Your Quick Password Security Checklist for 2026
I have a confession: three years ago, I used the same password for my email, my bank, and a pizza delivery app. The pizza app got breached. You can guess what happened next.
Password security advice gets repeated so often it becomes white noise. So instead of another lecture, here is an actual working checklist — the kind you can print, pin to your monitor, and tick off one item at a time. No fluff, no scare tactics, just things that genuinely move the needle in 2026.
Part 1: Generation — Making Passwords That Can't Be Guessed
☐ Use a password generator, not your brain
Human beings are terrible at randomness. We gravitate toward words, dates, names of pets, and patterns on the keyboard (looking at you, Qwerty123!). A proper password generator has no nostalgia, no patterns, no clever tricks — just entropy.
Good options in 2026: Bitwarden's built-in generator, 1Password's generator, or the open-source KeePassXC if you prefer everything local. Even the generator at random.org beats anything your brain produces.
☐ Aim for at least 16 characters — preferably 20+
Length beats complexity every single time. A 20-character random string takes orders of magnitude longer to crack than an 8-character "complex" password with symbols. Set your generator minimum to 16 characters and never look back. For anything sensitive — email, banking, your password manager itself — push to 20 or higher.
☐ Use passphrases for things you must type manually
There are a handful of passwords you'll actually need to type: your computer login, your password manager's master password, maybe a work VPN. For those, a passphrase is more practical. Four or five random words strung together — something like marble-tunnel-frost-decal — is both memorable and genuinely strong. Avoid phrases from songs, quotes, or anything meaningful to you personally.
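To make the "length beats complexity" and passphrase points concrete, here is a small generator that draws from the OS's cryptographic random source and reports the entropy of each scenario the checklist contrasts. This is an added example, not code from the original post or from any of the managers named above; the symbol set, the sixteen-word stand-in list (a real Diceware or EFF list has 7776 words) and the 1e11 guesses-per-second figure are assumptions made here for illustration.

```python
import math
import secrets
import string

# Character pool for generated passwords. The symbol set is an assumption of
# this example; trim it to whatever the target site accepts.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+?"

# Constructed stand-in for a real word list (the EFF long list has 7776 words);
# it exists only so this example runs offline with no files.
WORDS = [
    "marble", "tunnel", "frost", "decal", "quartz", "ember", "lantern", "orbit",
    "saddle", "velvet", "cinder", "harbor", "meadow", "pixel", "summit", "walnut",
]
EFF_LIST_SIZE = 7776
PRINTABLE_ASCII = 95  # letters, digits, symbols and space on a US keyboard

def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Uniformly random password from the OS CSPRNG (secrets, never random)."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))

def generate_passphrase(words: int = 5, wordlist=WORDS, sep: str = "-") -> str:
    """Random passphrase: each word drawn independently and uniformly, with replacement."""
    if words < 1:
        raise ValueError("need at least one word")
    return sep.join(secrets.choice(wordlist) for _ in range(words))

def entropy_bits(length: int, pool_size: int) -> float:
    """Entropy of a uniformly random secret of `length` symbols from a pool of `pool_size`."""
    return length * math.log2(pool_size)

def years_to_crack(bits: float, guesses_per_second: float = 1e11) -> float:
    """Expected years to hit the secret at a given guess rate (half the keyspace on
    average). 1e11 guesses/s is an assumed round figure for a fast unsalted hash on
    a GPU rig, used only to put the bit counts on a human scale."""
    expected_guesses = 2 ** (bits - 1)
    return expected_guesses / guesses_per_second / (365.25 * 24 * 3600)

def compare_scenarios() -> dict:
    """Bits of entropy for the cases the checklist contrasts, rounded to 0.1 bit."""
    return {
        "8 random printable chars": round(entropy_bits(8, PRINTABLE_ASCII), 1),
        "16 random printable chars": round(entropy_bits(16, PRINTABLE_ASCII), 1),
        "20 random printable chars": round(entropy_bits(20, PRINTABLE_ASCII), 1),
        "4 words from the EFF list": round(entropy_bits(4, EFF_LIST_SIZE), 1),
        "5 words from the EFF list": round(entropy_bits(5, EFF_LIST_SIZE), 1),
        "20 chars from ALPHABET above": round(entropy_bits(20, len(ALPHABET)), 1),
    }

if __name__ == "__main__":
    print("password  :", generate_password(20))
    print("passphrase:", generate_passphrase(5))
    for label, bits in compare_scenarios().items():
        print(f"{label:30s} {bits:6.1f} bits  ~{years_to_crack(bits):.3g} years")
```

The entropy figures only hold when every symbol or word is chosen independently and uniformly, which is exactly what a human picking "meaningful" words or a keyboard walk fails to do; that is why the arithmetic is meaningless for a password you made up yourself.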
☐ Never reuse a password — not even a "base + variation" trick
Adding !1 to the end of your favourite password for each new site doesn't fool anyone — especially not automated credential-stuffing tools, which know every variation trick. Every account gets a unique, generated password. That's the whole point of a password manager.
Part 2: Storage — Where Your Passwords Actually Live
☐ Pick exactly one password manager and commit to it
The password manager market has matured. In 2026, there's genuinely no excuse for storing passwords in a browser notes folder or a sticky-notes app. The main contenders: Bitwarden (open-source, free tier is excellent), 1Password (polished, great for families/teams), and Proton Pass if you're already in the Proton ecosystem. Pick one. Use it everywhere.
☐ Protect your password manager with a strong master password + TOTP
The master password to your vault is the most important credential you own. It should be a passphrase you've memorised — 5-6 random words, never written down digitally anywhere, never shared. Then layer a TOTP authenticator on top (more on that below). If someone gets your master password but not your TOTP, they still can't get in.
☐ Enable vault sync but also keep an encrypted export
Cloud sync means your passwords are available everywhere, which is great until the service goes down or you lose access to your account. Export your vault quarterly, encrypt the file with a tool like VeraCrypt or 7-Zip AES-256, and store it somewhere offline — a USB drive in a drawer is fine. Not glamorous, but you'll be grateful if something goes wrong.
☐ Audit saved passwords for duplicates and weak entries
Every major password manager has a built-in audit or "Watchtower" feature. Open it, look at the list of reused or weak passwords, and replace the worst offenders first — email accounts, banking, anything with a saved payment method. You don't have to fix everything in one sitting. Set aside 20 minutes a week until you're clean.
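As an added illustration of what an audit like this does under the hood (example code written for this checklist, not the audit feature of Bitwarden, 1Password or any other manager), here is a small vault check that finds exact reuse, the "base + variation" trick from Part 1, short entries and entries matching a breached-password list, then orders the clean-up with high-value accounts first. The vault rows, the breached set and the "high-value" site classification are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample vault export. Every value here is invented for the example.
VAULT = [
    {"site": "mail.example",  "user": "sam", "password": "Tr0ub4dor&3"},
    {"site": "bank.example",  "user": "sam", "password": "Tr0ub4dor&3!1"},
    {"site": "pizza.example", "user": "sam", "password": "Tr0ub4dor&3"},
    {"site": "forum.example", "user": "sam", "password": "summer2024"},
    {"site": "vpn.example",   "user": "sam", "password": "x9#Qm2!vLp8@Wz4$Rt7&"},
]
# Tiny constructed stand-in for a breached-password corpus.
BREACHED = {"summer2024", "password", "123456"}
# Sites the checklist says to fix first (assumed classification).
HIGH_VALUE = {"mail.example", "bank.example"}
MIN_LENGTH = 16

def base_form(password: str) -> str:
    """Collapse 'Secret!1', 'Secret!2' and 'SECRET2025' onto one base by dropping
    the trailing run of digits/symbols and the case."""
    return re.sub(r"[\d\W_]+$", "", password).lower()

def audit(entries):
    """Return (issue, [sites]) findings: exact reuse, shared base, short, breached."""
    findings = []
    by_exact, by_base = defaultdict(list), defaultdict(list)
    for e in entries:
        by_exact[e["password"]].append(e["site"])
        by_base[base_form(e["password"])].append(e["site"])
    for pw, sites in by_exact.items():
        if len(sites) > 1:
            findings.append(("reused", sorted(sites)))
    for base, sites in by_base.items():
        # Only report a base when it is shared by more than one distinct password;
        # otherwise the exact-reuse finding above already covers it.
        variants = {e["password"] for e in entries if base_form(e["password"]) == base}
        if base and len(sites) > 1 and len(variants) > 1:
            findings.append(("variant-of-same-base", sorted(sites)))
    for e in entries:
        if len(e["password"]) < MIN_LENGTH:
            findings.append(("short", [e["site"]]))
        if e["password"] in BREACHED:
            findings.append(("breached", [e["site"]]))
    return findings

def worst_first(entries):
    """Sites to fix in order: high-value accounts first, then by number of issues."""
    issues = defaultdict(int)
    for _, sites in audit(entries):
        for s in sites:
            issues[s] += 1
    return sorted(issues, key=lambda s: (s not in HIGH_VALUE, -issues[s], s))

if __name__ == "__main__":
    for issue, sites in audit(VAULT):
        print(f"{issue:22s} {', '.join(sites)}")
    print("fix in this order:", worst_first(VAULT))
```

A real manager compares against a far larger breach corpus (usually via a k-anonymity lookup rather than a local set) and uses a proper strength estimator instead of a length cut-off, but the shape of the report, and why a trailing "!1" does not make a password unique, is the same.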
Part 3: MFA — The Safety Net When Passwords Fail
☐ Enable MFA on every account that offers it
Multi-factor authentication is the single most effective security upgrade you can make right now. Even a weak password becomes dramatically harder to abuse if an attacker also needs a rotating code from your phone. Go through your accounts — email, cloud storage, banking, social media, work tools — and turn MFA on wherever the option exists.
☐ Use an authenticator app, not SMS, wherever possible
SMS-based 2FA is better than nothing but it's vulnerable to SIM-swapping attacks, which are annoyingly common. Authenticator apps like Aegis (Android, open-source), Raivo (iOS), or Authy store TOTP codes locally and don't depend on your phone number. Migrate SMS accounts to TOTP wherever the site allows it.
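To show what the "rotating code" actually is, and why an app can compute it offline with no phone number involved, here is a minimal implementation of the standard those apps follow (RFC 4226 HOTP and RFC 6238 TOTP), with the server-side verification step alongside. This is an added example for this checklist, not code from Aegis, Raivo, Authy or the original post; the enrolment secret and backup-code format are produced by the example itself and are assumptions about what a site would hand you.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

def new_secret(nbytes: int = 20) -> str:
    """Fresh shared secret, base32-encoded the way enrolment QR codes carry it."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")

def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC(key, 8-byte big-endian counter), dynamic truncation, mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(key: bytes, at: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(key, at // step, digits, algo)

def current_code(secret_b32: str, at=None) -> str:
    """What an authenticator app displays for a base32 secret at time `at` (default: now)."""
    key = base64.b32decode(secret_b32.replace(" ", ""), casefold=True)
    return totp(key, int(time.time()) if at is None else at)

def verify(key: bytes, submitted: str, at: int, window: int = 1,
           step: int = 30, digits: int = 6) -> bool:
    """Server side: accept the current step and +/- `window` steps of clock drift,
    comparing in constant time. Real servers also record the accepted step so the
    same code cannot be submitted twice within its window."""
    if len(submitted) != digits or not submitted.isdigit():
        return False
    for drift in range(-window, window + 1):
        expected = hotp(key, at // step + drift, digits)
        if hmac.compare_digest(expected, submitted):
            return True
    return False

def backup_codes(n: int = 10) -> list:
    """One-time recovery codes of the kind sites hand out at enrolment (format assumed)."""
    return [f"{secrets.token_hex(2)}-{secrets.token_hex(2)}" for _ in range(n)]

if __name__ == "__main__":
    s = new_secret()
    print("secret:", s, " code now:", current_code(s))
    print("backup codes:", backup_codes())
```

Two things follow directly from the code: the secret never leaves the device after enrolment (only a six-digit function of it does, and it expires in 30 seconds), and the whole scheme depends on the secret being stored safely, which is why the checklist wants it in an app that keeps it encrypted locally rather than in a text message a carrier can redirect.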
☐ Store backup codes somewhere safe
When you enable TOTP on an account, you'll be given a set of one-time backup codes. Don't skip this step and don't save them in a notes app. Print them or add them as a secure note inside your password manager alongside the account entry. You'll need them the day you lose your phone — and that day will come.
☐ Consider a hardware security key for high-value accounts
For your primary email, your password manager, and any account with financial access, a physical hardware key (like a YubiKey 5 or a Google Titan) adds another layer that is essentially unphishable. These are no longer niche security-researcher tools — they're consumer products, cost around $50, and are worth it if you're protecting anything important.
Part 4: Breach Monitoring — Knowing Before Damage Is Done
☐ Check Have I Been Pwned right now
Go to haveibeenpwned.com and enter your email addresses — all of them. The site cross-references your email against hundreds of known data breach dumps. If you see hits, change the affected account's password immediately and check whether the breached data included your password (even if it was hashed, change it).
☐ Set up automatic breach alerts
HIBP has a free notification service: you enter your email and get alerted whenever it shows up in a new breach. Take five minutes to sign up. Similarly, Firefox Monitor, Google's Password Checkup, and most password managers now monitor breaches automatically in the background and surface alerts in-app. Make sure these notifications are turned on and that you're actually reading them.
☐ Use the password strength checker built into your manager
Standalone password strength meters (the little green bar on a signup form) are mostly theatre — they measure pattern complexity, not real-world crackability. Your password manager's strength report is more meaningful because it considers whether a password has appeared in breach databases, not just whether it has a capital letter and a number.
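Here is how a manager can tell whether a password has appeared in a breach without ever sending the password anywhere: the Pwned Passwords "range" API takes only the first five hex characters of the password's SHA-1 and returns every known suffix under that prefix for you to match locally. The code below is an added example written for this checklist, not the original post's or any manager's code; the network call is real but the sample response embedded for the offline run is constructed (only the suffix for the word "password" is its genuine SHA-1 suffix, the counts and other suffixes are invented).

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"

def sha1_prefix_suffix(password: str):
    """Upper-case hex SHA-1 split into the 5-char prefix that leaves your machine
    and the 35-char suffix that never does."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range(body: str) -> dict:
    """Parse the 'SUFFIX:COUNT' lines of a range response into {suffix: count}.
    With padding enabled the service mixes in fake suffixes with count 0."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts

def breach_count_from_body(password: str, range_body: str) -> int:
    """Offline half of the check: `range_body` must be the response for the
    password's own 5-char prefix. Returns how often the password was seen, 0 if never."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range(range_body).get(suffix, 0)

def fetch_range(prefix: str) -> str:
    """Network half: asks for every suffix under the prefix, so the server learns
    only a prefix shared by hundreds of other hashes. Not exercised offline."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "password-checklist-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def breach_count(password: str) -> int:
    """Full check: fetch the password's range, then match the suffix locally."""
    prefix, _ = sha1_prefix_suffix(password)
    return breach_count_from_body(password, fetch_range(prefix))

# Constructed excerpt of a range response for prefix 5BAA6. The suffix with the
# large count is the real SHA-1 suffix of "password"; the counts and the other
# suffixes are invented so the example runs offline.
SAMPLE_RANGE_5BAA6 = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E2D5B5D2F7ABA02E8DEF3C68DFDB3A8DE1:0
1E4C9B93F3F0682250B6CF8331B7EE68FD8:10000000
1E7C2DA2FF47D6D5E2E7B06C1C6C4F8E1AB:5
"""

if __name__ == "__main__":
    pw = "password"
    prefix, _ = sha1_prefix_suffix(pw)
    print(f"prefix sent: {prefix}; seen {breach_count_from_body(pw, SAMPLE_RANGE_5BAA6)} times")
```

This is the difference between a strength meter and a breach-aware report: a meter would score a long, mixed-case, symbol-laden string highly even if that exact string sits in a million-entry leak, while the range lookup answers the question that matters, whether attackers already have it on a list.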
☐ Watch for credential stuffing signs on your accounts
Login notifications from unusual locations, password reset emails you didn't request, or sessions you don't recognise in your account history — these are signs someone has your credentials and is trying to use them. If you see any of these, treat it as an active incident: change the password, sign out all other sessions, rotate any API keys, check for unauthorised changes (forwarding rules, recovery addresses, linked apps), and verify that the only MFA methods registered on the account are your own devices.
Part 5: Habits — The Stuff That Actually Sticks
☐ Run a security review every quarter
Schedule it. First day of the new quarter, spend 30 minutes: check the password manager audit report, look at breach notifications, rotate any passwords flagged as old or weak, review which apps have access to your Google/Apple account, and verify your recovery email and phone number are current. Quarterly is often enough; never is not.
☐ Never use "Sign in with Google/Apple" for anything critical
SSO shortcuts are convenient but they concentrate risk. If your Google account is compromised, every service you've SSO'd into is compromised too. Use SSO for throwaway signups, not for services where you store real data or payment info.
☐ When a service is breached, don't wait for them to tell you
Companies underreport and under-notify. By the time you receive a "we've detected unusual activity" email, your credentials may have been circulating for months. Set a habit: if you hear about a breach at a service you use, proactively change your password that same day — don't wait for an official prompt.
The Short Version
If you're overwhelmed by the list, here's the minimum viable version: install a password manager, let it generate a unique password for every new account, turn on TOTP MFA for your email and your password manager, and check HIBP once. Do just those four things and you're already ahead of most people.
The rest of the checklist is for raising the ceiling. Work through it at your own pace, one item per session. Security isn't a single afternoon project — it's a series of small decisions that compound over time. Start today, even if you only tick one box.