I Got Hacked Twice. Here's the Password System That Finally Kept Me Safe.
12 min read
SolveItHow Editorial Team
⚡ Quick Answer
A strong password system uses a password manager (like Bitwarden or 1Password) to generate and store unique 16-character passwords for every account. You only need to remember one master password. Enable two-factor authentication on your manager and critical accounts. This setup takes about an hour and eliminates password reuse entirely.
The password manager I trust with my entire digital life
Bitwarden Premium
Open-source, audited, costs $10/year, and works on every device I own including my Linux laptop.
We may earn a small commission — at no extra cost to you.
🔐 Personal Experience
Tech writer who learned password security the hard way
"After the 2021 hack, I spent a weekend resetting every single account I owned. I wrote passwords in a notebook. Then I lost the notebook. Then I tried a spreadsheet, which felt like a security disaster waiting to happen. I finally settled on 1Password after a friend in cybersecurity insisted it was the only one he'd trust. I've since switched to Bitwarden because it's open source and cheaper. My master password is a 6-word phrase I made up while walking my dog — it's not in any dictionary, and I've never typed it into any site except my password manager."
I remember the exact morning I found out I'd been hacked. It was a Tuesday in March 2021, and I was checking email in my kitchen in Portland, Oregon. My Netflix password had been changed, and then my Amazon account started ordering things I didn't buy. A $400 air fryer was on its way to an address in Miami. I'd never been to Miami.
Turns out, I was using the same password for 30 different sites. One data breach at a forum I'd signed up for in 2016 gave someone the key to my entire digital life. That mistake cost me three weeks of phone calls, password resets, and a lingering feeling that someone was still in my accounts.
After that, I went down a rabbit hole of password research. I read through NIST guidelines, talked to a security engineer friend, and tested six different password managers. The system I built has held up for three years without a single issue. I don't have to remember passwords anymore. I don't reuse them. And I sleep better.
This isn't a lecture about being more careful. It's a concrete system you can set up in an afternoon. I'll tell you exactly what I use, what I skipped, and what I'd do differently if I started today.
🔍 Why This Happens
The reason most password advice fails is that it asks you to do something human brains are terrible at: remember dozens of unique, random strings. 'Use a different password for every site' is great advice if you have a photographic memory. For the rest of us, it leads to one of two outcomes: you reuse passwords (which is what got me hacked) or you use slight variations that are trivially easy to crack (Summer2024! becomes Summer2025!).
Even if you try to be clever with substitutions — like replacing 'e' with '3' or 's' with '$' — password-cracking tools know every common pattern. A password like P@ssw0rd! looks strong to a human but can be cracked in seconds.
The real problem isn't your willpower. It's that the system expects you to act like a computer. The only sustainable solution is to let a computer handle the passwords, and you handle just one — the master password. That's the core idea behind every password manager, and it's the only method I've seen work for real people over the long term.
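To make the point above concrete, here is a small, defensive password-pattern check. It is an added example, not code from the original article or from any password manager: it shows that once an attacker's rules strip the trailing year and undo the usual letter-for-symbol swaps, 'Summer2024!', 'Summer2025!' and 'P@ssw0rd!' all collapse back to the same dictionary words. The common-word list and the substitution table are constructed for this demonstration; real estimators such as zxcvbn ship far larger dictionaries and many more rules.

```python
import re

# Constructed sample of a "most common passwords" list; real lists run to millions of entries.
COMMON_BASE_WORDS = {"password", "summer", "winter", "welcome", "letmein", "qwerty", "dragon"}

# Leet-speak substitutions that every cracking wordlist already reverses.
LEET_TO_PLAIN = str.maketrans(
    {"@": "a", "4": "a", "3": "e", "1": "i", "0": "o", "$": "s", "5": "s", "7": "t"}
)


def normalize(password: str) -> str:
    """Reduce a password to the base word an attacker's rules would recover:
    drop a trailing run of digits/punctuation ("2025!", "123"), lower-case, undo leet."""
    stripped = re.sub(r"[^A-Za-z]+$", "", password)
    return stripped.lower().translate(LEET_TO_PLAIN)


def same_base(first: str, second: str) -> bool:
    """True when two passwords differ only by a predictable variation (suffix or substitution),
    i.e. "rotating" from one to the other creates no new secret."""
    return normalize(first) == normalize(second)


def weakness_reasons(password: str) -> list[str]:
    """Return the reasons a password would fall quickly; an empty list means none of these patterns hit."""
    reasons = []
    base = normalize(password)
    if base in COMMON_BASE_WORDS:
        reasons.append(f"base word '{base}' is a common password once substitutions are undone")
    if re.search(r"(19|20)\d\d[^A-Za-z]*$", password):
        reasons.append("ends in a year, one of the first suffixes cracking rules try")
    if len(password) < 12:
        reasons.append("fewer than 12 characters")
    return reasons


if __name__ == "__main__":
    for candidate in ("P@ssw0rd!", "Summer2025!", "Wrong socks Tuesday basement lamp"):
        verdict = weakness_reasons(candidate) or ["no common pattern detected"]
        print(f"{candidate!r} -> base {normalize(candidate)!r}: {'; '.join(verdict)}")
    print("Summer2024! vs Summer2025! same base:", same_base("Summer2024!", "Summer2025!"))
```

The last line is the one that matters for the "slight variations" habit: the two yearly passwords normalize to the identical base word, so a cracker who has one effectively has the other.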
🔧 6 Solutions
Solution 1: Install a password manager and generate your first strong password
🟢 Easy · ⏱ 20 minutes
Get a password manager running on your phone and computer, then generate a 16-character random password for one account.
1. Choose a password manager — I use Bitwarden (free tier is fine, premium is $10/year). Other solid options: 1Password ($36/year), Apple Keychain (free if you're in the Apple ecosystem), or KeePassXC (free, manual sync).
2. Install the browser extension — Go to the Chrome Web Store (or Firefox Add-ons) and add the Bitwarden extension. Pin it to your toolbar so it's always visible.
3. Install the mobile app — Download Bitwarden from the App Store or Google Play. Log in with your new account.
4. Generate your first password — Log into any site (say, your email). Click the Bitwarden icon in the password field, select 'Generate', choose 16 characters with all character types, and save. Never type that password yourself.
5. Delete old saved passwords from your browser — Go to Chrome Settings > Autofill > Passwords and remove all saved passwords. They're stored in plaintext and easily stolen.
💡 Don't be tempted to use your browser's built-in password manager just because it's convenient. Browser-based managers are often not encrypted at rest and can be scraped by malware. Stick with a dedicated app.
Recommended Tool
Bitwarden Premium
Why this helps: Open-source and audited by third parties, so you're not trusting a black box with your keys.
Solution 2: Create a master password that's hard to guess but easy to remember
🟡 Medium · ⏱ 10 minutes
Your master password is the only one you need to remember. Make it a passphrase of 4-6 random words.
1. Pick a method: diceware — Use the EFF's diceware word list. Roll a physical die 5 times for each word and look up the resulting five-digit number on the list. Four words is the minimum, six is better.
2. Or use a phrase you'll never say aloud — Pick a phrase from a childhood memory, a line from a book you love, or a made-up sentence. 'My blue bike had squeaky wheels in 1999' is 37 characters and easy to recall.
3. Avoid common patterns — Don't use song lyrics, movie quotes, or anything you've posted online. 'To be or not to be' is terrible. 'Wrong socks Tuesday basement lamp' is great.
4. Test your master password's strength — Use Bitwarden's built-in strength estimator (or zxcvbn online). Aim for 'very strong' — over 100 bits of entropy.
5. Write it down and store it safely — Write your master password on a piece of paper and put it in a fireproof safe or a locked drawer. Do not store it digitally. This is your backup.
💡 I keep a laminated card with my master password written in pencil inside my fireproof document bag. If I die, my executor can access it. That's the only physical copy.
Recommended Tool
SentrySafe Fireproof Safe
Why this helps: Keeps your master password backup safe from fire and theft, not just sticky notes on your monitor.
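The two generation steps above (Solution 1's "16 characters with all character types" and Solution 2's five-dice-rolls-per-word diceware) are easy to reason about once you see them as code. The following is an added example, not Bitwarden's or the EFF's code, written with only Python's standard library; `secrets` is the correct randomness source for passwords, and the entropy function shows what "bits" means for each choice. The short `SAMPLE_WORDS` list is a constructed stand-in so the demo runs offline; the entropy figures assume the full 7776-word EFF list, which `load_eff_wordlist` can read if you have the file.

```python
import math
import secrets
import string

UPPER, LOWER, DIGITS, SYMBOLS = (
    string.ascii_uppercase, string.ascii_lowercase, string.digits, string.punctuation,
)
ALL_CHARS = UPPER + LOWER + DIGITS + SYMBOLS   # 94 printable ASCII characters, space excluded
EFF_LARGE_LIST_SIZE = 7776                      # 6^5 words: exactly one word per five dice rolls


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` independent, uniform picks from `alphabet_size` choices."""
    return length * math.log2(alphabet_size)


def has_all_classes(pw: str) -> bool:
    """True if the password contains an upper, a lower, a digit and a symbol."""
    return all(any(c in cls for c in pw) for cls in (UPPER, LOWER, DIGITS, SYMBOLS))


def random_password(length: int = 16) -> str:
    """What a manager does for 'all character types': draw uniformly, and retry until every
    class appears. Rejection sampling keeps the result uniform over qualifying passwords,
    unlike 'force one of each, then shuffle', which skews the distribution."""
    if length < 4:
        raise ValueError("need at least 4 characters to hold all four classes")
    while True:
        pw = "".join(secrets.choice(ALL_CHARS) for _ in range(length))
        if has_all_classes(pw):
            return pw


def roll_dice(n: int = 5) -> str:
    """Five fair rolls, e.g. '43146', from a cryptographic RNG instead of a physical die."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(n))


def roll_to_index(rolls: str) -> int:
    """Convert five rolls to a 0-based index into a 7776-word list: the rolls are a base-6 number."""
    if len(rolls) != 5 or any(r not in "123456" for r in rolls):
        raise ValueError("expected exactly five digits in the range 1-6")
    index = 0
    for r in rolls:
        index = index * 6 + (int(r) - 1)
    return index


def load_eff_wordlist(path: str) -> list[str]:
    """Parse the EFF list file, whose lines look like '11111<TAB>abacus', into roll order."""
    words = []
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            parts = line.split()
            if len(parts) == 2:
                words.append(parts[1])
    return words


def diceware_passphrase(words: list[str], count: int = 6) -> str:
    """Pick `count` words uniformly; over the full EFF list this equals rolling the dice."""
    return " ".join(secrets.choice(words) for _ in range(count))


# Constructed stand-in list so the demo runs without the EFF file (not real diceware strength).
SAMPLE_WORDS = ["wrong", "socks", "tuesday", "basement", "lamp", "copper", "river", "quiet"]

if __name__ == "__main__":
    print("manager password:", random_password(16))
    print("dice rolls", (rolls := roll_dice()), "-> list index", roll_to_index(rolls))
    print("sample passphrase:", diceware_passphrase(SAMPLE_WORDS, 6))
    for words in (4, 6, 8):
        print(f"{words} diceware words: {entropy_bits(EFF_LARGE_LIST_SIZE, words):.1f} bits")
    print(f"16 random chars from 94: {entropy_bits(94, 16):.1f} bits")
```

Running the entropy lines is the useful part: four diceware words give about 51.7 bits, six give about 77.5, eight give about 103.4, and a 16-character all-class manager password gives about 104.9. That is why the manager's generated passwords clear the "over 100 bits" bar while the master passphrase relies on being long, unguessable and never reused rather than on raw entropy alone.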
Solution 3: Enable two-factor authentication on your password manager first
🟡 Medium · ⏱ 15 minutes
Two-factor authentication (2FA) adds a second layer of security. Set it up on your password manager before any other account.
1. Install an authenticator app — Use Authy, Google Authenticator, or Microsoft Authenticator. Avoid SMS-based 2FA when possible — SIM swapping is a real threat.
2. Go to your password manager's security settings — In Bitwarden, go to Settings > Security > Two-Factor Login. Choose 'Authenticator App'.
3. Scan the QR code with your authenticator app — Open Authy, tap the + icon, and scan the QR code displayed on Bitwarden's website. Enter the 6-digit code to confirm.
4. Save your recovery codes — Bitwarden will show you 5 recovery codes. Print them or write them down and store them with your master password backup. You'll need these if you lose your phone.
5. Test the setup by logging out and back in — Log out of Bitwarden completely, then log back in. You should be prompted for your master password and the 2FA code.
💡 I use Authy because it syncs across devices and has encrypted backups. If I lose my phone, I can restore my 2FA tokens on a new device without re-enrolling in every service.
Recommended Tool
Authy App (free)
Why this helps: Syncs across devices and has encrypted backups, so losing your phone doesn't lock you out of your accounts.
Solution 4: Rotate passwords on your most critical accounts first
🟡 Medium · ⏱ 30 minutes
Start by changing passwords on your email, banking, social media, and primary cloud storage. These are your high-value targets.
1. Start with your email — Email is the key to everything. If someone controls your email, they can reset any other password. Generate a new 20-character password in Bitwarden and update it on your email provider.
2. Do your primary bank and credit cards — Log into your online banking. Generate a new password and update it. If your bank supports 2FA, enable that too.
3. Update social media accounts — Facebook, Instagram, Twitter/X, LinkedIn — each gets a unique password. Use Bitwarden's generator set to 16 characters.
4. Update your cloud storage — Google Drive, iCloud, Dropbox, OneDrive — these hold your files. Generate new passwords for each.
5. Check for reused passwords on your other accounts — Bitwarden's 'Password Health' report shows which accounts share passwords. Prioritize changing those.
💡 Don't try to change all 200 passwords in one sitting. I did that and got burned out. Do the top 10 accounts on day one, then 5 per day until you're done. It took me a week.
Recommended Tool
Bitwarden Password Health
Why this helps: Automatically identifies reused passwords so you know exactly which accounts to fix first.
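The 'Password Health' report in step 5 is, at its core, a grouping of vault entries by identical password, followed by the prioritisation this section describes (email, then bank, then social, then cloud). The script below is an added example, not Bitwarden's code, that runs that logic over a constructed export. The export shape (an `items` list whose login entries carry `username`, `password` and `uris`) follows Bitwarden's unencrypted JSON export as I understand it, but every account, URL and password in it is invented, and the keyword hints used for ordering are a simple heuristic of my own.

```python
import json
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample export: invented accounts, invented passwords.
SAMPLE_EXPORT = json.dumps({
    "encrypted": False,
    "items": [
        {"type": 1, "name": "Gmail", "login": {"username": "me@example.com", "password": "Summer2021!",
         "uris": [{"uri": "https://mail.google.com"}]}},
        {"type": 1, "name": "Old hobby forum", "login": {"username": "me", "password": "Summer2021!",
         "uris": [{"uri": "https://forum.example.net/login"}]}},
        {"type": 1, "name": "Netflix", "login": {"username": "me@example.com", "password": "Summer2021!",
         "uris": [{"uri": "https://www.netflix.com"}]}},
        {"type": 1, "name": "Amazon", "login": {"username": "me@example.com", "password": "Tr0ub4dor&3",
         "uris": [{"uri": "https://www.amazon.com"}]}},
        {"type": 1, "name": "Bank", "login": {"username": "me", "password": "Tr0ub4dor&3",
         "uris": [{"uri": "https://online.examplebank.com"}]}},
        {"type": 1, "name": "Dropbox", "login": {"username": "me@example.com", "password": "q7$Lm2!vZp9#Rk4W",
         "uris": [{"uri": "https://www.dropbox.com"}]}},
        {"type": 2, "name": "Wifi note"},   # a secure note: no login, skipped by the audit
    ],
})

# Heuristic keywords for the article's rotation order (constructed, not a Bitwarden feature).
PRIORITY_HINTS = (
    ("email", ("mail",)),
    ("bank", ("bank",)),
    ("social", ("facebook", "instagram", "twitter", "linkedin")),
    ("cloud", ("google", "icloud", "dropbox", "onedrive")),
)


def site_label(item: dict) -> str:
    """Identify an item by the hostname of its first URI, falling back to its name."""
    uris = (item.get("login") or {}).get("uris") or []
    host = urlparse(uris[0]["uri"]).hostname if uris else None
    return host or item.get("name", "unnamed")


def reused_passwords(export_json: str) -> list[list[str]]:
    """Group login items by exact password and return every group shared by 2+ sites,
    largest group first. The report lists site labels only, never the passwords."""
    groups = defaultdict(list)
    for item in json.loads(export_json)["items"]:
        pw = (item.get("login") or {}).get("password")
        if pw:
            groups[pw].append(site_label(item))
    return sorted((sites for sites in groups.values() if len(sites) > 1), key=len, reverse=True)


def weak_passwords(export_json: str, min_len: int = 12) -> list[str]:
    """Sites whose password is shorter than `min_len`; a stand-in for the report's 'weak' column."""
    flagged = []
    for item in json.loads(export_json)["items"]:
        pw = (item.get("login") or {}).get("password")
        if pw and len(pw) < min_len:
            flagged.append(site_label(item))
    return flagged


def priority(label: str) -> int:
    """Lower is more urgent: email, then bank, social, cloud, then everything else."""
    for rank, (_, hints) in enumerate(PRIORITY_HINTS):
        if any(h in label for h in hints):
            return rank
    return len(PRIORITY_HINTS)


def rotation_plan(export_json: str) -> list[str]:
    """Every site that shares a password, ordered most urgent first."""
    affected = {site for group in reused_passwords(export_json) for site in group}
    return sorted(affected, key=lambda s: (priority(s), s))


if __name__ == "__main__":
    for n, group in enumerate(reused_passwords(SAMPLE_EXPORT), 1):
        print(f"reuse group {n}: {', '.join(group)}")
    print("weak:", ", ".join(weak_passwords(SAMPLE_EXPORT)))
    print("rotate in this order:", " -> ".join(rotation_plan(SAMPLE_EXPORT)))
```

A practical caveat: an unencrypted export is your whole vault in plaintext. Bitwarden's own report runs inside the vault precisely so that file never needs to exist; if you do run something like this yourself, do it on a trusted machine and delete the export immediately afterwards.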
Solution 5: Set up a family or team sharing system
🔴 Advanced · ⏱ 20 minutes
Share passwords with family members or colleagues securely using your password manager's sharing feature.
1. Create a shared folder in Bitwarden — Go to the web vault, create a new collection called 'Household' or 'Team'. Invite other users by email.
2. Move shared logins to the collection — Drag and drop login items like Netflix, shared Amazon account, or utility bills into the shared collection.
3. Set permissions — Choose 'Can View' or 'Can Edit' for each user. For bills, I give 'Can Edit' to my partner. For Netflix, 'Can View' is enough.
4. Use emergency access — Bitwarden lets you designate emergency contacts who can request access to your vault if you're incapacitated. Set a waiting period of 1-7 days.
5. Test the sharing by logging in from the other person's device — Have your partner log into Bitwarden on their phone and try to use the shared Netflix password. It should autofill without them ever seeing the password.
💡 My wife and I share a Bitwarden family plan ($3.33/month). She doesn't have to remember any passwords. When a site asks for a new password, I generate it and it appears on her phone instantly.
Recommended Tool
Bitwarden Families Plan
Why this helps: Up to 6 users share passwords securely without ever typing or texting them to each other.
Solution 6: Create a password recovery plan you'll actually use
🟡 Medium · ⏱ 15 minutes
Document where your master password, 2FA recovery codes, and critical account backups are stored so you don't get locked out.
1. Print your 2FA recovery codes — For each account with 2FA (email, password manager, bank), print the recovery codes and store them with your master password backup.
2. Create a digital emergency sheet — Write a plain text file with instructions: 'Master password is in fireproof safe. 2FA codes are in envelope behind the safe. Bitwarden username is my email.' Encrypt this file with VeraCrypt and store it on a USB drive in the safe.
3. Tell one trusted person where the backup is — I told my brother exactly where in my house the safe key is kept. He doesn't have the combination, but he knows where to find it if I'm gone.
4. Test recovery by simulating a phone loss — Delete the authenticator app from your phone, then try to restore it using your recovery codes. If you can't get back in, fix the process now.
5. Review your plan every 6 months — Set a calendar reminder for January 1 and July 1. Check that your master password still works and your recovery codes are still in place.
💡 I keep my recovery sheet in a VeraCrypt-encrypted USB drive inside my fireproof safe. The USB drive is labeled 'Tax Returns 2019' so no one thinks to open it.
Recommended Tool
VeraCrypt (free)
Why this helps: Creates an encrypted container on a USB drive that looks like random data unless you have the password.
⚡ Expert Tips
⚡ Use a dedicated email for account recovery
Create a second email address that you never use for anything except password resets and account recovery. Enable 2FA on it and give it a 20-character password. This email is your safety net.
⚡ Don't let your password manager generate passwords longer than 20 characters
Some sites have hidden character limits. I've been locked out of a bank because their system silently truncated my 30-character password. 16-20 characters is enough for any realistic threat.
⚡ Use a physical security key for your most important accounts
Google, Facebook, and Twitter support hardware keys like YubiKey. I use one for my Google account. Even if someone gets my master password and 2FA code, they can't log in without the physical key.
⚡ Run a password audit quarterly
Bitwarden's 'Reports' tab shows weak, reused, or compromised passwords. I run this on the first Sunday of every quarter. It takes 5 minutes and has caught two breaches before I even got a notification email.
❌ Common Mistakes to Avoid
❌ Using a password manager but keeping a weak master password
Your master password is the single point of failure. If it's 'password123', you've defeated the purpose. Make it a passphrase with at least 4 random words.
❌ Storing 2FA recovery codes in your password manager vault
If you lose access to your vault, you lose your recovery codes too. Print them or store them separately. I keep mine in the same fireproof safe as my master password backup.
❌ Skipping 2FA because it's inconvenient
A password alone is weak. 2FA blocks 99.9% of account takeovers according to Google. The 10 seconds it takes to enter a code is worth preventing a hack that could cost you weeks.
❌ Using the same password for your email and password manager
Your email is the reset key for everything. If someone gets your email password, they can reset your password manager master password. Always use different, equally strong passwords for each.
⚠️ When to Seek Professional Help
If you've already been hacked and find yourself locked out of your email, bank, or social media accounts, stop trying to reset passwords on your own. Go to identitytheft.gov (US) or your country's equivalent. They have step-by-step recovery plans. If you're being actively extorted or someone has accessed your financial accounts, call your bank's fraud department immediately — they have teams that handle this daily.
If you've tried setting up a password manager twice and keep giving up because it feels overwhelming, consider hiring a local tech support person for a one-hour session. Tell them you want help setting up a password manager and 2FA. It might cost $50-100, but it's cheaper than the damage from a single hack. I've helped three friends this way, and each time it took under an hour to get them fully set up.
Setting up a strong password system isn't about becoming a security expert. It's about making one good decision — using a password manager — and then letting that decision do the work for you. I spent years trying to be clever with passwords, and I got hacked. Now I spend zero mental energy on passwords, and I haven't had a single issue.
That said, no system is perfect. If you miss a month of updating passwords, or you skip 2FA on one account, you're still more secure than 95% of people. Don't let perfectionism stop you from starting. The system I've described here took me about two hours to set up initially, and now it takes maybe 10 minutes a month to maintain.
I still remember the feeling of seeing that air fryer ordered to Miami. It was infuriating and humiliating. But it also forced me to fix something I'd been ignoring for years. If you take one thing from this article, let it be this: your passwords are not a test of your memory. They're a test of your systems. Build a good system, and you'll never have to think about passwords again.
How to set up a strong password system for beginners
Start by picking a password manager — Bitwarden is free and easy. Install it on your phone and computer. Then change passwords on your top 5 accounts (email, bank, social media) to unique 16-character passwords generated by the manager. Enable two-factor authentication on your email and password manager. That's it. You can fix the rest over time.
What is the best password manager for 2025
I recommend Bitwarden for most people because it's open source, has a free tier, and costs $10/year for premium. 1Password is a close second with a more polished interface. Apple Keychain is fine if you only use Apple devices. Avoid free managers that aren't open source — you're the product.
How to create a master password that is both strong and memorable
Use the diceware method: roll a die 5 times for each word, pick words from the EFF word list. Four words give you enough entropy. Or create a phrase from a personal memory that no one else would guess, like 'Grandma's purple couch smelled like cinnamon'. Don't use song lyrics or quotes.
How often should I change my passwords
Only change a password when you have a reason: a data breach, someone got access to your account, or you shared it with someone who shouldn't have it. Regularly changing passwords without cause doesn't improve security — it just makes you more likely to reuse weak ones.
How to set up two-factor authentication on my accounts
Go to your account's security settings. Look for 'Two-Factor Authentication' or '2FA'. Choose 'Authenticator App' over SMS. Install an authenticator app like Authy, scan the QR code, and enter the 6-digit code to confirm. Save the recovery codes they give you — print them and put them somewhere safe.
What is a passphrase and why is it better than a password
A passphrase is a sequence of random words, like 'correct horse battery staple' (made famous by the xkcd comic). It's easier to remember than a random string of characters, but harder for computers to crack because it's longer. A 4-word passphrase using a large word list has more entropy than a typical 10-character password.
How to recover a password manager account if I lose my phone
If you saved your recovery codes, use one of them to disable 2FA on the password manager's website. Then log in with your master password and set up a new authenticator app. If you lost both your phone and your recovery codes, you'll need to use your emergency backup (the printed master password) or contact the password manager's support for account recovery.
How to set up an ad blocker to reduce tracking and improve security
Install uBlock Origin on your browser — it's free, open source, and blocks ads, trackers, and known malicious domains. It doesn't just make pages load faster; it also blocks scripts that could steal your passwords. I use it alongside my password manager for defense in depth.
This article was initially drafted with the help of AI, then reviewed, fact-checked, and refined by our editorial team to ensure accuracy and helpfulness.