Canadian Technology Magazine

Three Essential Password Practices Every User Should Adopt, According to a Cybersecurity Expert

Too many data breaches start with a weak or reused password. Drawing on advice from cybersecurity specialist Jake Moore, this post explains the three most effective ways to harden your passwords and, by extension, your entire online presence.

1. Prioritize Length and Unpredictability

The single biggest factor in password strength is length. A short, complex password such as “P@55w0rd!” can be cracked in minutes with modern hardware, while a 16-character phrase can take centuries.

Jake Moore recommends creating a passphrase—a string of unrelated words, numbers, and symbols—for example: “mango-7CandleBlink!tractor”. Because it is both long and unusual, it resists common cracking methods such as dictionary and brute-force attacks.
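The sketch below is an added example, not code from the original post or from Jake Moore. It draws passphrase words with the operating system's CSPRNG, estimates how many randomly chosen words a target strength requires (a step beyond what the post covers), and shows why a password like “P@55w0rd!” still fails a dictionary check once look-alike characters are undone. The word list, the common-password set, and all function names are constructed for illustration.

```python
import math
import secrets

# Constructed demo list, far too small for real use (4 bits per word).
# A large published list such as the EFF long list has 7776 words,
# which is about 12.9 bits per randomly chosen word.
DEMO_WORDS = ["mango", "candle", "blink", "tractor", "harbor", "velvet",
              "pebble", "orbit", "lantern", "thistle", "gravel", "walnut",
              "copper", "meadow", "sprout", "anchor"]
# Constructed stand-in for a real common/breached password list.
COMMON = {"password", "qwerty", "letmein", "dragon"}
# Undo the usual look-alike substitutions before the dictionary lookup.
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "l", "3": "e",
                      "5": "s", "$": "s", "7": "t"})

def entropy_bits(list_size: int, n_words: int) -> float:
    """Entropy when n_words are drawn uniformly at random from the list."""
    return n_words * math.log2(list_size)

def words_needed(list_size: int, target_bits: float) -> int:
    """Smallest word count whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))

def generate_passphrase(words=DEMO_WORDS, n_words=4, sep="-") -> str:
    """Pick words with secrets (OS CSPRNG), then add one digit and one symbol."""
    picked = [secrets.choice(words) for _ in range(n_words)]
    i = secrets.randbelow(n_words)
    picked[i] = picked[i].capitalize() + secrets.choice("0123456789")
    return sep.join(picked) + secrets.choice("!?#%&*")

def is_disguised_common(password: str) -> bool:
    """True if the password is a common word behind look-alike characters."""
    core = password.lower().translate(LEET)
    core = "".join(ch for ch in core if ch.isalpha())
    return core in COMMON

if __name__ == "__main__":
    print("generated:", generate_passphrase())
    print("P@55w0rd! is a disguised common word:",
          is_disguised_common("P@55w0rd!"))
    print("words needed from a 7776-word list for 80 bits:",
          words_needed(7776, 80))
```

The entropy figures hold only when the words are picked by the generator; a phrase a person invents is harder to quantify.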

Key takeaways:

2. Use a Unique Password for Every Account—Automate It With a Manager

Reusing passwords links your accounts together: if one service is breached, attackers immediately try the same credentials elsewhere, a tactic called credential stuffing. The only reliable defense is to maintain a different password for every login.

Because humans cannot realistically remember dozens of strong passphrases, Moore advocates using a password manager. A reputable manager:

Choose a manager that offers zero-knowledge encryption, audited code, and multi-platform support. Popular options include open-source and commercial tools alike—select the one that fits your workflow and security comfort level.

3. Layer Your Defense With Two-Factor Authentication (2FA)

Even the strongest password can be stolen through phishing, keyloggers, or data leaks. Adding two-factor authentication (2FA) places an additional barrier between attackers and your accounts.

2FA methods in order of security:

Enable 2FA on every critical account—email, banking, cloud storage, social media. The additional 30 seconds at login is insignificant compared to the time you’d spend recovering a compromised identity.

Putting It All Together

Security is strongest when layered. Create long, unique passphrases, store them in a password manager, and lock every account behind 2FA. Follow these three practices consistently and you’ll shut down the vast majority of attacks that begin with stolen or weak passwords.
