Password managers have gone from niche tool to mainstream recommendation in a few years. Security researchers, journalists, and IT departments all say the same thing: use one. And they’re right. A password manager is probably the single most effective security improvement most people can make.

But there’s a mistake that most people make even after adopting a password manager — one that quietly undermines everything the tool is supposed to do. And it has nothing to do with choosing the wrong manager or setting a weak master password.

The mistake is this: keeping old reused passwords instead of replacing them.

What password reuse actually means

Most people understand that reusing passwords is bad. Ask anyone and they’ll say “yeah, I know I shouldn’t.” But the mental model most people have for why it’s dangerous is slightly wrong.

The common assumption is: if an attacker guesses my password on one site, they’ll try it on others. That’s true, but it’s not the main threat. The bigger problem is data breaches. Sites get hacked constantly. When they do, databases of usernames and passwords get dumped — sometimes immediately, sometimes years later. Those dumps get traded, sold, and fed into automated tools.

An attacker with a database of 50 million leaked credentials doesn’t sit and manually try passwords. They run automated credential stuffing attacks that try millions of username/password combinations against hundreds of sites per hour. If your email and password from a 2018 forum breach are in that database, they’re being tried right now against your bank, your email, your Amazon account.

The scale is hard to grasp. Have I Been Pwned, the breach notification service run by security researcher Troy Hunt, currently indexes over 12 billion compromised accounts. Your email address is almost certainly in there at least once.

Where password managers fail their users

Here’s the thing about password managers: they’re excellent at storing passwords and generating new ones. They’re terrible at forcing you to replace old ones.

The typical adoption pattern goes like this. Someone installs a password manager, imports their existing passwords (which are mostly reused or weak), and starts using it to generate strong passwords for new sites going forward. The old passwords sit there, tagged “I’ll fix these later.”

Later never comes. Studies suggest the average person has over 100 online accounts. Replacing 100 passwords is a multi-hour project that nobody actually does. So the password manager becomes a secure vault holding a mix of good new passwords and compromised old ones — and the attacker only needs one of the old ones to get in.

How to actually fix this

You don’t need to replace 100 passwords today. Prioritise ruthlessly:

  1. Email first, always. Your email is the master key. Every “forgot password” link goes there. A compromised email account means an attacker can take over every other account you own. Do this one today.
  2. Banking and financial accounts. Generate a new unique password for each. Enable two-factor authentication. Done.
  3. Apple ID, Google account, Microsoft account. These control your devices, payment methods, and often act as login for dozens of other services.
  4. Check Have I Been Pwned. Go to haveibeenpwned.com and enter your email. It will show you which breaches you appear in. Replace passwords for every site in those breaches immediately.
  5. Everything else, over time. Change passwords as you naturally log into services. Set a calendar reminder for one Saturday every six months to work through more of the list.

The 20-minute rule. You don’t need to fix everything at once. Twenty minutes a week replacing five passwords is more effective than doing nothing while waiting to feel ready for a full audit.
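To make the “find the reused old ones and fix them in priority order” step concrete, here is an added example (not from the original article) that audits a password-manager CSV export: it flags every entry whose password is shared with another entry or is shorter than 16 characters, and orders the findings by the article’s tiers. The vault contents, the column names and the URL keyword matching are constructed assumptions for this example.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of a password-manager CSV export (not real accounts).
# Two entries share "Summer2018!" and the forum uses a short password.
VAULT_CSV = """url,username,password
mail.example.com,alice@example.com,Summer2018!
bank.example.com,alice,Summer2018!
accounts.google.com,alice@example.com,Kx9#mPqL2vRt@jN5
forum.example.org,alice_h,hunter2
shop.example.com,alice@example.com,r7!Qz0p$Wm4eLb2c
"""

# Priority tiers from the article: email, finance, then platform accounts.
# Keyword matching on the URL is a simplifying assumption (hypothetical).
TIERS = [
    (1, ("mail", "email")),
    (2, ("bank", "paypal", "finance")),
    (3, ("google", "apple", "microsoft", "live.com", "icloud")),
]

def tier_for(url: str) -> int:
    """Map an entry's URL to a priority tier (4 = everything else)."""
    u = url.lower()
    for tier, keywords in TIERS:
        if any(k in u for k in keywords):
            return tier
    return 4

def audit_vault(csv_text: str, min_len: int = 16) -> list:
    """Return (tier, url, reason) for each entry that should be replaced,
    sorted so the email account comes first."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    uses = defaultdict(list)          # password -> URLs that use it
    for r in rows:
        uses[r["password"]].append(r["url"])
    findings = []
    for r in rows:
        reasons = []
        if len(uses[r["password"]]) > 1:
            others = [u for u in uses[r["password"]] if u != r["url"]]
            reasons.append("reused with " + ", ".join(others))
        if len(r["password"]) < min_len:
            reasons.append(f"shorter than {min_len} characters")
        if reasons:
            findings.append((tier_for(r["url"]), r["url"], "; ".join(reasons)))
    findings.sort(key=lambda f: f[0])  # stable sort keeps export order within a tier
    return findings

if __name__ == "__main__":
    for tier, url, reason in audit_vault(VAULT_CSV):
        print(f"tier {tier}: {url}: {reason}")
```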

What a good generated password looks like

A good replacement password should be generated randomly — not made up by you. Human-generated passwords have patterns. We reach for words we know, years we remember, keyboard walks we find easy to type. Attackers know all the patterns and test them first.

A generated password should be at minimum 16 characters and include uppercase letters, lowercase letters, numbers, and symbols. Something like Kx9#mPqL2vRt@jN5. You don’t need to remember it — your password manager does that. You just need to copy and paste it when you create the account.
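An added example (not the article’s own code) of what “generated randomly” means in practice: it draws from the OS cryptographic random source via Python’s secrets module, rejects any candidate that misses one of the four character classes the article lists so every accepted password is still uniformly likely, and reports the entropy of the result. The symbol set is an assumption chosen for this example.

```python
import math
import secrets
import string

# The four character classes the article asks for; the symbol set is an assumption.
CLASSES = (
    string.ascii_uppercase,
    string.ascii_lowercase,
    string.digits,
    "!@#$%^&*()-_=+[]{}:;,.?",
)
ALPHABET = "".join(CLASSES)   # 85 characters in total

def has_all_classes(pw: str) -> bool:
    """True when the password contains at least one character from every class."""
    return all(any(c in cls for c in pw) for cls in CLASSES)

def generate_password(length: int = 16) -> str:
    """Generate a password using the OS CSPRNG (secrets, not random).
    Rejection sampling (retry until every class is present) avoids the
    positional bias of 'pick one from each class, then shuffle' schemes."""
    if length < len(CLASSES):
        raise ValueError("length too short to include every character class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(candidate):
            return candidate

def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size).
    The all-classes rejection removes only a tiny fraction of candidates,
    so this is a close upper bound for generate_password's output."""
    return length * math.log2(alphabet_size)

if __name__ == "__main__":
    pw = generate_password(16)
    print(pw, f"(about {entropy_bits(16):.0f} bits)")
```

Sixteen characters from an 85-symbol alphabet gives roughly 102 bits, far beyond what credential stuffing or offline guessing can reach, which is why length matters more than cleverness.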

One more thing: the master password

If you use a password manager, your master password is now the most important password you have. It should be the one password you actually memorise — and it should be strong.

The best approach for a memorised password is a passphrase: four or five unrelated random words strung together. Something like “correct horse battery staple” (that specific one is now famous, use different words). A five-word passphrase is both easier to remember and statistically stronger than a complex 12-character password with symbols.

Your password manager is an excellent tool. Make sure the passwords inside it are actually earning that trust.