Here’s a hard truth: if you reuse the same password across multiple accounts, you’re one data breach away from giving strangers the keys to your digital life.
It sounds dramatic, but it's real. Once a password is exposed in one place, say from an old social media account or an obscure website you haven't touched in years, attackers don't stop there. They take that email address and password pair, load it into automated tooling alongside millions of other pairs from the same breach, and replay it against major platforms: banking, email, cloud storage, payroll systems, even your Netflix account. They aren't guessing; they're trying a password that is already known to be yours.
This tactic is called credential stuffing, and it's so effective because most people reuse passwords. By most estimates the average person has well over 100 online accounts, and nobody can remember that many unique passwords, so we take shortcuts. Unfortunately, that convenience is exactly what attackers rely on.
The result? A single weak link can unravel your entire digital identity.
The Smarter Way: Use a Password Manager
The simplest, most effective fix is also one of the easiest: use a password manager.
Tools like 1Password, Keeper, or Proton Pass store all your passwords in a vault encrypted under a single master password. That master password is the only one you need to remember; the rest are generated, stored, and filled in automatically when you log in. Because everything hinges on it, make the master password a long passphrase and turn on multi-factor authentication for the vault itself.
Password managers do more than add convenience; they break the chain of risk. Each account gets a unique, strong password, so even if one website is compromised, your other logins remain safe.
Good password managers also sync across devices, autofill login forms, and alert you if any of your saved credentials appear in a known data breach. In other words, they act as your personal digital bodyguard.
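The breach alert in the last sentence is normally implemented so that your password never leaves your device. The common approach is the k-anonymity range lookup offered by Have I Been Pwned's Pwned Passwords API: the client hashes the password with SHA-1, sends only the first five hex characters of the hash, receives every hash suffix in that bucket together with a breach count, and does the comparison locally. The block below is an added example of that lookup, written for this article and not the code of any manager named above. The range response excerpt is constructed for the example (the counts are made up; only the hash of "password" is a real SHA-1), so the check runs offline; the network function is included but only used if you call it yourself.

```python
import hashlib
import urllib.request

# Constructed excerpt of a range response. Each line is the 35-character
# SHA-1 suffix and the number of times that password was seen in breaches.
# The counts are invented for this example; the third suffix really is the
# tail of SHA-1("password"), whose hash begins with the prefix 5BAA6.
SAMPLE_RANGE_RESPONSE = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1D72CD07550416C216D8AD296BF5C0AE8E0:10
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
"""


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form the API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest_hex: str) -> tuple[str, str]:
    """Split into the 5-char prefix that is sent and the 35-char suffix kept local."""
    return digest_hex[:5], digest_hex[5:]


def parse_range(text: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a suffix -> count mapping."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_text: str) -> int:
    """Compare the local suffix against the bucket; 0 means not seen in breaches.

    The full hash is never sent: only the prefix selects the bucket, and every
    suffix in that bucket is returned, so the server cannot tell which one
    (if any) was yours.
    """
    _prefix, suffix = split_hash(sha1_hex(password))
    return parse_range(range_text).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Fetch the real bucket for a 5-char prefix (network call, optional)."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"User-Agent": "range-lookup-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Offline demonstration against the constructed bucket.
    for candidate in ("password", "purple-lizard-taxi-window"):
        print(candidate, "->", breach_count(candidate, SAMPLE_RANGE_RESPONSE))
    # For a live check: prefix, _ = split_hash(sha1_hex(pw));
    # breach_count(pw, fetch_range(prefix))
```

A hit does not mean your account was breached; it means that password string is in circulation and will be in every stuffing list, which is reason enough to replace it.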
How I Approach My Own Password Security
Let me share what my personal system looks like—it’s a bit of a process, but it’s one I trust.
I not only use a unique password for every site, but I also use a unique email address for each one. That’s possible thanks to SimpleLogin, made by the same folks behind Proton Mail and Proton Pass.
SimpleLogin allows me to create email aliases that forward messages to my primary inbox. Each alias is tied to a specific site. Sometimes it’s something predictable like [email protected]; other times it’s completely random, like [email protected]. It depends on how much I trust the service.
I also use a few personal domains for this—one branded with my name for trusted accounts, and another for temporary or lower-trust sites. Domains are inexpensive (around $15 a year) and easy to set up. Since I already pay for Proton Mail, my messages are protected with end-to-end encryption, ensuring private and secure communication.
Either way, I rarely give out my actual email address. Every site gets its own unique identity, which keeps my digital footprint clean, traceable, and far more private.
Once that’s in place, I let my password manager do what it does best: generate a password that’s long, complex, and unique—usually 20 characters or more.
For account recovery questions (“What’s your first pet’s name?”), I don’t answer honestly. Instead, I let my password manager generate a random string of words and store those too. No one—not even I—knows the answers, and that’s exactly the point.
For multi-factor authentication, I use a separate app entirely—Authy, Ente Auth, or Proton Authenticator. I don’t mix MFA codes with my passwords, because separating them adds another layer of security.
The only passwords I actually remember are my master passwords for my password managers. Everything else is securely stored and encrypted.
Is it slower? Sure. But that’s the tradeoff. The price of security is a little friction—and to me, it’s absolutely worth it.
And for those rare times when I have to create a password on the fly, without my password manager handy, I have a personal “backup” algorithm: a simple key replacement system where certain letters are swapped for specific numbers or symbols based on a pattern only I know. No, I won’t share it—and that’s kind of the point.
It’s a small safeguard that gives me confidence even when I’m off my usual tools.
Strong Passwords Without the Guesswork
If you want to generate your own secure passwords (beyond what’s built into your password manager), here are a few great tools:
- Diceware Password Generator: Uses real dice rolls and a word list to create secure, memorable passphrases.
- EFF Dice Game: The Electronic Frontier Foundation’s printable word list for creating offline passwords.
- SecureWords Generator: A low-tech but effective tool for generating human-readable passwords.
These methods draw their randomness from dice or a cryptographic random number generator, not from human choice, which falls into predictable patterns. A phrase like “purple-lizard-taxi-window” might look silly, but four words chosen at random from the EFF’s 7,776-word list carry about 52 bits of entropy, and six words carry about 78. “P@ssw0rd123” only looks complex: it is a dictionary word with the letter-for-symbol substitutions and trailing digits that every cracking ruleset tries first, so it is among the earliest guesses a cracking tool makes.
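To make the dice method and the entropy figures concrete, here is an added example (written for this article, not code from any of the tools listed above) that simulates Diceware rolls with the operating system’s cryptographic random source, maps each roll to a word-list index the way the printed tables do, and computes how many bits a passphrase carries for a list of a given size. The embedded word list is a constructed 16-word stand-in so the script runs offline; for real use, load the EFF long list, which has 7,776 entries.

```python
import math
import secrets

# Constructed stand-in for the EFF long word list so the script runs offline.
# The real list has 7776 entries, one per five-dice roll from 11111 to 66666.
SAMPLE_WORDS = [
    "purple", "lizard", "taxi", "window", "acorn", "basket", "cobalt", "dagger",
    "eagle", "fabric", "garlic", "hammer", "island", "jungle", "kettle", "lantern",
]
EFF_LONG_LIST_SIZE = 7776  # 6 ** 5 possible five-dice rolls


def roll_dice(count: int, faces: int = 6) -> list[int]:
    """Roll `count` dice using the OS CSPRNG (secrets), never random.random()."""
    return [secrets.randbelow(faces) + 1 for _ in range(count)]


def rolls_to_index(rolls: list[int], faces: int = 6) -> int:
    """Map a roll such as [1, 1, 1, 1, 2] to a 0-based list index (here 1),
    the same way the printed Diceware tables index words by their digits."""
    index = 0
    for roll in rolls:
        if not 1 <= roll <= faces:
            raise ValueError(f"die shows {roll}, expected 1..{faces}")
        index = index * faces + (roll - 1)
    return index


def dice_for(list_size: int, faces: int = 6) -> int:
    """Fewest dice whose rolls can address every word in a list of list_size."""
    count = 1
    while faces ** count < list_size:
        count += 1
    return count


def entropy_bits(num_words: int, list_size: int) -> float:
    """Entropy of num_words words drawn uniformly from a list of list_size."""
    return num_words * math.log2(list_size)


def words_needed(target_bits: float, list_size: int = EFF_LONG_LIST_SIZE) -> int:
    """Smallest word count that reaches target_bits from a list of list_size."""
    return math.ceil(target_bits / math.log2(list_size))


def passphrase(num_words: int = 6, words: list[str] = SAMPLE_WORDS, sep: str = "-") -> str:
    """Build a passphrase by rolling dice for each word.

    When the list is not an exact power of six, some rolls fall past the end;
    those are re-rolled (rejection sampling) so every word stays equally
    likely instead of skewing the choice toward low indices.
    """
    if len(words) < 2:
        raise ValueError("need at least two words to choose from")
    dice = dice_for(len(words))
    chosen = []
    while len(chosen) < num_words:
        index = rolls_to_index(roll_dice(dice))
        if index < len(words):
            chosen.append(words[index])
    return sep.join(chosen)


if __name__ == "__main__":
    print(passphrase(6))
    print(f"4 words from the EFF list: {entropy_bits(4, EFF_LONG_LIST_SIZE):.1f} bits")
    print(f"6 words from the EFF list: {entropy_bits(6, EFF_LONG_LIST_SIZE):.1f} bits")
    print(f"words needed for 80 bits: {words_needed(80)}")
```

The entropy figure depends only on the list size and the number of words, not on which words come out, so a passphrase made of short common words is exactly as strong as one made of obscure ones; what matters is that the choice was random and the list is large.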
Security Is a Habit, Not a Setting
There’s no “set it and forget it” button for personal security. It’s a mindset—a set of habits that protect your future self.
Using a password manager isn’t just about protecting accounts; it’s about reclaiming control of your digital identity. Every small, intentional choice compounds into a much stronger defense.
If you’ve been meaning to improve your password hygiene, start today. Install a password manager. Generate a few new passwords. Try out SimpleLogin or another aliasing tool.
You don’t have to be perfect—you just have to start.
Because the cost of doing nothing doesn’t show up today. But the peace of mind? That starts immediately.
🔐 This week, challenge yourself to stop reusing passwords. Try a password manager. Create your first alias. Take one small step toward better digital security.
💭 If this resonated, subscribe to Purpose in Practice—my weekly newsletter exploring how leadership, technology, and purpose meet in the real world. Each edition offers questions and insights you can actually apply in your work and life.