Password security fundamentals: what actually matters in 2026
The credential security basics that matter: password length, uniqueness, breach exposure, phishing-resistant 2FA, and passkeys. No fluff.
Most password security advice is either outdated or wrong. This guide covers what actually matters based on how modern attacks work.
The threat model
Your passwords face three primary attack types:
- Credential stuffing — attackers take a breach database (e.g., from a compromised e-commerce site) and try the same email/password combinations on every major service. Automated, fast, and extremely common.
- Phishing — fake login pages that capture your credentials in real time. May relay them to the real site immediately (real-time phishing proxies), bypassing SMS-based 2FA.
- Password spraying — attacking many accounts with a small number of common passwords to avoid account lockouts.
Brute-force of strong passwords is not a realistic threat for online services (rate limiting makes it impractical). It matters for encrypted vaults and local files.
What actually protects you
1. Unique passwords per site
This is the single highest-leverage action. If your password at some-obscure-forum.com is the same as your Gmail password, a breach at the forum exposes your Gmail.
A password manager makes this painless. You never need to remember individual passwords — only the master password for your vault.
2. Password length over complexity
A 20-character random lowercase string is harder to brute-force than a 10-character string with symbols. Length matters more than character class mixing.
Modern password managers generate 20+ character random passwords by default. Use them.
3. Phishing-resistant 2FA
SMS codes are not phishing-resistant. Real-time phishing proxies (tools like Evilginx, Modlishka) relay your credentials and SMS code to the target site in real time. The attacker ends up with a valid session.
Phishing-resistant options, in order of strength:
- Passkeys (FIDO2/WebAuthn credentials bound to the relying party's domain) — phishing resistant by design. The browser writes the page's real origin into the signed response, so an assertion produced on a phishing domain will not verify at the legitimate site.
- Hardware keys (YubiKey, Google Titan) — phishing resistant. The key signs a challenge that includes the origin.
- TOTP apps (Google Authenticator, Aegis, Bitwarden Authenticator) — not phishing resistant, but much better than SMS. Raises the attack cost significantly.
- SMS codes — use only if nothing else is available.
For most people: use a TOTP app on your most important accounts. For high-value accounts (email, banking, primary identity): use passkeys or hardware keys if supported.
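To make the difference between TOTP and passkeys concrete, here is an added example (not code from the original article) in Python. It implements RFC 6238 TOTP with the standard library and a deliberately simplified WebAuthn assertion flow: the browser fills in the page's real origin in clientDataJSON, and the relying party (RP) checks that origin before accepting the signature. A TOTP code carries no information about where the user typed it, so a relayed code verifies just like a genuine one; a relayed WebAuthn assertion fails the origin check. The HMAC used as the authenticator's "signature" is a stand-in for the real ECDSA keypair so the example runs without a crypto library; the origins and credential key are constructed values.

```python
import base64
import hashlib
import hmac
import json
import secrets
import struct
import time

# --- TOTP (RFC 6238): HMAC-SHA1 over the 30 s time step, dynamic truncation ---

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def verify_totp(secret: bytes, code: str, unix_time=None) -> bool:
    # Nothing here knows which web origin the user typed the code into.
    if unix_time is None:
        unix_time = int(time.time())
    return hmac.compare_digest(totp(secret, unix_time), code)

# --- WebAuthn assertion, simplified -----------------------------------------
# A real authenticator signs with an asymmetric key (e.g. ECDSA P-256) and the
# RP stores the public key; here an HMAC keyed with a per-credential secret
# stands in for that signature (assumption for a self-contained example). The
# browser additionally refuses to use a credential whose rpId does not match
# the page's domain; this example shows only the RP-side origin check.

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def authenticator_sign(cred_key: bytes, rp_id: str, client_data_json: bytes) -> dict:
    # authenticatorData = SHA-256(rpId) || flags (UP set) || 32-bit sign counter
    authenticator_data = hashlib.sha256(rp_id.encode()).digest() + bytes([0x01]) + b"\x00\x00\x00\x01"
    to_sign = authenticator_data + hashlib.sha256(client_data_json).digest()
    sig = hmac.new(cred_key, to_sign, hashlib.sha256).digest()
    return {"authenticatorData": authenticator_data, "clientDataJSON": client_data_json, "signature": sig}

def browser_get_assertion(cred_key: bytes, rp_id: str, page_origin: str, challenge: bytes) -> dict:
    # The browser, not the page's JavaScript, sets "origin" to the page's real origin.
    client_data = {"type": "webauthn.get", "challenge": b64url(challenge), "origin": page_origin}
    return authenticator_sign(cred_key, rp_id, json.dumps(client_data).encode())

def rp_verify_assertion(cred_key: bytes, rp_id: str, expected_origin: str,
                        issued_challenge: bytes, assertion: dict) -> bool:
    client_data = json.loads(assertion["clientDataJSON"])
    if client_data.get("type") != "webauthn.get":
        return False
    if client_data.get("challenge") != b64url(issued_challenge):   # replay protection
        return False
    if client_data.get("origin") != expected_origin:                # phishing resistance
        return False
    if assertion["authenticatorData"][:32] != hashlib.sha256(rp_id.encode()).digest():
        return False
    to_sign = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(cred_key, to_sign, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])

def demo() -> dict:
    secret = b"12345678901234567890"          # RFC 6238 test-vector secret
    cred_key = secrets.token_bytes(32)        # constructed per-credential key
    rp_id, real_origin = "example.com", "https://example.com"
    phish_origin = "https://example-login.invalid"   # constructed lookalike origin
    challenge = secrets.token_bytes(32)
    now = 59
    code = totp(secret, now)                  # the user types this into either site
    genuine = browser_get_assertion(cred_key, rp_id, real_origin, challenge)
    relayed = browser_get_assertion(cred_key, rp_id, phish_origin, challenge)
    return {
        "totp_code_valid_regardless_of_origin": verify_totp(secret, code, now),
        "webauthn_genuine_accepted": rp_verify_assertion(cred_key, rp_id, real_origin, challenge, genuine),
        "webauthn_relayed_accepted": rp_verify_assertion(cred_key, rp_id, real_origin, challenge, relayed),
    }

if __name__ == "__main__":
    print(demo())
```

The TOTP function reproduces the RFC 6238 test vector (secret `12345678901234567890`, time 59, SHA-1 gives `94287082` at 8 digits), which is a useful sanity check for any authenticator implementation.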
4. Breach monitoring
Your credentials may be in breach databases without your knowledge. Services to check:
- HaveIBeenPwned.com — free, covers billions of records
- Most password managers have built-in breach alerts via HaveIBeenPwned’s API
Check your email addresses at HaveIBeenPwned now. If a password from a breached account is reused anywhere, change it.
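The built-in breach alerts mentioned above typically use the Pwned Passwords range API, which never receives the password itself: the client sends only the first five hex characters of the SHA-1 hash and scans the returned list of suffixes locally (k-anonymity). The following is an added example, not code from the article or from HaveIBeenPwned; the sample response and its counts are constructed, and `check_password_live` is provided for readers who want to try the real endpoint.

```python
import hashlib
import urllib.request

RANGE_API = "https://api.pwnedpasswords.com/range/"

def sha1_prefix_suffix(password: str):
    """Split the uppercase hex SHA-1 of the password into the 5-char prefix
    that is sent to the service and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def count_in_range_response(password: str, response_text: str) -> int:
    """Parse a range response (lines of 'SUFFIX:COUNT') and return how many
    times the password appeared in breaches, or 0 if its suffix is absent."""
    _, suffix = sha1_prefix_suffix(password)
    for line in response_text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.strip().upper() == suffix:
            return int(count.strip())
    return 0

def fetch_range(prefix: str, timeout: float = 10.0) -> str:
    # Add-Padding asks the service to pad the response so its size does not
    # leak how many suffixes share the prefix; padded entries have count 0.
    req = urllib.request.Request(
        RANGE_API + prefix,
        headers={"User-Agent": "breach-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")

def check_password_live(password: str) -> int:
    """Network call; only the 5-char hash prefix leaves the machine."""
    prefix, _ = sha1_prefix_suffix(password)
    return count_in_range_response(password, fetch_range(prefix))

# Constructed sample response for prefix 5BAA6 (the prefix of SHA-1("password")).
# A real response holds several hundred suffixes; the counts here are made up.
SAMPLE_RESPONSE = """1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1F4A7BDA2B3E5F6D7E8F9A0B1C2D3E4F5A6:0
"""

if __name__ == "__main__":
    print("password ->", count_in_range_response("password", SAMPLE_RESPONSE))
```

A password manager runs exactly this check against each stored entry; a non-zero count means the password is in a public breach corpus and should be treated as known to attackers, whether or not that specific account was involved.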
5. Master password strength
Your vault’s master password is the single point of failure. Make it:
- At least 16 characters (20+ is better)
- Random — use a passphrase from a wordlist, or a random string you write down and store securely
- Never used anywhere else
The threat here is offline brute force if an attacker obtains your encrypted vault. A 20-character random password with a good KDF (Argon2id at reasonable parameters) makes offline attacks impractical.
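As an added illustration of the length-over-complexity point and of the offline-attack arithmetic for a vault master password (not code from the original article): the Python below computes the entropy of a uniformly random password or wordlist passphrase, generates one with the standard library's `secrets` module, and estimates the expected cracking time under an assumed guess rate. The attacker guess rates and the eight-word sample list are assumptions labelled in the code; 7776 is the size of a standard diceware list.

```python
import math
import secrets
import string

# Constructed stand-in wordlist; a real diceware list has 7776 entries.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "anchor", "velvet", "quartz", "meadow"]
DICEWARE_LIST_SIZE = 7776

# Assumed attacker rates (illustrative orders of magnitude, not measurements):
FAST_HASH_RATE = 1e11   # unsalted fast hash such as MD5/SHA-1 on a GPU rig
ARGON2ID_RATE = 1e4     # memory-hard KDF at reasonable parameters

def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a string chosen uniformly at random: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)

def generate_password(length: int = 20, alphabet: str = string.ascii_lowercase) -> str:
    """Uniform random password from a CSPRNG; entropy is entropy_bits(len(alphabet), length)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

def generate_passphrase(words, count: int = 6, sep: str = "-") -> str:
    """Uniform random passphrase; entropy is entropy_bits(len(words), count)."""
    return sep.join(secrets.choice(words) for _ in range(count))

def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to guess a uniform secret: half the keyspace on average."""
    return (2.0 ** bits) / 2.0 / guesses_per_second

def compare_schemes() -> dict:
    """Entropy of the schemes the article contrasts."""
    return {
        "10 chars, 95 printable ASCII": entropy_bits(95, 10),
        "20 chars, lowercase only": entropy_bits(26, 20),
        "20 chars, 95 printable ASCII": entropy_bits(95, 20),
        "6 diceware words": entropy_bits(DICEWARE_LIST_SIZE, 6),
    }

if __name__ == "__main__":
    year = 365.25 * 24 * 3600
    for name, bits in compare_schemes().items():
        fast = expected_crack_seconds(bits, FAST_HASH_RATE) / year
        slow = expected_crack_seconds(bits, ARGON2ID_RATE) / year
        print(f"{name:30s} {bits:6.1f} bits  fast hash: {fast:10.3g} y  Argon2id: {slow:10.3g} y")
    print("example password:  ", generate_password())
    print("example passphrase:", generate_passphrase(SAMPLE_WORDS))
```

The 20-character lowercase password comes out near 94 bits against roughly 66 bits for 10 printable-ASCII characters, which is the article's point in numbers; the Argon2id column shows why the KDF matters for a stolen vault, since it cuts the attacker's guess rate by many orders of magnitude compared with a fast hash.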
What doesn’t matter much
- Rotating passwords on a schedule — required by some old corporate policies, actively harmful (forces predictable patterns). Change passwords when breached, not on a calendar.
- Symbols and case-mixing requirements — add minimal entropy versus length. Password complexity requirements often produce Password1!-style predictable patterns.
- “Security questions” — not security. Answer with random strings stored in your vault.
Starting point
If you’re not using a password manager yet:
- Install Bitwarden (free) or 1Password (paid)
- Generate and save unique passwords for every account you care about over the next few weeks as you log in
- Enable TOTP-based 2FA on your email provider first, then every other service that offers it
- Check HaveIBeenPwned for your email addresses
That’s it. You’re now more secure than the majority of internet users.