1. What makes a password strong?
A strong password is one that resists both human guessing (your cat's name, your birth year) and automated cracking (dictionaries, leaked-password databases, brute-force on GPUs). Length beats complexity: a 16-character random passphrase is stronger than P@ssw0rd1!, and easier to type. The golden rule: every account gets its own unique password — credential stuffing attacks only work when you reuse.
16+ characters minimum in 2026
0 password reuse — ever
1 password manager to rule them all
2. Passphrases vs random strings
Two approaches, both valid:
Random string
Generated by your password manager. Max entropy, unmemorable — and that's fine, the manager remembers.
Example: x7!Kq$2mZ@pL9#vN
Diceware passphrase
Four to six random words. Easier to type for the few passwords you must remember (vault master, disk encryption).
Example: correct-horse-battery-staple
Understand password hashing on mlab.sh
Curious how servers store your password? Generate hashes on mlab.sh and see why salting and slow algorithms matter.
3. Password managers: why you need one
A password manager is an encrypted vault that generates, stores and auto-fills unique passwords for every site. You remember one master passphrase; it remembers the rest. Built-in managers (Apple Keychain, Google, Firefox) are free and fine for most people. Standalone options (Bitwarden, 1Password, KeePassXC) add cross-platform sync, secure sharing and breach alerts.
Auto-fill only on exact domains
A manager will not auto-fill paypaI.com (with a capital i) — that alone catches most phishing.
Breach monitoring
Most managers check Have I Been Pwned for you and flag compromised passwords.
Never store the master in the browser
The master passphrase is the one thing you memorise. Write it on paper in a safe, nowhere digital.
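How a breach check like the one under "Breach monitoring" can run without the password leaving the device, using the k-anonymity range lookup that Have I Been Pwned's Pwned Passwords service offers. This is an added example, not mlab's or any password manager's own code: the function names are hypothetical, the breach corpus and its counts are constructed, and an offline stand-in replaces the network request.

```python
import hashlib

def sha1_split(password: str) -> tuple[str, str]:
    """Uppercase SHA-1 hex digest split into (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body: str) -> dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines a range query returns; skip malformed rows."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts

def breach_count(password: str, fetch_range) -> int:
    """Times the password appears in the breach set; only the prefix is sent out."""
    prefix, suffix = sha1_split(password)
    # The suffix comparison happens locally, against every row for that prefix.
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

def make_offline_fetcher(corpus: dict[str, int]):
    """Constructed stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.

    Records every prefix it receives so the caller can see what left the device.
    """
    seen = []
    def fetch_range(prefix: str) -> str:
        seen.append(prefix)
        rows = []
        for breached, count in corpus.items():
            p, s = sha1_split(breached)
            if p == prefix:
                rows.append(f"{s}:{count}")
        return "\r\n".join(rows)
    return fetch_range, seen

if __name__ == "__main__":
    # Constructed breach corpus and counts, for illustration only.
    fetch, seen = make_offline_fetcher({"P@ssw0rd1!": 1200, "password": 9000})
    for candidate in ("P@ssw0rd1!", "x7!Kq$2mZ@pL9#vN"):
        hits = breach_count(candidate, fetch)
        print(f"{candidate!r}: {'COMPROMISED' if hits else 'not found'} ({hits})")
    print("sent to the service:", seen)
```

The service only ever sees five hex characters of the hash, which many different passwords share, so it cannot tell which password was checked.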
Password FAQ
Should I change my passwords regularly?
No — modern guidance (NIST) says rotate only when a breach is known. Forced rotation leads to weaker passwords.
Are browser password managers safe?
Yes, for most threats. A dedicated manager adds cross-device sync and better sharing, but Chrome/Firefox vaults are encrypted and fine.
What if my password manager gets breached?
Reputable managers use zero-knowledge encryption: even a breach of their servers only leaks encrypted vaults, protected by your master passphrase.
Source: mlab Academy — Cybersecurity Awareness Platform
URL: https://academy.mlab.sh//page/password-security
Module: Password security best practices — Digital Hygiene
Disclaimer: This content is for awareness purposes only.