The single biggest thing most people can do to improve their security is use strong, unique passwords for every account. It sounds like a lot, but with the right approach it's very manageable.
What Makes a Password Strong?
Modern guidance (from the US NIST, UK NCSC, and Canadian CRA) has shifted away from complex "P@ssw0rd!" style passwords. What actually matters is:
- Length: Longer is stronger. Aim for at least 12 characters, ideally 16+.
- Uniqueness: Every account should have a different password. That way, if one site is breached, your other accounts stay safe.
- Unpredictability: Avoid personal information — names, birthdays, favourite teams — that someone could guess.
A Simple Method: Passphrase
Pick four or five random words and join them: correct-horse-battery-staple is the famous example. It's long, memorable, and vastly harder to crack than "P@ssword1". Add a number and a symbol if the site requires it.
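An added example (not part of the original article) of the passphrase method above: it picks the words with a cryptographically secure random source and calculates how much guessing resistance each extra word adds. The function names and the 32-word sample list are constructed for illustration; a real generator should draw from a large published list, such as a 7776-word diceware list.

```python
import math
import secrets

# Constructed 32-word sample list (only 5 bits per word), for illustration.
# Real use needs a large list, e.g. a 7776-word diceware list (~12.9 bits/word).
SAMPLE_WORDS = (
    "anchor", "basket", "candle", "dolphin", "ember", "falcon", "garden", "harbor",
    "island", "jacket", "kettle", "lantern", "marble", "needle", "orchard", "pebble",
    "quarry", "ribbon", "saddle", "timber", "umbrella", "velvet", "walnut", "yonder",
    "zipper", "acorn", "bridge", "copper", "dagger", "engine", "feather", "glacier",
)
SYMBOLS = "!@#$%&*"


def entropy_bits(num_words, list_size):
    """Bits of entropy when num_words are drawn uniformly from list_size words."""
    return num_words * math.log2(list_size)


def words_needed(target_bits, list_size):
    """Smallest number of words that reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(words, num_words=5, sep="-", add_digit_symbol=False):
    """Join randomly chosen words; optionally append a digit and a symbol."""
    if num_words < 1 or len(set(words)) != len(words):
        raise ValueError("need num_words >= 1 and a list without duplicates")
    # secrets uses the OS CSPRNG; the random module is not suitable for passwords.
    parts = [secrets.choice(words) for _ in range(num_words)]
    if add_digit_symbol:  # for sites that insist on a number and a symbol
        parts.append(secrets.choice("0123456789") + secrets.choice(SYMBOLS))
    return sep.join(parts)


if __name__ == "__main__":
    print(generate_passphrase(SAMPLE_WORDS, add_digit_symbol=True))
    for n in (4, 5):
        print(n, "words from 7776:", round(entropy_bits(n, 7776), 1), "bits")
    print("words needed from the sample list for 64 bits:", words_needed(64, 32))
```

The entropy figures hold only because the words are chosen by the random source; words a person picks by hand are far more predictable.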
Why You Need a Password Manager
Nobody can remember a unique 16-character password for every site they use. A password manager does it for you — it stores all your passwords securely behind one master password, and can generate strong random passwords automatically.
Free options that work well
- Bitwarden — free, open-source, works on Windows, Mac, iOS, and Android. Highly recommended.
- KeePass — free and open-source, stores everything locally on your computer.
- Browser built-in managers — Chrome, Edge, Firefox, and Safari all have built-in password managers that sync across your devices. They're not as feature-rich but are far better than reusing passwords.
Getting Started with Your Browser's Password Manager
- In Chrome or Edge, go to the three-dot menu > Passwords (or Settings > Autofill > Password Manager).
- Turn on Offer to save passwords.
- Next time you log in somewhere, let the browser save it.
- For existing accounts with weak passwords, the manager will prompt you to update them.
Once you have a password manager in place, you can start going through your accounts and upgrading the weak ones. Focus first on email, banking, and any account where you can make purchases.