Password Security Checklist 2026: 10 Steps to Protect Your Accounts
A practical 10-point password security checklist — length, uniqueness, 2FA, password managers, and common mistakes with real breach statistics.
Written by Alex · Developer & Founder
Solo developer based in Adelaide, Australia. Built MyEasyTools to make everyday file and text tasks faster and free for everyone.
More than 24 billion username and password combinations were exposed in data breaches in 2024 — a figure that includes credentials from breaches at major banks, healthcare providers, and retail platforms. Most of those stolen passwords were reused across multiple accounts, which turned one breach into many.
This checklist covers the 10 things that actually prevent account compromise. None of them require technical expertise.
The checklist
1. Use a minimum of 16 characters
Password length is the single most important factor in resistance to brute-force attacks. Here's why:
An 8-character password drawn from the 95 printable ASCII characters (mixed case, digits, symbols, space) has 95^8, roughly 6.6 quadrillion, possible combinations. Modern GPU hardware can test over 100 billion guesses per second against a fast, unsalted hash such as MD5 or NTLM. At that rate the whole 8-character keyspace is exhausted in about 66,000 seconds, under a day. (Against a deliberately slow hash such as bcrypt or Argon2 the rate drops by several orders of magnitude, but you cannot control which hash a site uses, so plan for the fast case.)
A 16-character password over the same character set has 95^16 = 4.4 × 10^31 combinations. At the same 100 billion guesses per second, exhausting that keyspace would take on the order of 10^13 years, far beyond any practical attack.
The password generator on MyEasyTools defaults to 16 characters and uses window.crypto.getRandomValues() — the browser's cryptographically secure random number generator, not the guessable Math.random().
2. Use a different password for every account
This is the most important practice and the most neglected. A Google/Harris Poll survey found that 65% of people reuse passwords across accounts. When one account is breached, attackers immediately try those credentials at hundreds of other services, a technique called credential stuffing.
If your email password was reused from a breached forum, your email is compromised. From email, attackers reset every other account. One reused password cascades into a total account takeover.
3. Enable two-factor authentication (2FA) on every important account
Two-factor authentication requires a second proof of identity beyond the password: a code from an app, a hardware key, or a biometric. If your password is stolen in a breach, 2FA stops the attacker from logging in with it. One caveat: a one-time code can still be relayed by a phishing page that proxies the real site in real time, so for accounts that matter most, a FIDO2/WebAuthn hardware key (which is bound to the real site's origin) is the only option that resists phishing outright.
Priority order for 2FA:
- Email — controls password resets for everything else
- Banking and financial services
- Work accounts
- Social media with large followings or personal data
- Password manager
Prefer an authenticator app (Google Authenticator, Authy, or Bitwarden's built-in 2FA) over SMS where possible, because SIM swapping attacks can intercept SMS codes. Where the service supports it, a hardware security key (FIDO2/WebAuthn) is stronger still.
4. Use a password manager
A password manager generates, stores, and auto-fills unique, random passwords for every site. You only need to remember one strong master password.
Well-regarded free options include Bitwarden (open source, cloud sync) and KeePassXC (local storage, no cloud sync). Paid options include 1Password and Dashlane.
Without a password manager, unique 16-character passwords for 50+ accounts are genuinely not memorable — and writing them down creates a physical security risk. Password managers solve this problem.
5. Never use personal information in passwords
Passwords like Sarah1990! or Labrador2023 are not secure despite meeting typical "length + symbol" requirements. Attackers use dictionary attacks that combine common names, dates, places, pet breeds, sports teams, and keyboard patterns with character substitutions.
If you were born in Melbourne in 1992 and your dog is named Max, those facts are in the attacker's dictionary whether you realize it or not.
Truly random passwords (generated by a CSPRNG, not chosen by you) don't have this weakness.
6. Never reuse passwords from old accounts
Exposed password databases from past breaches are publicly available. Attackers run every leaked password against new targets. If you used MyCat@2018! years ago and it was in a database leak, it will be tried against your current accounts.
When a site announces a breach, change that password immediately — and check whether you used it anywhere else.
7. Use a passphrase for master passwords
Your password manager master password (and other passwords you must type regularly) should be something you can remember without writing down. A passphrase — four to six random words strung together — is both memorable and cryptographically strong.
correct-horse-battery-staple (from the famous XKCD comic) has roughly 44 bits of entropy, assuming about 11 bits per word from a 2,048-word list. With a 7,776-word Diceware list each word carries about 12.9 bits: four words give about 52 bits, on par with a random 8-character password, and six words about 78 bits. The words must be chosen by a generator, not by you; a phrase you think up yourself does not get this entropy. Use a passphrase generator (available in MyEasyTools) for this.
8. Check if your email has been in a breach
HaveIBeenPwned.com is a free service maintained by security researcher Troy Hunt. Enter your email address and it shows which publicly known data breaches include your email.
If your email appears in a breach, change the password for that service (and any sites where you used the same password) immediately.
9. Don't store passwords in plain text or browser notes
Passwords saved in a browser's password manager are encrypted on disk and are far safer than plain text, with one caveat: the browser decrypts them for whatever runs under your user account, which is exactly what infostealer malware exploits, so a clean device still matters. Notes apps, spreadsheets, sticky notes, and text files are not encrypted at all; anyone with access to your device can read them.
If your notes app doesn't have a master password and end-to-end encryption, it is not a safe place for passwords.
10. Watch for phishing — the most common attack vector
No password is secure against phishing. A phishing attack sends you to a convincing fake login page and captures your credentials when you type them. The page looks real; the URL is slightly wrong (g00gle.com instead of google.com), or the real name is buried inside a longer hostname that actually belongs to the attacker.
Signs of phishing: unexpected login prompts via email links, slight URL misspellings, urgent language ("your account will be suspended"), and requests to "verify" your information.
Password managers help here: they offer saved credentials only when the page's domain matches the one the credential was saved for, so a look-alike site gets no auto-fill. A manager that stays silent on a login page you expected it to fill is a strong signal to check the URL before typing anything.
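To make that matching rule concrete, here is an added example (not the matching code of any real password manager) contrasting a naive substring check with an exact-origin check built on the URL API. Real managers usually match on the registrable domain rather than the full origin, so this version is stricter than a product would be; the function names and the test URLs are assumptions constructed for the example.

```javascript
// Added example: deciding whether a saved credential may be auto-filled on a page.

// The naive approach: "does the page URL contain the site I saved it for?"
// This is what a person does by eye, and it is fooled by every trick below.
function naiveMatch(pageUrl, savedHost) {
  return pageUrl.includes(savedHost);
}

// The password-manager approach: compare the page's normalised origin
// (scheme + host + port) with the origin the credential was saved for.
function autofillAllowed(savedOrigin, pageUrl) {
  let page;
  try {
    page = new URL(pageUrl);
  } catch {
    return false; // unparsable URL: never fill
  }
  const saved = new URL(savedOrigin);
  // Never fill over plaintext HTTP; the credential would cross the wire unencrypted.
  if (page.protocol !== "https:") return false;
  // URL.origin lower-cases the host and drops the default port, so this is an
  // exact origin comparison, not a prefix, suffix or substring check.
  return page.origin === saved.origin;
}

// Constructed phishing-style URLs that all "contain" the real host name.
const SAVED = "https://accounts.google.com";
const CANDIDATES = [
  "https://accounts.google.com/signin",                 // the real site
  "HTTPS://ACCOUNTS.GOOGLE.COM:443/signin",              // same origin, odd casing and explicit port
  "https://g00gle.com/signin",                           // look-alike domain
  "https://accounts.google.com.evil.example/signin",     // real name as a subdomain of the attacker's host
  "https://accounts.google.com@evil.example/signin",     // real name in the userinfo part; host is evil.example
  "http://accounts.google.com/signin",                   // right host, plaintext transport
];

for (const url of CANDIDATES) {
  console.log(
    url.padEnd(55),
    "naive:", naiveMatch(url.toLowerCase(), "google.com"),
    "manager:", autofillAllowed(SAVED, url)
  );
}
```

The userinfo case is worth remembering: everything before the `@` in `https://accounts.google.com@evil.example/` is a username, and the browser connects to evil.example. A substring check, like a glance at the address bar, sees the trusted name and approves it; the origin comparison never looks at that part of the URL.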
Common mistakes
"My password is complex, so it's secure." Complexity (symbols, capitals) matters far less than length. !@#$%^& is a terrible password despite being "all symbols." correcthorsebatterystaple is much stronger.
"I'll remember to change it after the breach." By the time breaches are publicly announced, they're often months or years old, and many are never announced at all. Don't rely on a notification: check HaveIBeenPwned periodically and rotate important passwords on a schedule regardless.
"2FA by SMS is secure." SMS 2FA is much better than no 2FA, but is vulnerable to SIM swapping. Use an authenticator app when possible.
"My password manager could be hacked." Yes, theoretically. But it's far more likely that your 20 reused passwords will be compromised in a breach than that your encrypted password manager vault will be cracked. The math strongly favors the password manager.
FAQ
How often should I change my password? Change passwords after a known breach, if you suspect compromise, or if you've been sharing access with someone who no longer needs it. Annual rotation on critical accounts (email, banking) is reasonable. Mandatory 90-day rotation without cause (a common corporate policy) is discouraged by NIST's Digital Identity Guidelines (SP 800-63B), which cite research showing it pushes people toward predictable variations of the old password (Summer2025! becomes Autumn2025!) that attackers can guess from the leaked original.
Is it safe to use a browser's built-in password manager? Chrome, Safari, and Firefox password managers are encrypted and generally safe for everyday accounts. Their main weakness: they don't work cross-browser, and if your Google/Apple account is compromised, all saved passwords are at risk. Standalone password managers (Bitwarden, 1Password) have more security controls.
What should I do if I think my account is compromised? Change the password immediately. Enable 2FA if it isn't already. Check the account's login history for unfamiliar sessions and sign out of all other sessions, since changing the password does not always end them. Review connected apps, API tokens, and recovery email or phone settings for anything you didn't add. Change the same password on any other sites where you used it. If it's your email, check for forwarding rules, filters, or other tampering, because those survive a password change.
Are random passwords actually better than memorable ones? For security, yes — provably. Random passwords drawn from a CSPRNG have maximum entropy. Memorable passwords rely on patterns that attackers know about. For passwords you must type daily, use a long passphrase (6 random words). For everything else, use randomly generated passwords stored in a manager.
How many characters should a truly secure password have? 128 bits of entropy is considered effectively uncrackable with foreseeable technology. Each character drawn uniformly from the 95 printable ASCII characters contributes log2(95), about 6.57 bits, so 19 characters give about 125 bits and 20 characters pass 128. A 20-character random password over the full character set is practically secure for any realistic threat model.