 2022, a breach at a major telecom company exposed customer data. Investigators found that many of the compromised accounts used passwords that had already been leaked in previous breaches. The users were reusing the same password across multiple sites. A password manager would have prevented that entirely because every account would have had a unique password.
Habit 2: Use a Unique Password for Every Account
This is the most important habit on this list, and it is the one people resist the most. I get it — creating a different password for every account sounds exhausting. But with a password manager doing the work for you, it is actually effortless.
Why does this matter? Because breaches happen all the time. When one service gets hacked and your password leaks, attackers do not just try it on that one site. They use automated tools to test your email and password combination on hundreds of other sites — your bank, your email, your social media, your work accounts. This is called credential stuffing, and it is one of the most common attack methods out there.
If every account has a unique password, a breach at one site stays contained to that one site. Your bank account does not get compromised just because a food delivery app got hacked.
I have talked to people who had their email compromised, which led to their bank account being accessed, which led to fraudulent wire transfers — all because they used the same password for everything. It is a domino effect, and a unique password for each account is how you stop the dominoes from falling.
Habit 3: Make Your Passwords Long, Not Complex
For years, we were told to make passwords "complex" — throw in an uppercase letter, a number, a special character, and you are good. That advice created passwords like "P@ssw0rd1!" which looks complicated but is actually one of the first things an attacker will try.
The better approach is to make your passwords long. A password like "correct-horse-battery-staple" is significantly harder to crack than "Br0k3n!7" even though the first one uses only lowercase letters and dashes. Length beats complexity every time because each additional character multiplies the number of possible combinations an attacker has to try, so the total grows exponentially with length.
Here is how I explain it in my talks: imagine a combination lock. A lock with four digits has 10,000 possible combinations. A lock with eight digits has 100 million. Now imagine that instead of digits, you are using letters, numbers, and symbols. The math gets very favorable very quickly when you add length.
If you are using a password manager, you do not even need to worry about remembering these long passwords. Let the manager generate a 20-character random string for each account. You will never need to type it manually.
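The combination-lock arithmetic and the 20-character random string described above, as an added example that is not taken from any password manager's code. It assumes a 94-character printable-ASCII alphabet and uses Python's `secrets` module as the random source; the function names are illustrative.

```python
import math
import secrets
import string

# Assumption: letters, digits and ASCII punctuation (52 + 10 + 32 = 94 symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidates an exhaustive search has to cover."""
    return alphabet_size ** length


def bits(alphabet_size: int, length: int) -> float:
    """The same quantity on a log2 scale, easier to compare across lengths."""
    return length * math.log2(alphabet_size)


def generate(length: int = 20) -> str:
    """Random password drawn from the OS CSPRNG, one independent pick per character."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def comparison() -> dict:
    """Search-space size in bits for the cases the text walks through."""
    return {
        "4-digit lock": bits(10, 4),
        "8-digit lock": bits(10, 8),
        "8 chars, full alphabet": bits(len(ALPHABET), 8),
        "20 chars, full alphabet": bits(len(ALPHABET), 20),
    }


if __name__ == "__main__":
    # These figures hold only when every character is chosen uniformly at
    # random, which generate() guarantees; human-chosen strings fall below them.
    for label, b in comparison().items():
        print(f"{label:<26} {b:6.1f} bits")
    print("sample:", generate())
```
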
What About the Passwords You Already Have?
You do not need to change every password today. Start with the ones that matter most — your email, your bank, and any work accounts. Those are the high-value targets. Set up your password manager, generate new unique passwords for those accounts, and then work through the rest over time.
Most password managers will even audit your existing passwords and tell you which ones are weak, reused, or have appeared in known breaches. That gives you a clear checklist to work through.
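The kind of audit described above, sketched as an added example; it is not the code of any particular password manager. The vault entries, the breach list and the 12-character threshold for "weak" are constructed assumptions.

```python
import hashlib
from collections import defaultdict

MIN_LENGTH = 12  # assumption: the page gives no cut-off for "weak"


def sha1_hex(password: str) -> str:
    """Hash used only for lookup, so the breach list never holds plaintext."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed sample vault: site -> password.
VAULT = {
    "email.example": "123456",
    "bank.example": "P@ssw0rd1!",
    "food-delivery.example": "P@ssw0rd1!",
    "work.example": "kV9#tq2LmZ8!rWx4Bn7$",
}

# Constructed stand-in for a corpus of hashes from known breaches.
BREACHED_HASHES = {sha1_hex("123456"), sha1_hex("P@ssw0rd1!")}


def audit(vault: dict, breached_hashes: set, min_length: int = MIN_LENGTH) -> dict:
    """Return {site: [issues]} for every entry that is weak, reused or breached."""
    sites_by_password = defaultdict(list)
    for site, password in vault.items():
        sites_by_password[password].append(site)

    findings = {}
    for site, password in vault.items():
        issues = []
        if len(password) < min_length:
            issues.append("weak")
        if len(sites_by_password[password]) > 1:
            issues.append("reused")
        if sha1_hex(password) in breached_hashes:
            issues.append("breached")
        if issues:
            findings[site] = issues
    return findings


if __name__ == "__main__":
    for site, issues in audit(VAULT, BREACHED_HASHES).items():
        print(f"{site}: {', '.join(issues)}")
```
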
A Quick Word About Writing Passwords Down
I know some security experts will disagree with me here, but I would rather someone write a unique password on a piece of paper locked in a desk drawer than reuse the same password across fifty accounts. Physical security is something most people are already good at. Digital security is where the gaps are. If writing it down gets you to use unique passwords, that is a net win.
That said, a password manager is still the better option. It is more secure, more convenient, and it scales as you create new accounts.
The Bottom Line
Password security does not have to be complicated. Use a password manager. Make every password unique. Make them long. Those three habits will put you ahead of the vast majority of people and make you a significantly harder target for attackers.
If your organization needs help building better security habits, I run workshops and training sessions throughout the San Francisco Bay Area that break this stuff down in plain English. No jargon, no scare tactics — just practical advice your team can actually use.