What is Good Password Hygiene in 2026?
In some of our more recent cyber-security posts, I’ve referenced the importance of good password habits as a vital element of making your online accounts harder to compromise. But what exactly does good password hygiene look like in 2026 and why is it something you need to continue to pay attention to?
Let’s answer the second question first. Hackers and data breaches are more common than ever, and not going away any time soon. It is virtually impossible to not have any online presence in today’s world, so we each have to do our part to keep our information as safe as possible online.
We often hear people expressing stress or angst about these potential threats, while continuing to engage in lazy cyber-security habits that leave them vulnerable. And password creation, use, and storage is one of the habits putting many of us at risk of exploitation by bad actors.
But password advice comes and goes… so what constitutes password best-practices today, in a world of rapidly advancing technology?

Consider Whether a Password is the Right Access Tool
Before we even discuss creating good passwords and storing them safely, it’s worth saying that a passkey is a substantially safer option than a password wherever one is available. A passkey is a cryptographic credential that lives on your device and is unlocked with that device’s PIN or biometric (facial recognition or fingerprint). There is no secret for you to type or remember, nothing for a breached website to leak, and the passkey only works on the site it was created for, so a look-alike phishing site cannot collect it. If you are logging into an account that already offers a passkey as a password alternative, that’s a far better option than even the longest, most complex, most unique password out there.
Right now, these are not universally available on every site where you might order coffee or check on your health insurance, but they’re becoming more and more available on larger platforms (like Google, Microsoft, and Apple) as well as on many sites that require higher levels of security, like those involved in money storage and financial transactions.

Set up Two Factor Authentication (2FA)
We know it’s a pain to have to retrieve that text message or open that authenticator app, but 2-Factor Authentication provides a high additional level of protection in a day and age where it is a near certainty that some of your passwords will be compromised at some point. So, wherever it is an option, turn it on, and use an authenticator app or a text message to receive the 2FA code, not email. Of the two, an authenticator app (or a hardware security key) is the stronger choice, because codes sent by text can be intercepted if a criminal transfers your phone number to a SIM they control; a text message is still far better than no second factor at all.
Not only will this typically prevent someone who has stolen your password from logging into your account, it will also alert you that someone is trying to use a compromised password. If you receive a text with a verification code, and you’re not trying to log in to the site it’s coming from, it almost certainly means someone has your password, and you need to log into the site immediately and create a new one.
And, although we wish we didn’t have to say it, DON’T share a 2FA code with anyone.
No one legitimate will ever call you and ask you for that code. If you get a 2FA code, and a phone call from the company who sent it asking you for it, HANG UP!
2FA codes are not meant to be shared, and no legitimate company is ever going to call, text, or email you and ask you for them.

Make Your Passwords Long, Complex, and Unique

Long and complex passwords are harder to hack by “Brute Force” (where someone sets a computer to simply try as many candidate passwords as possible until it finds one that works). In practice this rarely happens against a live login page, because most sites lock or slow down an account after a handful of wrong guesses. The real danger is that a site gets breached, the attacker walks away with its database of password hashes, and then guesses billions of passwords per second against those hashes on their own hardware. How long, and how complex, a password needs to be to resist that changes over time as hardware gets faster, but going into 2026, we’d recommend 16 characters or longer.
Hive Systems puts out a table each year that basically shows you how quickly your passwords could be brute-force hacked based on length and complexity, and their 2025 table is published on their website.
Unique passwords are also extremely important, but for a different reason. And by unique, we don’t mean slight variations on the same password. An extremely common way that bad actors get access to your accounts is by hacking a relatively non-secure site, and then using the data found there, including your username and password, to attempt to log in to higher stakes sites – like your bank or your email. This is called credential stuffing, and it is automated: the stolen username and password pairs are tried against hundreds of popular sites in bulk.
If you’re using the same password for everything, you’re basically giving someone a free pass into those accounts. The reality is, while it’s important to protect against brute force, most account takeovers start with password reuse, not brute force hacking.
We understand that the requirement for unique passwords can be extremely overwhelming now that the average person has between 170 and 190 password protected accounts.
So, if you’re feeling overwhelmed by the task in front of you, start with the most critical log-ins first! Online banking, email, and any other place where highly sensitive data is stored should be at the top of your list to create long, complex unique passwords, making it less likely that if your health insurance provider gets hacked, they’ll be giving up the key to your bank account.

Use a Reputable Password Manager
Strong passwords can be hard to remember and even harder to generate, so the use of a good, reputable password manager is an important tool. Not only does it securely store passwords, but a good password manager also encourages the creation and use of long, complex, and unique passwords.
Even better, a password manager provides an additional layer of protection against phishing. It only offers to fill a password when the web address of the page exactly matches the address it was saved from, so on a fraudulent site that merely looks like the one you normally use, nothing is filled in. That silence is a warning sign worth paying attention to.
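To show what that origin check looks like, here is a small added example (not code from the original post, and not any real password manager’s implementation). It keeps a constructed, hypothetical vault keyed by the exact origin (scheme, host, port) a login was saved on, and refuses to hand over a password for look-alike hosts, subdomain tricks, plain-http copies of the site, and the `user@host` trick that hides the real host behind a familiar-looking name.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample vault for the example: saved login origin -> password.
# Hypothetical data, not from any real product or site.
VAULT = {
    "https://www.example-bank.com": "correct horse battery staple",
}


def origin_of(url: str) -> Optional[str]:
    """Reduce a URL to its origin (scheme, host, port).

    Returns None for anything that is not a well-formed https URL, so odd or
    malformed inputs fail closed rather than matching by accident.
    """
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme != "https" or not parts.hostname:
        return None
    host = parts.hostname.lower().rstrip(".")
    if port is None or port == 443:
        return f"https://{host}"
    return f"https://{host}:{port}"


def lookup(url: str) -> Optional[str]:
    """Return the saved password only when the page's origin exactly matches
    a saved origin. A look-alike host gets nothing, which is the
    'it didn't autofill' signal the text describes."""
    origin = origin_of(url)
    if origin is None:
        return None
    return VAULT.get(origin)


if __name__ == "__main__":
    for candidate in [
        "https://www.example-bank.com/login",            # the real site
        "https://www.examp1e-bank.com/login",            # digit 1 for letter l
        "https://www.example-bank.com.evil-login.net/",  # real name as a subdomain
        "http://www.example-bank.com/login",             # no TLS
        "https://www.example-bank.com@evil-login.net/",  # userinfo trick
    ]:
        print(f"{candidate:50} -> {'FILL' if lookup(candidate) else 'no autofill'}")
```

Real password managers are a little more generous than this (most treat `example-bank.com` and `www.example-bank.com` as the same site), but the principle is the same: the decision is made on the address the browser actually loaded, not on what the page looks like, which is exactly the thing a phishing page cannot fake.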
Typically, it is best not to rely on the password managers built into your browser, as they often lack important security features.
For example, Google Chrome’s password manager is not zero-knowledge by default: unless you turn on its optional on-device encryption, your stored passwords are technically accessible to Google. But, even more problematically, if your Google Account is compromised, so are all your passwords. And, since people often take a very relaxed approach to their email security, often leaving themselves logged in indefinitely on all of their devices, it’s best NOT to have your password protection connected to your Google/Gmail account, as it creates a single point of failure (especially if your Gmail account is also what you’re using for 2 Factor Authentication, which is why we recommend text or authenticator apps).

Keep your Computer and Other Devices Password Protected

Leaving your computer, phone, tablet or other devices without password protection (or password protected, but regularly left unlocked when you’re not around) is dangerous on its own. Combine it with habits like staying perpetually logged in to sites like your email provider, or skipping two factor authentication on your home or “recognized” computer, and anyone who sits down at that device inherits every account you left open. The fix is simple: put a strong password on your computer, and routinely, habitually, lock your devices when you are away from them.
To lock your computer, you can use the keyboard shortcut Windows Key + L on a PC or Control + Command + Q on a Mac. Once you do that, you, or anyone else trying to access your computer, will be required to re-enter your password, PIN, or biometric ID to regain access to your computer, and all the things you may have left yourself logged in to.

Most of us don’t consider the people we invite into our homes to be major security risks, but the reality is, there are often a lot of people in and out of our homes (friends, family, and service providers).
If you wouldn’t leave $500 lying around on the table when these folks were visiting, you should ask yourself why you feel so comfortable leaving easy access to an unprotected computer that could be easily logged into your bank account.
Again – we wish we didn’t have to say it, but please don’t leave your password taped to the bottom of your keyboard. No sticky notes allowed!
Ideally, pick a password you can remember, and don’t write it down anywhere, or if you do need to write it down, keep it locked up securely.

Your Awareness Remains Key in Keeping Your Log In Credentials Safe.
The unfortunate reality is that technology is constantly evolving, and you can put a lot of systems in place to protect your passwords but still be a victim of fraud.
One of the best tools you have is to maintain awareness while using the internet to keep yourself and your login credentials safe.
In many ways, the mindlessness with which we engage our technology is a major culprit here. We wouldn’t dare cross a busy 4-lane road while distracted by a million other things (well, we shouldn’t anyway), yet we’re prone to do just that when it comes to clicking around on the internet.
We know it’s hard, but working to adopt more intentional and awareness-based habits when you’re using email, downloading apps, and entering your log in credentials is extremely important.
So, as you embark on creating safer overall password practices for yourself, we also encourage you to try to stay present while working online.
It’s a good idea to practice:
- An intentional pause before you click on links in emails. If you’re not sure, don’t click on it, and find an independent way to verify its legitimacy.
- Notice that feeling you get when something feels off. If you’ve gone to a website, but your password manager isn’t automatically filling your credentials, that might at first make you wonder if your password manager is working correctly, but realistically, what you should be wondering is, “am I really on the site I think I am?”
- Take security breaches seriously and assume that after them, your login credentials are out there. Using a site like Have I Been Pwned can show you which breaches have exposed your email address, and its Pwned Passwords service can tell you whether a password you use has already turned up in a breach. Seeing just how many of your supposedly secret passwords are already public may help motivate you to create newer, stronger, more unique passwords in the future.
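A reasonable worry about checking a password against a breach service is that you have to send it your password. Have I Been Pwned’s Pwned Passwords service avoids that with a “k-anonymity” design: your device hashes the password with SHA-1, sends only the first five characters of the hash to `https://api.pwnedpasswords.com/range/<prefix>`, and gets back every hash suffix in that bucket with a count, so the service never learns which password you were asking about. The following is an added example, not code from the original post or from Have I Been Pwned, showing the client side of that exchange. It runs offline against a constructed, made-up server response rather than calling the real service; the counts and the other suffixes in that sample are invented.

```python
import hashlib
from typing import Tuple

# Constructed sample response, shaped like the 'SUFFIX:COUNT' lines the range
# endpoint returns. The counts and the unrelated suffixes are made up for this
# example; only the third line corresponds to a real hash (SHA-1 of "password").
SAMPLE_RESPONSE = """\
003D68EB55068C33ACE09247EE4C639306B:3
012C192B2F16F82EA0EB9EF18D9D539B0DD:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234
1E8D6C4C2B8EAD7ED3EBA7E9B0D2C8A8A1F:1
"""


def sha1_upper_hex(password: str) -> str:
    """Hex SHA-1 of the password, upper-cased to match the service's format."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str) -> Tuple[str, str]:
    """Return (prefix, suffix): only the 5-character prefix ever leaves the
    device; the 35-character suffix is compared locally."""
    digest = sha1_upper_hex(password)
    return digest[:5], digest[5:]


def count_in_range_response(suffix: str, response_text: str) -> int:
    """Scan the returned bucket for our suffix and report its breach count,
    or 0 if it is absent."""
    for line in response_text.splitlines():
        line = line.strip()
        if not line:
            continue
        found_suffix, _, count = line.partition(":")
        if found_suffix.upper() == suffix:
            return int(count)
    return 0


def check_password_offline(password: str, response_text: str) -> int:
    """Full client-side flow against an already-fetched bucket.

    In a real client you would fetch https://api.pwnedpasswords.com/range/<prefix>
    between the two steps; that network call is deliberately left out here.
    """
    _prefix, suffix = split_for_range_query(password)
    return count_in_range_response(suffix, response_text)


if __name__ == "__main__":
    for candidate in ["password", "correct horse battery staple"]:
        prefix, _ = split_for_range_query(candidate)
        seen = check_password_offline(candidate, SAMPLE_RESPONSE)
        verdict = f"seen {seen} times in breaches" if seen else "not in this bucket"
        print(f"{candidate!r}: would send prefix {prefix}, {verdict}")
```

The point to take from this is where the comparison happens: the password itself, and even its full hash, stay on your machine, and the server only ever sees a prefix shared by hundreds of other hashes. That is what makes it safe to run this kind of check against passwords you actually use.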
The Best Way to Eat an Elephant…
…is still one bite at a time. We know how poor most people’s password and computer security habits are. We see it and hear about it all the time. But we also know that for many, it can be overwhelming and incredibly time consuming to do this all at once, and that the overwhelm can stop you in your tracks.
So, if all you do today, to start, is set a unique, long, complex password (or better yet a passkey) on each of your financial accounts, or even just on one of them, that’s a great place to start.
Maybe next week, tackle another item on this list. Don’t let the amount of work that might be in front of you stop you from taking small, meaningful steps in the right direction.

