Password Hygiene Checklist
Master password security with best practices for creating, managing, and protecting your credentials.
Complete Password Security Guide
Strong password hygiene is your first line of defense against unauthorized access. Follow this comprehensive checklist to ensure your passwords protect rather than expose you.
Password Creation Standards
Minimum Length: 12 Characters
Use at least 12 characters for standard accounts, 16+ for critical accounts like email and banking.
Character Variety
Include uppercase letters, lowercase letters, numbers, and special characters.
Avoid Dictionary Words
Don't use complete words, names, or common phrases that can be found in dictionaries.
No Personal Information
Never include birthdays, names, addresses, phone numbers, or other personal data.
Unique for Each Account
Every account must have a completely different password to prevent cascade failures.
Unpredictable Patterns
Avoid keyboard patterns like "qwerty" or sequential numbers like "12345".
Password Strength Examples
- Weak: password123 (too short, dictionary word, predictable)
- Fair: P@ssw0rd2024 (common substitutions, still guessable)
- Good: Tr0p!c@l$unset#92 (longer, varied characters, harder to crack)
- Excellent: 8Qx#mK2p$vL9@nT5zR (random, long, maximum security)
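The creation rules above (length, character variety, no dictionary words, no personal data, no keyboard or sequential patterns) can be turned into a scoring function. This is an added example, not part of the original checklist; the word list, keyboard rows and the leet-substitution map are small constructed stand-ins for the full lists a real checker would load, and the scoring thresholds are chosen so the four example passwords land in the categories the checklist gives them.

```python
import string

# Constructed stand-ins: a real checker would load a full dictionary/common-password list.
COMMON_WORDS = {"password", "qwerty", "letmein", "welcome", "admin",
                "tropical", "sunset", "dragon", "monkey"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890", "0987654321")
# Undo common substitutions before the dictionary check, so "P@ssw0rd" reads "password".
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "$": "s", "5": "s",
                      "1": "i", "!": "i", "3": "e", "7": "t"})


def check_password(pw, personal_terms=()):
    """Return (rating, findings) for pw against the checklist's creation rules."""
    findings = []
    low = pw.lower()
    norm = low.translate(LEET)
    long_enough = len(pw) >= 12
    if not long_enough:
        findings.append("shorter than 12 characters")
    varied = all([any(c.isupper() for c in pw), any(c.islower() for c in pw),
                  any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw)])
    if not varied:
        findings.append("missing a character class (upper/lower/digit/special)")
    weaknesses = 0  # violations the checklist calls guessable: words, personal data, patterns
    hits = sorted(w for w in COMMON_WORDS if w in low or w in norm)
    if hits:
        findings.append("dictionary word(s): " + ", ".join(hits))
        weaknesses += 1
    for term in personal_terms:  # birthdays, names, pet names supplied by the user
        if term.lower() in low or term.lower() in norm:
            findings.append("personal information: " + term)
            weaknesses += 1
    for i in range(len(low) - 2):
        chunk = low[i:i + 3]  # 3-character runs such as "123" or "qwe"
        if any(chunk in row for row in KEYBOARD_ROWS):
            findings.append("keyboard/sequential pattern: " + chunk)
            weaknesses += 1
            break
    # Credit for length (12+, 16+) and variety, one point off per guessability weakness.
    score = int(long_enough) + int(len(pw) >= 16) + int(varied) - weaknesses
    rating = ("Weak", "Fair", "Good", "Excellent")[max(0, min(score, 3))]
    return rating, findings


if __name__ == "__main__":
    for pw in ("password123", "P@ssw0rd2024", "Tr0p!c@l$unset#92", "8Qx#mK2p$vL9@nT5zR"):
        print(pw, *check_password(pw))
```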
Password Manager Setup
Choose Reputable Password Manager
Select from established options: 1Password, Bitwarden, Dashlane, or LastPass.
Create Strong Master Password
Use a long, memorable passphrase that you'll never forget. Consider using 4-6 random words.
Enable Two-Factor Authentication
Add 2FA to your password manager for an extra layer of protection.
Install on All Devices
Install the password manager app and browser extensions on all your devices.
Import Existing Passwords
Transfer passwords from browsers and other sources into your password manager.
Set Up Emergency Access
Configure emergency access for a trusted person in case you lose access.
Password Replacement Protocol
Follow this systematic approach to update all your passwords:
Priority 1: Critical Accounts
Start with email, banking, investment accounts, and primary social media (these can be used to reset other accounts).
Priority 2: Financial Services
Update payment processors, credit cards, insurance, retirement accounts.
Priority 3: Work & Professional
Change passwords for work email, cloud storage, professional networking sites.
Priority 4: Shopping & Subscriptions
Update e-commerce sites, streaming services, online subscriptions.
Priority 5: Other Accounts
Replace passwords on forums, gaming accounts, and other lower-risk sites.
Password Management Best Practices
Never Share Passwords
Don't share passwords via email, text, or messaging apps. Use password manager sharing features instead.
Don't Save in Browser
Browser password storage is less secure than dedicated password managers. Use a proper password manager instead.
Never Write Down Passwords
Avoid writing passwords on paper, sticky notes, or unencrypted digital documents.
Use Generated Passwords
Let your password manager generate random passwords instead of creating them yourself.
Regular Security Audits
Use your password manager's security audit feature to identify weak or reused passwords.
Monitor for Breaches
Use services like Have I Been Pwned to check if your passwords have been compromised.
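Have I Been Pwned's Pwned Passwords lookup uses k-anonymity: only the first five hex characters of the password's SHA-1 are sent, the service returns every suffix in that range with its breach count, and the comparison happens locally. This is an added example, not code from the checklist or from Have I Been Pwned; the sample response body and its counts are constructed, and `fetch_range_live` is the only part that touches the network.

```python
import hashlib
import urllib.request


def hibp_parts(password):
    """Split SHA-1(password) into the 5-char prefix that is sent to the range API
    and the 35-char suffix that never leaves the device."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range_response(suffix, body):
    """Parse a range reply ('SUFFIX:COUNT' per line) and return the count for our
    suffix, or 0 if the suffix is not listed (i.e. not in any known breach)."""
    for line in body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range_live(prefix):
    """Fetch the real range from the Pwned Passwords API (network access required)."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_pwned(password, fetch_range=fetch_range_live):
    """Return how many times the password appears in the breach corpus."""
    prefix, suffix = hibp_parts(password)
    return count_in_range_response(suffix, fetch_range(prefix))


# Constructed sample reply for prefix 5BAA6 (the range containing SHA-1("password")).
# The neighbouring suffixes and all counts are made up for this example.
SAMPLE_RESPONSE = """1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:123456
1E2AAA439C4C44B0C5D0F8F5C5B5D7A7B23:1
"""

if __name__ == "__main__":
    print(check_pwned("password", lambda prefix: SAMPLE_RESPONSE))  # offline demo
```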
When to Change Passwords
Update your passwords in these situations:
- Immediately: If you suspect account compromise or receive breach notification
- Immediately: After using a public/shared computer
- Immediately: If you shared the password with someone who no longer needs access
- Every 3-6 months: For high-value accounts (banking, investments)
- Annually: For lower-risk accounts as part of security audit
- Never: If password is strong, unique, and not compromised (frequent changes without reason can reduce security)
Multi-Factor Authentication
Passwords alone aren't enough. Always enable 2FA:
Best: Security Keys
Physical hardware keys (YubiKey, Google Titan) provide strongest protection against phishing.
Better: Authenticator Apps
Apps like Google Authenticator, Authy, or Microsoft Authenticator generate time-based codes.
Good: SMS Codes
Text message codes are better than nothing but vulnerable to SIM swapping attacks.
Avoid: Email Codes
Email-based 2FA is the weakest option, since an email compromise defeats the second factor.
Security Questions
Use Fake Answers
Security question answers should be random and stored in your password manager, not real information.
Example Approach
Question: "Mother's maiden name?" Answer: "BlueTractor$2019" - Treat it like another password.
Store in Password Manager
Save security questions and fake answers in your password manager's notes field.
Password Recovery Planning
Backup Master Password
Write your master password on paper, seal it in an envelope, and store it in a safe or safety deposit box.
Recovery Codes
Save 2FA recovery codes in secure offline location separate from password manager.
Account Recovery Options
Update recovery email addresses and phone numbers to ensure you can regain access.
Emergency Access
Set up emergency access in password manager for trusted family member.
Common Password Mistakes to Avoid
Don't Do This:
- Using "Password123" or "Qwerty123" variations
- Creating passwords like "Website1!" for each site
- Using personal info: "John1985" or "Fluffy2024"
- Simple substitutions: "P@ssw0rd" or "L3tm3!n"
- Emailing passwords to yourself
- Reusing passwords across multiple accounts
- Keeping default passwords on devices or services
- Sharing passwords via insecure channels
Passphrase Method
For master passwords you need to memorize, use the passphrase method:
Example Passphrase Creation:
Step 1: Choose 4-6 random words: "correct horse battery staple"
Step 2: Add numbers and symbols: "correct7Horse$battery2Staple!"
Step 3: Make it memorable with a story: "The correct horse costs $7, needs 2 batteries, and pulls a staple truck!"
Result: Long, secure, and memorable
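Both the "Use Generated Passwords" advice and Steps 1-2 of the passphrase method come down to drawing from a cryptographically secure random source. The following is an added example, not part of the checklist: `random_password` guarantees every character class the creation standards ask for, and `passphrase` joins 4-6 random words with digits and symbols in the shape of the "correct7Horse$battery2Staple!" example. The word list is a constructed stand-in; a real implementation would use a published list such as the EFF long word list.

```python
import secrets
import string

CLASSES = (string.ascii_uppercase, string.ascii_lowercase, string.digits, "!@#$%^&*")
# Constructed mini word list; replace with a published diceware-style list for real use.
WORDS = ("correct", "horse", "battery", "staple", "tractor", "blue", "copper",
         "violin", "harbor", "mango", "cactus", "pillow", "thunder", "marble")


def random_password(length=18):
    """Random password with at least one character from each class (for the manager to store)."""
    if length < len(CLASSES):
        raise ValueError("length too small to cover every character class")
    chars = [secrets.choice(cls) for cls in CLASSES]  # guarantee variety
    chars += [secrets.choice("".join(CLASSES)) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)  # hide where the guaranteed characters sit
    return "".join(chars)


def passphrase(n_words=5):
    """Steps 1-2 of the passphrase method: random words separated alternately by a
    digit and a symbol, every second word capitalised (e.g. correct7Horse$battery2Staple!)."""
    if not 4 <= n_words <= 6:
        raise ValueError("the method uses 4-6 words")
    out = ""
    for i in range(n_words):
        word = secrets.choice(WORDS)
        out += word.capitalize() if i % 2 else word
        out += secrets.choice(string.digits) if i % 2 == 0 else secrets.choice("!$#%&")
    return out


def has_all_classes(pw):
    """True when pw contains upper, lower, digit and symbol characters."""
    return all(any(c in cls for c in pw) for cls in CLASSES)


if __name__ == "__main__":
    print(random_password())
    print(passphrase(4))
```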
Business Password Policies
If you manage passwords for a team or business:
- Require password managers for all employees
- Mandate unique passwords for all business accounts
- Enforce MFA on all critical business systems
- Implement password sharing via secure tools only
- Regular training on password security
- Audit employee password practices quarterly
- Immediate password changes when employees leave
- Separate personal and business passwords completely