Why Even Strong Passwords Aren't Enough Anymore
This World Password Day, it’s time to rethink everything you thought you knew about password safety (and how to actually protect your digital life)
We’ve been trained to believe one thing about passwords: “If it’s complex, I’m good to go.”
Set your password to something like “9n5yHvWVm%3j6jCD@b31” and basically forget it.
But here's the uncomfortable reality:
Complex passwords are no longer enough. They’re now just one part of the account security equation. In fact, the “complex password” advice may be a problem by giving a false sense of security.
Please don’t take this the wrong way. Complex passwords are important, but they’re not a silver bullet.
Even tech-savvy folks fall into this trap. Maybe they use a password manager and set strong passwords. They assume they’re safe.
But then… one reused password here, one forgotten, unsecured account there, and now the door is cracked open to a Bad Actor. Or your login credentials could be sitting in a leaked database right now, waiting to be used against you.
So this World Password Day, don’t just pat yourself on the back for having a strong password. Take the opportunity to ask a better question:
What else can I do to lock things down, before someone else finds the gaps?
Below are some suggested steps for stacking password-related privacy wins. Be sure to at least scroll to the end for a graphic summarizing these steps, which is great to share with your friends, family and social networks.
The Small Privacy and Security Wins: Easy actions that make a huge difference
Let’s start with some low-hanging fruit. These are things you can do right now that will instantly make you a harder target.
1. Start using a password manager
If you’re still memorizing passwords or recycling your go-to combo with a number tacked on (we see you, Password123!), you’re playing with fire.
A password manager makes it easy to generate and store strong, unique passwords for every site you use. That way, if one site gets hacked (and it will), your other accounts stay safe.
Top password manager picks:
ProtonPass – a good fit for Protonmail and ProtonVPN users
Bitwarden – open source and privacy-friendly
2. Enable two-factor authentication (2FA) everywhere
This is an extra line of defense. Even if someone gets your password, they can’t get in without that second step.
But don’t use SMS/texting if you have other options.
Instead, use an authenticator app like Ente Auth. SMS codes can be hijacked via SIM swap attacks.
3. Check if your credentials have been leaked
Go to haveibeenpwned.com and enter your email addresses. If you see hits, it means your passwords have been exposed, and you should change them immediately.
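A related check you can script yourself, added here as an example and not part of the original post: the Pwned Passwords range API from the same service lets you test a password against the breach corpus without ever sending the password, because only the first five characters of its SHA-1 hash leave your machine (the k-anonymity design). The sample response and its counts below are constructed; `fetch_range_live` calls the real endpoint.

```python
import hashlib
import urllib.request

# Constructed excerpt of what the range endpoint returns for prefix 5BAA6 (real
# responses run to several hundred lines). Each line is the remaining 35 hex
# characters of a SHA-1 hash plus how often it was seen in breaches. The second
# line is the genuine SHA-1 of "password"; the other suffixes and all counts are made up.
SAMPLE_RANGE = {
    "5BAA6": (
        "1D2C6F0BE4B2ECA1F2B5A8C0E7D3A9F1B4C:2\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9659365\n"
        "2A7F1C3E5D9B8A6F4E2D1C0B9A8F7E6D5C4:0\n"  # padding entry (count 0)
    )
}

def split_sha1(password: str) -> tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a lookup table; blank lines are skipped."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep:
            counts[suffix.upper()] = int(count)
    return counts

def fetch_range_sample(prefix: str) -> str:
    return SAMPLE_RANGE.get(prefix, "")

def fetch_range_live(prefix: str) -> str:
    # Real endpoint: only the 5-char prefix is sent. Add-Padding makes the
    # response size uninformative to anyone watching the network.
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "pwned-range-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def breach_count(password: str, fetch_range=fetch_range_sample) -> int:
    """Times the password appears in the corpus; 0 means not found. Padding
    entries carry count 0, so they can never produce a false hit."""
    prefix, suffix = split_sha1(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)
```

Pass `fetch_range_live` as the second argument to query the real service; a non-zero result means that exact password is already in attackers' wordlists and should be retired everywhere it was used.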
✉️ One Password, One Email: The Extra Layer Most People Miss
Let’s say you’ve nailed the basics:
Strong, unique passwords.
Two-factor authentication (authentication app preferred).
A solid password manager.
That’s a great start. But there’s one more move 95%+ of people overlook:
👉 Use unique email addresses for your accounts.
Here’s why it matters:
When hackers target your accounts, they don’t just “guess” your password; they try your email (or username) + password combo as a pair.
And because most people reuse the same email across dozens (or hundreds) of accounts, attackers only need to get that pair right once.
But if each account has a different email alias, suddenly their job gets way harder. Even if one account gets compromised, the damage stops there.
Regular readers know that disposable email addresses are a passion of ours. We have a whole series on the topic. See these posts to get started if you’re new to the tech.
Credential stuffing is the real enemy
Here’s what most people don’t understand: hackers aren’t actually guessing your password. They’re recycling it.
This tactic is called credential stuffing, and it’s incredibly effective. Hackers take databases of leaked passwords from one breach (say, LinkedIn), then try logging into other sites using the same credentials.
If you’ve ever reused a password (even once) you’re vulnerable.
Credential stuffing is why even strong passwords can’t protect you if you reuse them. It’s not about brute force, it’s about scale. Bots can test thousands of login combinations a second.
That’s why password reuse is one of the biggest security holes most people overlook. Even recycled “complex” passwords are a vulnerability. And it’s what leads directly to one of the most frustrating and devastating attacks we’re seeing more often.
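What the defending site sees, as an added example that is not from the original post: the fingerprint of credential stuffing in an authentication log is one source spraying many different accounts with mostly failures, which is why a per-account lockout alone never catches it. The log lines, IP addresses and thresholds below are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed auth-log excerpt: 198.51.100.4 is one person fumbling their own
# password; 203.0.113.7 replays leaked email+password pairs and one pair works.
SAMPLE_LOG = """\
2024-05-02T10:00:01Z ip=198.51.100.4 user=alice@example.com result=FAIL
2024-05-02T10:00:09Z ip=198.51.100.4 user=alice@example.com result=FAIL
2024-05-02T10:00:20Z ip=198.51.100.4 user=alice@example.com result=OK
2024-05-02T10:01:00Z ip=203.0.113.7 user=bob@example.com result=FAIL
2024-05-02T10:01:01Z ip=203.0.113.7 user=carol@example.com result=FAIL
2024-05-02T10:01:01Z ip=203.0.113.7 user=dave@example.com result=FAIL
2024-05-02T10:01:02Z ip=203.0.113.7 user=erin@example.com result=OK
2024-05-02T10:01:02Z ip=203.0.113.7 user=frank@example.com result=FAIL
2024-05-02T10:01:03Z ip=203.0.113.7 user=grace@example.com result=FAIL
"""
LINE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")

def parse_log(text: str):
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
            yield ts, m["ip"], m["user"], m["result"]

def find_stuffing_sources(text: str, window=timedelta(minutes=5),
                          min_attempts=5, min_users=4, min_fail_ratio=0.6) -> dict:
    """Flag source IPs that, within `window`, hit many distinct accounts with a high
    failure rate. Brute force hammers one account; stuffing sprays many. Any success
    inside a flagged burst is an account whose reused password just worked."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in parse_log(text):
        by_ip[ip].append((ts, user, result))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding window over time-ordered events
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            users = {u for _, u, _ in win}
            fails = sum(1 for _, _, r in win if r == "FAIL")
            if (len(win) >= min_attempts and len(users) >= min_users
                    and fails / len(win) >= min_fail_ratio
                    and len(win) > flagged.get(ip, {}).get("attempts", 0)):
                flagged[ip] = {"attempts": len(win), "distinct_users": len(users), "failures": fails,
                               "compromised": sorted(u for _, u, r in win if r == "OK")}
    return flagged
```

The `compromised` list is the actionable output: those are the accounts to force a password reset on, regardless of how strong the password looked.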
Social media hijackings are the new identity theft
You might not care much about your old Tumblr account, or the Spotify login you share with your roommate. But hackers do.
They know that once they’re in, they can do real damage:
Lock you out of your own Instagram or Facebook
Impersonate you to scam your followers
Run ads using your payment info
Demand ransom for your account back
And here’s the worst part: Recovering a hijacked social media account is often a nightmare.
Platforms like Meta and X (Twitter) are notoriously slow to respond. In many cases, victims never get access back.
Hackers aren’t just breaking into accounts for fun. They’re using them to run scams, steal money, and sell access. And if your account has a large following, it’s a high-value target.
What makes you vulnerable?
Reused passwords
Weak or missing 2FA
Phishing attacks via DMs or email
Malware
If you think it won’t happen to you, remember this: It’s already happening to people just like you every day.
🔥 Real Harm Happens All the Time
This isn’t fear-mongering or some edge case scenario. Real harm from poor password practices happens every day. Here are some recent examples:
🔹 23andMe Data Breach (2023)
In October 2023, genetic testing company 23andMe suffered a significant data breach due to a credential stuffing attack. Attackers used reused credentials from other breaches to access approximately 14,000 user accounts. Due to the interconnected nature of 23andMe's DNA Relatives and Family Tree features, the breach reached far beyond those accounts, exposing sensitive personal and genetic data of approximately 5.5 million users and 1.4 million additional profiles.
🔹 Roku Credential Stuffing Attacks (2024)
In April 2024, streaming service Roku disclosed that 576,000 accounts were compromised in credential stuffing attacks. Attackers used login information stolen from other online platforms to breach active Roku accounts, leading to unauthorized purchases and access to personal information.
🔹 Hot Topic Data Breach (2024)
American retailer Hot Topic reported in March 2024 that two waves of credential stuffing attacks in November 2023 exposed affected customers’ personal information and partial payment data. The attacks highlighted the vulnerabilities in retail systems to credential reuse and inadequate password protections.
🔹 Meta Account Hijackings (2023)
In 2023, a coalition of 40 U.S. state attorneys general urged Meta Platforms to address the increasing issue of account hijackings on Facebook and Instagram. New York experienced a 1,000% increase in complaints since 2019, with significant surges in other states as well. Scammers gained control of accounts, changed passwords, and exploited contacts for scams, causing emotional and financial distress to users.
Bonus: read about a friend of ours who had his Facebook account hijacked:
Become “unhackable” with hardware security keys
Here’s where you can level up.
If you’re ready to go from decent security to near bulletproof, invest in a hardware security key.
Think of it like a physical key for your digital life.
Devices like YubiKey plug into your computer or phone and act as your second factor. No one can log in without the physical key in hand.
Even if a hacker steals your password, even if they try to reset your account, without that hardware key, they’re locked out.
For high-value accounts (email, banking, social media, crypto, admin logins), hardware keys are the gold standard.
They’re also phishing-resistant, which means even if you accidentally click a fake login page, your key won’t let you log in to the wrong site.
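A toy model of why the key refuses the fake page, added here as an example and not part of the original post or any vendor's code: the browser hands the key the domain it is actually on, the key only holds a credential for the real domain, and the site checks that the signed data names its own origin and its own fresh challenge. HMAC stands in for the real public-key signature, and every domain and name is made up.

```python
import hashlib
import hmac
import os

# Toy model of the origin binding behind FIDO2/WebAuthn security keys. HMAC with a
# per-site secret stands in for the key pair a real authenticator uses (simplifying
# assumption; a real key signs with a private key that never leaves the device).

def rp_id_hash(rp_id: str) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest()

class ToyHardwareKey:
    def __init__(self):
        self._creds = {}  # site domain (rp_id) -> credential secret made at registration
    def register(self, rp_id: str) -> bytes:
        self._creds[rp_id] = os.urandom(32)
        return self._creds[rp_id]  # toy stand-in for the public key the site keeps
    def get_assertion(self, rp_id: str, origin: str, challenge: bytes):
        # rp_id/origin come from the browser's view of the page URL, never from the
        # page itself, so a look-alike domain finds no credential and the key refuses.
        secret = self._creds.get(rp_id)
        if secret is None:
            return None
        auth_data = rp_id_hash(rp_id)
        client_data = origin.encode() + b"|" + challenge
        return auth_data, client_data, hmac.new(secret, auth_data + client_data, hashlib.sha256).digest()

class ToySite:
    def __init__(self, domain: str):
        self.rp_id, self.origin, self._creds = domain, "https://" + domain, {}
    def register(self, user: str, key: ToyHardwareKey) -> None:
        self._creds[user] = key.register(self.rp_id)
    def verify(self, user: str, challenge: bytes, response) -> bool:
        if response is None or user not in self._creds:
            return False
        auth_data, client_data, sig = response
        origin, _, echoed = client_data.partition(b"|")
        # The signed rpIdHash and origin must be this site's own, and the challenge
        # must be the fresh one it issued (so a captured response cannot be replayed).
        if auth_data != rp_id_hash(self.rp_id) or origin != self.origin.encode() or echoed != challenge:
            return False
        expected = hmac.new(self._creds[user], auth_data + client_data, hashlib.sha256).digest()
        return hmac.compare_digest(sig, expected)

def attempt_login(site: ToySite, page_domain: str, user: str, key: ToyHardwareKey) -> bool:
    # The browser is on page_domain; the challenge is the real site's, possibly relayed
    # by a phishing page. The key only ever sees the domain the browser is really on.
    challenge = os.urandom(16)
    response = key.get_assertion(page_domain, "https://" + page_domain, challenge)
    return site.verify(user, challenge, response)
```

Contrast this with a one-time code, which the user can be talked into typing into any page; the key never produces anything usable for a domain it was not registered on.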
That’s next-level protection. Read more on hardware security keys here:
A New Way to Think About Passwords
Here’s the truth: Every login you create is a door. And whether it stays locked or wide open is up to you. What’s at stake is critical:
Your financial records.
Your private conversations.
Your business data.
Your family photos.
Your online identity.
Your reputation.
Most people treat cybersecurity like a chore. But if you’ve gotten this far, you’re built differently. You're starting to see it for what it really is:
A skill. A responsibility. A way to differentiate yourself from the pack.
Because while everyone else is still thinking “just don’t use ‘123456’,” you’re five steps ahead, making yourself a harder target. You’re locking down your key accounts strategically, smartly, and with the right tools.
Final checklist for World Password Day
Here’s your action list. Set a ~15-minute timer this week and start knocking these out:
Share this post or at least this graphic with your network. They’ll thank you for it and you’ll look super smart. 🧠
Got something to add? A question? Drop a comment to keep the conversation going.
💥 P.S. If you found this post helpful, please restack it and share it with your friends, family and audience.
This helps spread the words and keeps us writing content that will help you bolster your privacy and become a harder target.
Looking for help with a privacy issue or privacy concern? Chances are we’ve covered it already or will soon. Follow us on X and LinkedIn for updates on this topic and other internet privacy related topics. We’re also now on Rumble and YouTube. Subscribe today to be notified when videos are published.
Disclaimer: None of the above is to be deemed legal advice of any kind. These are *opinions* written by a privacy attorney with 15+ years of working for, with and against Big Tech and Big Data. And this post is for informational purposes only and is not intended for use in furtherance of any unlawful activity.