Target Hardening
February 2, 2026
Think about your physical keys for a moment.
You probably have a key to your house, maybe one to your car, possibly one to your office. They’re all different. If someone found your car key, they couldn’t use it to walk into your house.
Now think about your passwords.
If you’re like most people, you use the same password—or minor variations of it—across dozens of websites and apps. Maybe you add a number at the end for some sites. Maybe you capitalize a letter. But the core password is the same.
Here’s the problem: if any one of those sites gets breached, every account sharing that password is compromised.
Data breaches happen constantly. Companies you’ve never heard of get hacked, and databases full of usernames and passwords end up for sale on criminal forums. The website haveibeenpwned.com tracks known breaches. As of now, they’ve cataloged over 14 billion compromised accounts.
When criminals get these password lists, they don’t manually try logging into your bank. They use automated tools that test your email and password combination across hundreds of popular services in seconds. This is called credential stuffing, and it works because people reuse passwords.
The math is simple: if you use the same password on thirty sites, and one of those sites gets breached, you now have thirty vulnerable accounts.
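The automated testing described above leaves a recognisable trace on the receiving side: one source address trying many different accounts with mostly failed logins. The following detection logic, an added example that is not part of the original post, runs over constructed sample log lines (the format, addresses and usernames are assumptions) and flags such sources, also reporting any success, since a success from a stuffing burst means a reused password worked.

```python
import re
from collections import defaultdict

# Constructed sample of authentication log lines (not from any real system).
# 203.0.113.5 tests many different accounts with mostly failed logins: the
# credential-stuffing pattern. 198.51.100.7 is one user mistyping a password.
SAMPLE_LOG = """\
2026-02-02T10:00:01Z ip=203.0.113.5 user=alice@example.com result=fail
2026-02-02T10:00:01Z ip=203.0.113.5 user=bob@example.com result=fail
2026-02-02T10:00:02Z ip=203.0.113.5 user=carol@example.com result=success
2026-02-02T10:00:02Z ip=203.0.113.5 user=dave@example.com result=fail
2026-02-02T10:00:03Z ip=203.0.113.5 user=erin@example.com result=fail
2026-02-02T10:00:03Z ip=203.0.113.5 user=frank@example.com result=fail
2026-02-02T10:05:00Z ip=198.51.100.7 user=grace@example.com result=fail
2026-02-02T10:05:20Z ip=198.51.100.7 user=grace@example.com result=fail
2026-02-02T10:05:45Z ip=198.51.100.7 user=grace@example.com result=success
"""

LINE_RE = re.compile(r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\w+)")

def summarize_by_ip(log_text):
    """Per source IP: distinct usernames tried, plus failed and successful login counts."""
    stats = defaultdict(lambda: {"users": set(), "fail": 0, "success": 0})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["result"] not in ("fail", "success"):
            continue  # skip lines that do not match the assumed format
        entry = stats[m["ip"]]
        entry["users"].add(m["user"])
        entry[m["result"]] += 1
    return stats

def find_stuffing_sources(log_text, min_distinct_users=5, min_fail_ratio=0.7):
    """Flag IPs that try many distinct accounts with mostly failures.

    A normal user who forgot a password fails repeatedly on ONE account; a
    stuffing tool fails across MANY accounts. Successes are reported because
    each one is an account whose reused password has just been confirmed."""
    flagged = {}
    for ip, s in summarize_by_ip(log_text).items():
        attempts = s["fail"] + s["success"]
        if len(s["users"]) >= min_distinct_users and s["fail"] / attempts >= min_fail_ratio:
            flagged[ip] = {"distinct_users": len(s["users"]), "successes": s["success"]}
    return flagged

if __name__ == "__main__":
    print(find_stuffing_sources(SAMPLE_LOG))
```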
You’ve probably seen the requirements: eight characters, one uppercase, one number, one special character. This advice is outdated.
What actually matters is length and uniqueness.
Length: A 20-character password made of random words is vastly stronger than an 8-character password with symbols. Each additional character multiplies the number of possible combinations by the size of the character set, so the search space grows exponentially with length.
Uniqueness: A password that’s never been used before, anywhere, is stronger than any clever pattern. If your password appears in a breach database, its complexity doesn’t matter—attackers already have it.
The password “Tr0ub4dor&3” feels secure. It has mixed case, numbers, and a symbol. But it’s only 11 characters, follows predictable substitution patterns, and variations of it appear in breach databases.
The password “correct horse battery staple” is 28 characters, easy to remember, and significantly harder to crack. Length wins.
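To put numbers on the two passwords above, here is an added example (not code from the original post) that estimates their strength in bits under two attacker models: blind brute force over the character set, and an attacker who knows the scheme being used. The dictionary size, word-list size and the "word + substitutions + symbol + digit" pattern are illustrative assumptions; it also generates a random-word passphrase of the kind the post recommends as a master password.

```python
import math
import secrets
import string

# Assumed attacker models (illustrative assumptions, not measurements):
# a Diceware-style list of 7776 words, and a ~65k-word dictionary for pattern guessing.
WORDLIST_SIZE = 7776
DICTIONARY_SIZE = 65536

def charset_size(password):
    """Size of the character classes a naive brute-force attacker must cover."""
    classes = [(string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
               (string.digits, 10), (string.punctuation + " ", 33)]
    return sum(n for chars, n in classes if any(c in chars for c in password))

def brute_force_bits(password):
    """Entropy if the attacker knows nothing and tries every string over the charset."""
    return len(password) * math.log2(charset_size(password))

def pattern_bits(substitutions=2, dict_size=DICTIONARY_SIZE):
    """Entropy of 'dictionary word + leet substitutions + capital + symbol + digit',
    the pattern 'Tr0ub4dor&3' follows: word choice, one bit per substitutable letter,
    one bit for capitalisation, then a trailing symbol (33 choices) and digit (10)."""
    return math.log2(dict_size) + substitutions + 1 + math.log2(33) + math.log2(10)

def passphrase_bits(num_words, wordlist_size=WORDLIST_SIZE):
    """Entropy of num_words words drawn uniformly from the list, even when the
    attacker knows both the list and the scheme."""
    return num_words * math.log2(wordlist_size)

def generate_passphrase(wordlist, num_words=5):
    """Pick words with the OS CSPRNG (secrets), never random.choice."""
    return " ".join(secrets.choice(wordlist) for _ in range(num_words))

# Constructed stand-in word list; a real list has WORDLIST_SIZE entries.
DEMO_WORDS = ["correct", "horse", "battery", "staple", "anchor", "velvet", "planet", "quartz"]

if __name__ == "__main__":
    for pw in ("Tr0ub4dor&3", "correct horse battery staple"):
        print(f"{pw!r}: {brute_force_bits(pw):.1f} bits if brute-forced blindly")
    print(f"'Tr0ub4dor&3' when the attacker guesses the pattern: {pattern_bits():.1f} bits")
    print(f"4 random words: {passphrase_bits(4):.1f} bits; 5 words: {passphrase_bits(5):.1f} bits")
    print("example passphrase:", generate_passphrase(DEMO_WORDS))
```

Under the pattern model the substituted word drops to roughly 27 bits, while four random words from a known list keep about 52 bits, which is the sense in which length wins.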
The only practical way to use unique, strong passwords everywhere is to stop trying to remember them yourself.
A password manager is a program that:
You remember one master password to unlock the vault. The manager handles everything else.
The common objection: “But if someone gets into my password manager, they have everything!”
True. But consider the alternative: if someone gets one of your reused passwords from any breach, they potentially have everything anyway. At least with a password manager, there’s only one target to protect, and you can protect it well.
Recommended password managers:
Any of these is better than reusing passwords.
Changing all your passwords at once is overwhelming. Don’t try. Here’s a practical approach:
Day 1: Set up a password manager. Create a strong, unique master password—ideally a passphrase of 4-5 random words you can memorize.
Week 1: Change passwords for your most critical accounts—email, banking, anything financial. Use the password manager to generate and store unique passwords.
Ongoing: Every time you log into a site and the password manager doesn’t have the password, that’s a reminder. Update it to a unique generated password.
Within a few months, you’ll have unique passwords everywhere without ever doing a massive password reset marathon.
While we’re talking about account security, this deserves mention.
Two-factor authentication (2FA) means logging in requires something you know (password) plus something you have (usually your phone). Even if someone steals your password, they can’t log in without the second factor.
Enable 2FA on:
The strongest 2FA options:
Any 2FA is better than none.
Most people don’t change their habits because they’ve never been personally affected. “I’ve used the same password for years and nothing bad has happened.”
The thing about credential stuffing is that you might not know when it’s happened. Someone logs into your old Spotify account? You might not notice for months. An old forum account from 2015? You probably forgot it existed.
The serious damage happens when the password you used on that forgotten forum is the same one protecting your email. Once someone has your email, they can reset passwords to everything else.
The risk isn’t being personally targeted by sophisticated hackers. The risk is being collateral damage in the next breach, one of millions of credentials tested against millions of sites by automated tools.
If you do nothing else:
That’s the floor. Your email is the skeleton key to your digital life—anyone who controls it can reset passwords to everything else. Protect it first.
Everything else is incremental improvement from there. But that baseline protects you from the most common attack: someone finding a reused password in a breach and walking into your accounts.
Next in the Target Hardening series: “Settings That Actually Matter” — the defaults that are working against you and which ones are worth changing.