Privacy & Security / May 15 2026

9 ways to make your passwords less bad

Discover 9 practical habits to strengthen your password security. Learn why common passwords fail, how to use password managers effectively, and why 2FA is the ultimate safety net for your digital life.

Written by human for humans

Passwords feel like a necessary evil. You need them everywhere, they're impossible to remember, and just when you think you've got a good one, some expert on the internet tells you it's already cracked.

But passwords don't have to ruin your day. With the right approach, you can make security so effortless that you'll actually stop thinking about it.

The catch is that most people approach password security backwards. They try to create the "perfect" password and memorise it, get frustrated, and reuse the same weak one everywhere. There's a better way: stop relying on willpower and start relying on systems. Put the 9 habits described below in place, set them up properly, and then you can go and enjoy your life while your accounts stay locked down.


Part 1: Break These Bad Habits First

The first four habits are about recognising what you're doing wrong. They're common mistakes, and understanding them is the foundation for everything that follows.

Habit 1: Stop Using the Most Common Passwords

This should be obvious, but it bears repeating: never use passwords that appear on the "most used" lists.

We're talking about:

  • 123456
  • password
  • qwerty
  • 111111
  • 123123

Hackers don't try to crack your password with random guesses. They use dictionary attacks - they try every common password they know exists. These passwords can be broken in under one second by basic cracking software.

It's like choosing your front door lock from the five models that 90% of people use. Yes, you technically have a lock, but so does everyone else, and thieves know exactly how to open them.

The lesson: If you've ever seen a password on a "worst passwords" list, don't use it. Ever.

Focus on password security

Read more here: Strong Passwords & How to Remember Them

Habit 2: Use Very Long Passwords

Length beats complexity every single time. A lot of people think the password "P@ss9xQ!" is stronger than "my golden retriever loves peanut butter". It feels clever—it has capitals, symbols, numbers. But it's not. Modern cracking tools can test variations of short "complex" passwords incredibly fast. What they struggle with is length.

Every character you add multiplies the number of possibilities, so the difficulty of cracking grows exponentially with length. A password with 20 characters is astronomically harder to break than one with 10, even if the shorter one has more symbols.

If a password has 94 possible characters and is 8 characters long, there are roughly 6 quadrillion combinations. But a 20-character password? That's 94 to the 20th power—a number so large it's essentially uncrackable by brute force.

The practical approach: Use a phrase instead of a word for your password. Something boring is perfect:

- the cat sat on the windowsill at noon
- my coffee was cold this morning
- I forgot my passport in the green bag

These are long, boring, easy to remember and genuinely strong.
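To make the arithmetic behind this concrete, here is a small added example (it is not part of the original article and not a Koofr tool) that computes the keyspace and bit-strength of character passwords and of passphrases. The guess rate of 10^12 per second is an assumed figure for an attacker cracking a fast hash offline, chosen for illustration. One caveat: the passphrase figure assumes the words are picked at random from a word list, so for a natural sentence like the ones above it is an upper bound, since human-chosen sentences are more predictable than their length alone suggests.

```python
import math

# Added example: the arithmetic behind "length beats complexity".
# Not a Koofr tool. The guess rate is an assumed figure for illustration:
# offline cracking of a fast, unsalted hash on commodity GPUs.
ASSUMED_GUESSES_PER_SECOND = 10**12

PRINTABLE_ASCII = 94          # letters, digits and symbols on a US keyboard
WORDLIST_SIZE = 7776          # a diceware-style list of 6^5 words


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of `length` characters over the alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for a uniformly random password: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def passphrase_bits(word_count: int, wordlist_size: int = WORDLIST_SIZE) -> float:
    """Bits of entropy for words picked uniformly at random from a word list.

    This is an upper bound: a natural sentence chosen by a person is far more
    predictable than randomly chosen words and does not reach this figure.
    """
    return word_count * math.log2(wordlist_size)


def seconds_to_exhaust(space: int, rate: int = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every password in the space at the assumed rate."""
    return space / rate


def human_duration(seconds: float) -> str:
    """Render a duration as seconds, days or years, whichever reads best."""
    if seconds < 86400:
        return f"{seconds:,.0f} seconds"
    years = seconds / (365.25 * 24 * 3600)
    if years < 1:
        return f"{seconds / 86400:,.1f} days"
    return f"{years:,.3g} years"


if __name__ == "__main__":
    for length in (8, 12, 20):
        space = keyspace(PRINTABLE_ASCII, length)
        bits = entropy_bits(PRINTABLE_ASCII, length)
        print(f"94^{length:<2} = {space:.3g} ({bits:.1f} bits) -> "
              f"{human_duration(seconds_to_exhaust(space))}")
    for words in (4, 6):
        print(f"{words} random words: {passphrase_bits(words):.1f} bits")
```

Running it shows the 8-character, 94-symbol password falling in under two hours at the assumed rate, while the 20-character one is out of reach for any realistic attacker; six randomly chosen words land at roughly 77 bits, comparable to a 12-character random password.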

Habit 3: Don't Swap Characters for Symbols (It Doesn't Work)

Swapping "a" for "@", "e" for "3", or "o" for "0" feels like it creates a unique password. It doesn't. Modern AI-driven password-cracking tools know about these substitutions, and they're not fooled by them.

These swaps are predictable, and they're the first thing attackers test. If they know your base password is "password", they'll automatically test "p@ssw0rd", "p4ssw0rd", and every other variation in seconds.

It gives you the illusion of strength without the actual security.

The real solution: Don't try to make a weak password look stronger by adding symbols to predictable positions. Instead, use a long, unpredictable phrase as in Habit 2, or use a password manager (which we'll get to in a moment).
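Here is the defensive side of this, as an added example that is not from the article: a registration-time check that undoes the common substitutions before comparing a candidate with a blocklist, so that "P@ssw0rd" is rejected just like "password". The substitution table and the five-entry blocklist are constructed for the example; a real deployment would load a large breached-password list instead.

```python
import re

# Added example of a defensive check: undo common "leet" substitutions before
# comparing a candidate password with a blocklist. Because cracking tools
# apply these same rules automatically, a policy that only blocks the literal
# string "password" is easily sidestepped with "P@ssw0rd".
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "3": "e", "0": "o", "1": "i", "!": "i",
    "$": "s", "5": "s", "7": "t",
})

# Constructed five-entry blocklist for the example. A real check loads a
# large breached-password corpus instead.
COMMON_PASSWORDS = frozenset({"123456", "password", "qwerty", "111111", "123123"})

# Trailing decoration people add to satisfy "must contain a digit" rules.
TRAILING_DECORATION = re.compile(r"[0-9!?.]+$")


def normal_forms(candidate: str) -> set[str]:
    """All the ways a candidate could reduce to a blocklisted base word."""
    lowered = candidate.lower()
    stripped = TRAILING_DECORATION.sub("", lowered)
    return {
        lowered,
        stripped,
        lowered.translate(LEET_MAP),
        stripped.translate(LEET_MAP),
    }


def is_blocked(candidate: str, blocklist=COMMON_PASSWORDS) -> bool:
    """True when the candidate, or any normal form of it, is on the blocklist."""
    return any(form in blocklist for form in normal_forms(candidate))


if __name__ == "__main__":
    for pw in ("password", "P@ssw0rd", "p4ssw0rd!", "Qwerty123", "111111",
               "my coffee was cold this morning"):
        print(f"{pw!r:36} -> {'BLOCKED' if is_blocked(pw) else 'ok'}")
```

The point of checking every normal form rather than one canonical one is that stripping a trailing digit before substitution and after it catch different decorations ("p4ssw0rd1" versus "passw0rd"), and the set lookup costs nothing extra.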

Close-up of a finger entering a passcode

Habit 4: Avoid Common Phrases, Quotes, and Pop Culture References

Your password should never be:

  • A famous movie quote ("May the Force be with you")
  • Lyrics from a well-known song ("Imagine all the people")
  • A celebrity name
  • A famous book title
  • A popular phrase from the internet

Why? Because these are in dictionaries. Attackers maintain massive lists of famous quotes, song lyrics, and pop culture references. If it's been said or written somewhere in public, it's in their dictionary.

The same applies to meme references or trending phrases, even if they feel obscure. If thousands of people know it, thousands of attackers know it too.

The pattern to avoid when choosing a password: Anything that could appear in a book, film, song, or widely-read article is too recognisable.

Part 2: Build Healthy Maintenance Habits

Now that you know what not to do, let's talk about how to actually manage passwords.

Habit 5: Never Reuse a Password

This is where a single breach becomes a complete digital catastrophe.

Here's a common scenario: You use the same password for your email, banking app, social media, and work accounts. A hacker breaches your social media account (which happens all the time). They now have your password. Within minutes, they try that same password on your bank, your email, your work system. One compromised password = total digital takeover.

This is called credential stuffing, and it's how most serious account breaches happen—not because your password was weak, but because it was reused.

The rule: Every single service you use should have a unique password. Every. Single. One. No reusing. No "variations" of the same password. This is practically impossible to do manually, which is exactly why the last two habits exist.

Habit 6: Test Your Passwords (Before Attackers Do)

Before you deploy a password anywhere, test it. Find out if it's actually strong or if it's already compromised. Several free tools can tell you this:

  • Have I Been Pwned: Check if your email address appears in known data breaches. If your password is already floating around the internet from a previous breach, stop using it immediately.
  • Password Monster: Tests password strength and estimates how long it would take to crack.
  • Security.org's Password Strength Checker: Simple and straightforward strength testing.

The process:

  1. Think of a password
  2. Test it with one of the mentioned tools
    • If it's already been breached, generate a new one
    • If it's strong, use it

This takes about 30 seconds and saves you from deploying a compromised password.

Note: Never paste your actual password into random websites. Use a reputable service like Have I Been Pwned (use your username or email, not the actual password).
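Why the note above distinguishes a reputable service from a random website: Have I Been Pwned's Pwned Passwords API is built on k-anonymity, so a password check never sends the password. The client hashes it with SHA-1, sends only the first five hex characters of the hash, and compares the returned hash suffixes locally. The added example below (not from the article) implements that client-side part in Python against a constructed response body instead of calling the service, and the counts in that body are invented; it goes a step beyond the article, which only describes the email lookup.

```python
import hashlib

# Added example of the client side of a k-anonymity password check. Only the
# first five hex characters of the SHA-1 hash would be sent to the service
# (Have I Been Pwned's Pwned Passwords API works this way); the remaining 35
# characters are compared locally. Nothing here contacts the network: the
# response body below is constructed for the example.

PREFIX_LEN = 5


def split_hash(password: str) -> tuple[str, str]:
    """Return (prefix sent to the service, suffix that stays on the client)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a {suffix: count} mapping."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_body: str) -> int:
    """Times the password appeared in breaches per the response (0 = not found)."""
    _, suffix = split_hash(password)
    return parse_range_response(range_body).get(suffix, 0)


def constructed_range_body() -> str:
    """A made-up response for the prefix of 'password'. Counts are invented."""
    _, pw_suffix = split_hash("password")
    return "\r\n".join([
        "0123456789ABCDEF0123456789ABCDEF012:3",
        f"{pw_suffix}:9545824",
        "FEDCBA9876543210FEDCBA9876543210FED:17",
    ])


if __name__ == "__main__":
    body = constructed_range_body()
    for pw in ("password", "my coffee was cold this morning"):
        prefix, _ = split_hash(pw)
        n = breach_count(pw, body)
        verdict = f"seen {n:,} times, do not use" if n else "not in this response"
        print(f"{pw!r}: would send prefix {prefix}; {verdict}")
```

Because every prefix covers hundreds of real hashes, the service learns only that your password is one of that many candidates, which is the property that makes this kind of check acceptable where pasting the password itself is not.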

Habit 7: Don't Share Your Password, and Don't Enter It on Unsafe Websites

This sounds basic, but there's more to it than just "don't tell people your password."

What not to do:

  • Don't share passwords via email, text, or chat
  • Don't write passwords on sticky notes at your desk
  • Don't tell colleagues or family members your account passwords
  • Don't enter your password on websites that don't have a secure connection

How to spot a secure website:
Look for the padlock icon in your browser's address bar, and check that the URL starts with https:// (not http://). These indicate the connection is encrypted. Encryption only protects the data in transit; it does not prove the site is the one you meant to visit, so check the domain name as well.

If you're on a website without a lock icon and it's asking for a password, stop. Don't enter anything sensitive.

The sharing problem: If you must share access, share the entry from your password manager instead of telling the other person the password directly. That way you can revoke their access later without changing the password. We'll explain this more in Habit 8.

A hand holding a phone displaying streaming apps

Part 3: Automate Everything (The Game-Changer)

The first seven habits work, but they require constant vigilance. The last two habits are where you stop fighting and start automating. This is where security becomes effortless.

Habit 8: Use a Password Manager

A password manager is the single most important tool for modern password security. It solves almost every problem we've discussed:

  • It generates long, unique, random passwords for you (no thinking required)
  • It stores them securely (encrypted, not in your brain)
  • It remembers them (so you don't have to memorise dozens)
  • It can autofill passwords on websites (faster than typing)
  • It alerts you if a password has been compromised
  • It can share passwords securely with family members without revealing the actual password

How it works: You create one strong master password (something only you know). This password unlocks your entire password vault. Inside that vault, you store every other password you use. The password manager encrypts everything with that master password, so even if the service is hacked, your passwords remain protected.

From that point on, when you visit a website, your password manager fills in your username and password automatically. You log in, and that's it. You never need to remember a single password except your master password.

These free password managers can be connected to Koofr:

Bitwarden is also a popular, open-source and affordable password manager.

Each password manager has different features, but they all solve the core problem: unique, strong passwords for every service.

Koofr tip: Use a password manager to protect your Koofr account with a strong, unique password. Then enable 2FA (next habit) to add an extra layer of protection.

The setup (a one-time effort):

  1. Choose a password manager
  2. Create an account with a strong master password
  3. Add your current passwords to it (or let it generate new ones)
  4. Set it to autofill when you log in to websites
  5. Done

From that moment on, password management is automatic.
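As an added illustration of the two mechanisms described above (this is example code, not Koofr's or any password manager's implementation): generating a random password from the operating system's CSPRNG, and deriving the vault encryption key from the master password with a deliberately slow, salted function. The example stops at key derivation because the Python standard library has no AES; a real vault feeds this key to an authenticated cipher. The iteration count, key length and salt length are assumptions.

```python
import hashlib
import os
import secrets
import string

# Added example of two mechanisms a password manager relies on. This is
# illustrative code, not Koofr's or any vendor's implementation.

# 94 printable ASCII characters: letters, digits and punctuation.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Assumed parameters: PBKDF2-HMAC-SHA256 with a work factor high enough that
# each guess at the master password costs the attacker noticeable time.
KDF_ITERATIONS = 600_000
KEY_LEN = 32   # 256-bit key for the vault cipher
SALT_LEN = 16


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Uniformly random password from the OS CSPRNG (secrets, not random)."""
    if length < 12:
        raise ValueError("generated passwords should be long; use 12+ characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def new_salt() -> bytes:
    """Fresh random salt stored alongside the vault (it is not secret)."""
    return os.urandom(SALT_LEN)


def derive_vault_key(master_password: str, salt: bytes,
                     iterations: int = KDF_ITERATIONS) -> bytes:
    """Stretch the master password into the key that encrypts the vault.

    The same master password and salt always yield the same key, which is
    what lets the vault be unlocked later; a different master password yields
    an unrelated key, and the iteration count makes brute-forcing it slow.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=KEY_LEN)


if __name__ == "__main__":
    print("generated:", generate_password())
    salt = new_salt()
    key = derive_vault_key("the cat sat on the windowsill at noon", salt)
    print("vault key:", key.hex())
```

The two choices worth noticing are `secrets` rather than `random` (the latter is not cryptographically secure) and a per-vault salt, which stops an attacker who obtains many vaults from testing one master-password guess against all of them at once.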

Read more here: World Password Day 2024: Secure Your Digital World with Password Managers

Habit 9: Use Two-Factor Authentication - The Ultimate Safety Net

Even with a strong, unique password, there's still a risk: if someone gains access to your password (through a data breach, malware, or phishing), they can get into your account.

Two-Factor Authentication (2FA) is your insurance policy. It means: "Even if you have my password, you can't get in without a second form of proof that you're me."

Read more here: How Two-Factor Authentication Improves Your Online Security

How 2FA works:

  1. You log in to your account with your password
  2. The website asks: "Who are you really? Prove it."
  3. You provide a second proof - usually one of these:
    • Authentication app code (an app like Google Authenticator or Authy generates a new 6-digit code every 30 seconds),
    • SMS text message (the website sends you a code via text, which you enter),
    • Passkey (a cryptographic key stored on your device),
    • Biometric (your fingerprint or face)

The attacker has your password, but they don't have your phone, your authentication app, or your fingerprint. They're locked out.
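To show what "a new 6-digit code every 30 seconds" means in practice, here is an added example (not from the article or from any authenticator app) implementing the TOTP algorithm of RFC 6238 on top of HOTP from RFC 4226, together with the verification step a server performs: a small window for clock drift and a constant-time comparison. The secret used is the RFC 4226 test-vector seed, so the codes can be checked against the published values.

```python
import hashlib
import hmac
import struct

# Added example: TOTP (RFC 6238) built on HOTP (RFC 4226), plus the
# verification step a server performs. Not code from any authenticator app.
# The secret below is the RFC 4226 test-vector seed, so the codes it produces
# can be checked against the published values.
TEST_SECRET = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS,
         digits: int = DIGITS) -> str:
    """TOTP: HOTP with the counter set to the current 30-second time step."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                window: int = 1, step: int = STEP_SECONDS) -> bool:
    """Server-side check: accept the current step and its +-window neighbours
    for clock drift, comparing in constant time so timing leaks nothing."""
    current = unix_time // step
    return any(
        hmac.compare_digest(hotp(secret, current + drift), submitted)
        for drift in range(-window, window + 1)
    )


if __name__ == "__main__":
    # RFC 6238 lists 94287082 (8 digits) for T=59; the 6-digit form is 287082.
    print("code at t=59:", totp(TEST_SECRET, 59))
    print("accepted at t=89 (next step, within window):",
          verify_totp(TEST_SECRET, totp(TEST_SECRET, 59), 89))
    print("accepted at t=119 (two steps later):",
          verify_totp(TEST_SECRET, totp(TEST_SECRET, 59), 119))
```

Two things a real server does beyond this: it records the last accepted time step so the same code cannot be replayed inside the window, and it stores the shared secret with the same care as a password, since anyone holding the secret can compute every future code.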

Hand holding a brass padlock, symbolizing security and protection

Which method is best?

  • Passkey (best): Cryptographic keys that are nearly impossible to phish or steal. They're the future of authentication.
  • Authentication app (very good): TOTP codes that only work for 30 seconds and aren't vulnerable to SIM swapping like SMS is.
  • SMS (acceptable but risky): Better than nothing, but vulnerable to SIM swapping and interception.
  • Email code (okay): Better than SMS, but still prone to phishing if an attacker compromises your email.

Koofr tip: Koofr supports 2FA including authentication apps and passkeys. Enable it on your account for maximum protection.

We strongly suggest you set up 2FA for:

  • Email (critical—if someone gets in, they can reset all your other passwords)
  • Banking and financial services
  • Cloud storage (like Koofr)
  • Social media
  • Work accounts

The reality check: Yes, 2FA adds a tiny bit of friction. You have to enter a code or approve a prompt when you log in. But that friction is infinitely better than having your account compromised.

The Strategy: Set it and Forget it

Here's where everything comes together. If you implement Habits 8 and 9, the first seven habits become essentially automatic:

  • You're not trying to create a perfect password anymore (your password manager does it)
  • You're not worrying about reusing passwords (they're all unique by default)
  • You're not memorising passwords (your manager remembers)
  • Even if someone steals your password, 2FA stops them at the login screen

Your action plan:

  • This week: Choose and set up a password manager. Add your most important accounts (email, banking, Koofr).
  • Next week: Enable 2FA on those same accounts.
  • Over the next month: Gradually add all your other accounts to the password manager and enable 2FA where available.

That's it. After a few weeks of setup, your password security is on autopilot. You've done your digital chores. Your accounts are locked down. Your mind is clear. And then you can go enjoy that nice café you've been thinking about.

Outdoor café in Kuzguncuk, İstanbul with two people enjoying a sunny day

Conclusion: Security That Actually Works

The biggest myth about password security is that you need to remember complicated things. You don't. You need systems.

Strong passwords, unique credentials, and multi-factor authentication aren't luxuries—they're the bare minimum in 2026. And thanks to password managers and 2FA, they're no longer optional tools only for tech experts. They're practical, affordable, and, honestly, easier than memorising passwords.


Your digital life is valuable. Your email account is the master key to everything else. Your bank account, your cloud storage, your identity, they all depend on password security. And you don't have to do this perfectly. You just have to do it.

Editor's Note: This post was first published in 2019. We've updated and enhanced the content to improve clarity and detail. Whether you're revisiting or reading it for the first time, we hope this improved version offers an even better experience.
