Passwords; we all have them. If you’ve been using the internet for any length of time, you probably have passwords for dozens, if not hundreds, of different websites. Because we all use passwords so often, it’s easy to forget that hackers and cybercriminals are waiting for us to slip up on our password security.
Sometimes, a compromised password can mean ending up in a mildly embarrassing but otherwise harmless situation, like a forgotten social media account that starts to send spam messages to all your contacts. Other times, the consequences can be much more serious, particularly if the hacker gains access to your financial accounts or sensitive information you have stored in your email account or cloud storage.
The good news is that with a few simple steps, you can dramatically reduce the risk of having your online accounts compromised.
What’s the big deal about passwords?
Every time you log in to a website or app, you are answering two questions: “Who are you?” and “How can you prove it?”
“Who are you?” is an easy question to answer. Typically, that means providing the email address, phone number, or username you provided when you signed up for an account. But email addresses aren’t exactly a secret—we give them out any time we want to send a message to someone!
That’s why you’re also asked to provide what’s known as an “authentication factor,” which is something you know (like a password), something you have (like an authenticator or security key), or something you are (like a fingerprint). The most common authentication factor used today is the password, which is why I wrote this blog post.
Passwords are meant to be a secret known only to you and the website or app you’re logging into. But if someone else knows the password, it’s pretty easy for them to log in as you. And that’s where most of us get into trouble.
Hackers vs. Passwords
While hackers often seem like a mysterious shadowy force for evil, the truth is that they’re just people like the rest of us—and like anyone else with a job, they’re always looking for ways to make their work more efficient.
Frequently, the first thing a hacker will try to do is see if you picked a commonly used password. According to CyberNews, the top password that people pick is “123456”. If that’s your password today, then I have some bad news for you: that’s the first thing hackers will try when attempting to break into your account! Game over.
If that doesn’t work, hackers will often turn to a technique known as “credential stuffing.” Over the years, billions of email/password combinations have been leaked or hacked from various websites, and many people use the same combination across multiple websites. So if you have an account on Website A, and use the same email address and password combination on Website B, then any hacker who successfully manages to compromise Website A has everything they need to access your account on both websites. You can check to see if your email and password have been exposed in a known data breach using free services like HaveIBeenPwned.
How to pick a strong password
To avoid the bad outcomes described above, all your passwords should meet these criteria:
- They should be unique. Every website and application should get its own password that you don’t use anywhere else.
- They should be entirely random. Don’t use any personal information, such as names or dates of birth.
- They should be at least 16 characters long. This makes it harder for a hacker to guess them or use a brute-force attack.
If that sounds incredibly difficult to you, you’re not alone! No human can remember enough passwords to keep themselves safe online. The good news is that there are a number of tools that not only make it easier to manage all your logins, but also free up your memory for more important things like birthdays and weekend plans.
I strongly recommend using a password manager like 1Password, LastPass, or Dashlane. These tools are built specifically for managing and securing passwords, and have cross-platform applications so your passwords can safely come with you no matter what device you use. If you don’t want to use a password manager, an offline physical password notebook works too, as long as you keep it in a safe place. The only practice to avoid is storing passwords in your email, cloud storage, or online notes.
The bottom line
Passwords can often feel like a pain to manage—and they are! But they’re still really important to manage correctly, to make sure hackers can’t invade your digital life. By understanding how hackers typically operate, and using a safe password storage tool like a password manager or offline notebook, you will have significantly improved your online security and can sleep a little bit easier at night.
Publisher’s note: Evernote takes account security very seriously. We strongly recommend all our customers follow the advice in this article, plus take the extra precaution of enabling two-step verification on your Evernote account and wherever possible. We thank the author for his contribution on this very important topic.

Matt Muller is the Director of Security Operations at Coinbase, one of the largest cryptocurrency platforms in the world. He enjoys nothing more in the world than making fraudsters feel frustrated, but a good wine and cheese pairing comes in as a pretty close second.