Password advice used to sound like a punishment: add a capital letter, throw in a symbol, change it every 90 days, and somehow remember all of it. These days, the better advice is a lot simpler. Make your passwords long. Make them unique. And stop trying to win with little tricks like swapping “a” for “@” and calling it good. NIST’s current guidance emphasizes length and recommends at least 15 characters for single-factor logins. That is why passphrases work so well for everyday people. A few unrelated words are usually easier to remember and much harder to crack than a short “complex” password.
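To make the length-over-tricks point concrete, here is an added example (not code from the original post) that builds a passphrase from randomly chosen words using Python's `secrets` module and compares its guessing space with that of a short character password. The word list below is a small constructed stand-in; a real generator would draw from a published list of several thousand words.

```python
import math
import secrets

# Constructed stand-in word list (32 entries -> 5 bits per word). A real
# generator uses a list of thousands of words so each word adds more entropy.
WORDLIST = [
    "anchor", "basket", "cactus", "dolphin", "engine", "falcon", "garden",
    "hammer", "island", "jacket", "kettle", "lantern", "marble", "needle",
    "orbit", "pepper", "quartz", "ribbon", "saddle", "timber", "umbrella",
    "velvet", "walnut", "yogurt", "zephyr", "meadow", "copper", "pillow",
    "rocket", "glacier", "harvest", "ladder",
]

MIN_LENGTH = 15  # NIST's recommended floor for single-factor logins


def generate_passphrase(words: int = 4, wordlist=WORDLIST, sep: str = "-") -> str:
    """Join `words` dictionary entries picked with a CSPRNG (secrets, not random)."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def passphrase_entropy_bits(words: int, wordlist_size: int) -> float:
    """Entropy of a passphrase of uniformly chosen words: words * log2(list size)."""
    return words * math.log2(wordlist_size)


def char_password_entropy_bits(length: int, alphabet_size: int = 95) -> float:
    """Entropy of a uniformly random string over `alphabet_size` symbols
    (95 = printable ASCII). This is the best case; a human-chosen string such
    as 'P@ssw0rd!' has far less, because cracking tools try those
    substitutions first."""
    return length * math.log2(alphabet_size)


def meets_length_floor(secret: str, minimum: int = MIN_LENGTH) -> bool:
    """Length check: the one composition rule worth enforcing."""
    return len(secret) >= minimum


if __name__ == "__main__":
    phrase = generate_passphrase(words=4)
    print(phrase, "| length ok:", meets_length_floor(phrase))
    # A 7776-word list is the classic five-dice size; 4 words is about 52 bits,
    # roughly equal to 8 truly random printable characters, but far easier
    # to remember, and every extra word adds another ~13 bits.
    print("4 words, 7776-word list:", round(passphrase_entropy_bits(4, 7776), 1), "bits")
    print("8 random printable chars:", round(char_password_entropy_bits(8), 1), "bits")
    print("'Summer2025!' meets floor:", meets_length_floor("Summer2025!"))
```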
The Common Mistake
The biggest mistake I still see is reuse. One decent password copied across 10 sites is still a bad setup. If one small shopping site or old forum gets breached, attackers will try that same email-and-password combo everywhere else. NIST specifically recommends unique passwords for all accounts, and both NIST and OWASP recommend password managers as the practical way to make that happen. A password manager can generate long random passwords and remember them for you, which is a lot better than trying to keep a mental list of 80 logins.
Password Managers
If you use a password manager (and you really should), the one password that really matters is the master password. Make that one a long passphrase you can remember without much effort, but nobody else could guess. Think less “DallasCowboys2026!” and more a string of random words you would not normally put together. NIST’s guidance for users says a long passphrase is a good fit for a password manager master password, and that advice tracks with real life. You want something memorable, not something built from your birthday, your pet’s name, or a favorite sports team that half your Facebook friends already know.
Multi-factor Authentication
Also, turn on multi-factor authentication anywhere it is offered, especially for email, banking, shopping, and social media. Passwords still matter, but they should not be carrying the whole load by themselves. OWASP says MFA is one of the best defenses against common password attacks like credential stuffing and password spraying. Their guidance even cites Microsoft’s analysis that MFA would have stopped 99.9% of account compromises. That is a pretty strong argument for spending the extra 10 seconds on setup.
One Last Thing
You probably do not need to change passwords just because the calendar says so. Modern guidance from OWASP, aligned with NIST, says not to force arbitrary periodic password changes. Change a password when there is a reason: a breach notice, a suspicious login alert, malware on your device, or the realization that you reused it somewhere else. Otherwise, people tend to make lazy updates like changing “Summer2025!” to “Fall2025!”, which feels different but is still predictable.
The Nitty-Gritty
So, the plain-English version is this: use a password manager, let it create unique passwords for every site, make your master password a long passphrase, and add MFA wherever you can. It is not flashy advice, but honestly, it is the stuff that saves people the most trouble later.