I Almost Got Compromised Because of My Passwords. Here's What I Changed.
I almost got compromised… because of my passwords. And it made me question everything we've been taught.
Remember the 'rules'? At least 12 characters, 1 uppercase, 1 number, 1 symbol, change every 90 days, never write them down.
👉 Spoiler: most of these rules are outdated.
Here is what current best practice recommends, drawing on NIST SP 800-63B (Digital Identity Guidelines).
📌 Myths vs Best Practices (NIST)
| Myth | Why it fails | Best practice | Why it works |
|---|---|---|---|
| Artificial complexity ("Tr0ub4dor&3") | Hard to remember, predictable for attackers | Length over complexity ("correct horse battery staple") | Longer, far more resistant to brute force |
| Forced rotation every 90 days | Pushes users to recycle weak variants (+1, +2…) | Change only when at risk | Suspected compromise or confirmed data leak |
| Security questions (maiden name, city of birth…) | Easily found via social media and OSINT | MFA everywhere (TOTP, hardware key, passkey) | Essential today on all sensitive accounts |
| Memorising all passwords | Impossible for dozens of unique passwords | Password manager (Bitwarden, 1Password, KeePass) | Long, unique passwords generated automatically |

(The xkcd passphrase above is quoted so often that it sits in every attacker wordlist; generate your own with your password manager or real dice.)
🗝️ 1. Password Manager
👉 Bitwarden (free & open source) recommended.
- Generates long, unique passwords
- Encrypted storage behind a single master password
- Available on all your devices
- Protect the vault itself: a long master passphrase used nowhere else, plus MFA on the manager account
📱 2. MFA on All Sensitive Accounts
👉 Email, banking, cloud, social media — top priority.
- TOTP app (Aegis, Authy, Microsoft Authenticator)
- Passkey / FIDO2 where the service offers it: phishing-resistant, nothing to type
- Hardware key (YubiKey) for critical accounts
- Avoid SMS where you can (SIM-swapping risk); it is still better than no second factor at all
🔍 3. Check Your Exposure
👉 haveibeenpwned.com — free and reliable.
- Enter your email address to see which known breaches it appears in
- Enable alerts for new breaches
- Check passwords too via Pwned Passwords: the site sends only the first five characters of the password's SHA-1 hash (k-anonymity), never the password itself
- Immediately change any exposed password, and anywhere else you reused it
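As an added example (not code from the original post, nor Have I Been Pwned's own client), here is the k-anonymity lookup the Pwned Passwords API uses, which is also the kind of check NIST SP 800-63B asks services to run on newly chosen passwords. Only the 5-character SHA-1 prefix is sent; the response is every suffix in that range with its breach count, matched locally. The `SAMPLE_RANGES` body and its counts are constructed so the example runs offline; `fetch_range` is the live equivalent and is not called by default. The `User-Agent` value is an arbitrary string of my choosing.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password: str) -> Tuple[str, str]:
    """Uppercase hex SHA-1 of the password, split into the 5-char prefix that is
    sent to the API and the 35-char suffix that never leaves this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse a range response: one 'SUFFIX:COUNT' pair per line.
    Padding entries (count 0, returned when Add-Padding is requested) are dropped."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.strip().isdigit() and int(count) > 0:
            counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, lookup: Callable[[str], str]) -> int:
    """How many times the password appears in the corpus behind `lookup`
    (0 = not found). `lookup` maps a 5-char prefix to the raw range body."""
    prefix, suffix = split_sha1(password)
    return parse_range(lookup(prefix)).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Live lookup against Have I Been Pwned. Only the prefix is transmitted;
    Add-Padding hides the true response size from anyone watching the connection."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"User-Agent": "pwned-passwords-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample range body for prefix 5BAA6, which is the real prefix of
# SHA-1("password"). The counts and the other suffixes are made up; the real API
# returns several hundred lines for any prefix.
SAMPLE_RANGES = {
    "5BAA6": "\n".join([
        "0" * 34 + "1:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345",
        "F" * 34 + "0:7",
        "A" * 34 + "B:0",   # padding-style entry, ignored by parse_range
    ])
}


def offline_lookup(prefix: str) -> str:
    """Stand-in for fetch_range that serves the constructed sample, so the
    example runs without network access."""
    return SAMPLE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        print(candidate, "->", pwned_count(candidate, offline_lookup))
```

To run it against the real corpus, pass `fetch_range` instead of `offline_lookup`. Any count above zero means the password is in a public breach dump and will be in credential-stuffing lists; treat it as burned regardless of how long or "complex" it looks.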
80%+ of breaches involve credentials (password reuse, database leaks, credential stuffing). Source: Verizon DBIR 2025.
Millions of accounts are leaked every month. Check your exposure on haveibeenpwned.com — it's free and takes 30 seconds.
🎯 15 Minutes Tonight — Done
👉 15 minutes = years of peace of mind
1. Install a password manager (Bitwarden recommended)
2. Secure your main email with a long, unique password
3. Enable MFA on your email, bank and social media accounts
🧠 Key Takeaway
Nobody can memorise dozens of unique and complex passwords.
And that's perfectly normal.
The solution is not to force yourself to memorise — it's to use the right tools.
✔ Length > artificial complexity
✔ Password manager = the standard today
✔ MFA = the most effective line of defence after the password
Do you already use a password manager… or not yet? What is holding you back?
Need personalised guidance?
NagaShield Security helps you implement these measures concretely, tailored to your organisation and budget.
Request a free diagnostic