If you have some spare time this weekend, you may want to spend a bit of it on password housekeeping, as the largest ever leak of 16 billion passwords has just occurred.
Passwords from Apple, Google, Facebook, LinkedIn and many major websites have been compromised. So it’s almost 100% likely that at least one of the passwords you use on a regular basis is now floating around waiting for someone to use it.
Password hygiene might involve putting your passwords into a password manager, seeing which ones have been compromised, generating new hard-to-crack and unique passwords for each website you use, and setting up 2-Factor Authentication and Passkey logins for critical websites like Internet banking.
With our entire lives now online and in the cloud, the only thing standing between someone else and everything you own is a single password.
For example:
- My whole life in photos (public and private) resides in Apple iCloud
- All my money is in my internet banking accounts
- My personal and commercially sensitive computer files are online in my Dropbox
- My communication is online via my Email, FB Messenger and Telegram accounts
What has happened?
- The largest data breach in history involves 16 billion login credentials
- The records are scattered across 30 different databases, and some records may overlap
- The data most likely comes from various infostealers
- The data is recent, not merely recycled from old breaches
- Cybercriminals now have unprecedented access to personal credentials and could exploit them for account takeovers, identity theft, targeted phishing attacks, and more
Rather than repeating the same information that many websites will provide on the actual details of the hack, here are a couple of external links to the story if you want to read more in depth.
How I manage my own passwords, based on 30 years’ experience in IT, follows below.
The three factors of authentication
If you want to secure something, whether it’s your email account or your front door, there are only three ways to do it:
- With something that you KNOW (like a password)
- With something that you HAVE (like a physical key, or the cellphone you carry with you)
- With something that you ARE (like your retina or your fingerprint)
The problem with a password is that it covers only one of those three factors, and as soon as someone else knows what you know, they can access your stuff.
That’s why security is slowly moving beyond just passwords to Multi-Factor Authentication (MFA): even if someone knows your password, they can’t access your stuff unless they also have one of the other factors (such as your phone, to receive a text-message one-time code).
The Evolution of Password security on the Internet
If you were on the Internet in the mid 1990s like me, passwords were pretty simple.
In the 1990s, most people started out with a single password for connecting to their ISP and their email. It was probably a single word, something like your pet’s name or your spouse’s name, something easy to type and remember, and re-used in 2-4 locations. Perhaps your password was just “password”. It didn’t need to be particularly complex, as there just wasn’t that much hacking going on.
In the 2000s, once a few more services and websites started popping up like Amazon, Bebo, Myspace and Gmail, your password started being used in 10-20 places rather than 2-4. Because a few websites and people got hacked, online services started asking you to add a capital letter and a number to your password, so naturally your password became “Password1” or “GirlfriendsName69”.
In the 2010s, as money started moving online and more was at stake, companies started asking for “12 characters, a mix of upper and lower case, a symbol, etc.”, so your password became “Pa55w0rd1!!”.
In the 2020s, once your money was online, and perhaps your confidential company files, passwords started to become not good enough for critical services. That’s when things like key fob tokens and text-message one-time codes for 2-Factor Authentication started to become common.
In 2025, there are now so many data breaches, and automated hacking tools are becoming so fast and powerful, that the lowly password is easily compromised. Many websites are rolling out 2-Factor Authentication as mandatory, which can be annoying, but luckily Passkey technology is being rolled out by all the big players, which seeks to make passwords obsolete. Until Passkeys are used everywhere, though, we are going to have to choose and manage secure passwords.
Using a password manager
If you’re still using the same password for every internet service you have, or you write down all your passwords in a paper notebook, it’s time to evolve, as that just won’t cut it anymore.
A password manager is a software program on your phone and computer (usually both) that performs several useful functions:
- You only need to remember one password (the password or fingerprint for your password manager), and your password manager remembers and securely stores all your other passwords for you
- Password managers can generate unique, long, secure passwords for each one of your websites, so that one compromised password doesn’t mean someone can get into every internet service you have a login for
- Password managers can generate Passkeys and One Time Passwords, which are more secure than passwords by themselves
- Password managers will generally allow you to share passwords with friends, family and co-workers as needed
For years I used a program called 1Password, which is very good; however, they annoyed me when they started charging me monthly subscription fees, despite the fact that I’d long ago purchased a lifetime membership.
If you’re an Apple user, Apple recently released a standalone Password App for iPhone and Mac, that replaces the more basic “safari saved passwords”, and so I migrated everything into that. While not as feature rich as 1Password, it does everything I need and it’s included with Apple products.
You can see from the “security” alert section on my screenshot below that currently 195 of my ~500 passwords have been listed as compromised by Apple’s automatic “leaked passwords” checking service. A couple of weeks ago this was only 60, so likely 150 or so of my passwords are in this new gigantic leak.
I regularly monitor my password manager for listed compromised passwords and then set about changing them. Generally I’m very quick to change my passwords if they are leaked for things like Facebook, but some barely used websites that pose no real security risk to me I can be sluggish.
If you’re a Microsoft / Android user, then you can use the free Google Password Manager, or choose a third-party product. While I personally just use Apple Passwords, at work we use Keeper Password Manager, as it has some enterprise features like being able to share passwords with other employees without revealing the actual password, revoking access for former employees, etc.
Your Action Plan for Password Security
Use Unique, Complex Passwords for Every Site
Never reuse passwords across websites. Each password should be long, complex, and unique, ideally auto-generated by a password manager. Avoid simple words, names, or number patterns, as these can be easily cracked using brute-force attacks.
Use a Password Manager
Store all your passwords in a reputable password manager that syncs across your devices (phone, tablet, laptop). This way, you’ll always have access to your logins when you need them, securely and conveniently.
Monitor for Compromised Passwords
Most modern password managers will alert you if any of your passwords have been exposed in data breaches. If a password is flagged as compromised, change it immediately on the affected service.
Enable Two-Factor or Passkey Authentication Everywhere
For critical accounts (banking, social media, cloud storage, etc.), enable 2FA (Two-Factor Authentication) or passkeys. This adds a second layer of protection, even if your password is compromised.
Secure Your Email Account Above All Else
Your primary email is often the key to resetting other account passwords, so treat it like your digital front door. Use your strongest, most secure password here and enable 2FA or passkeys. Losing access to your email could compromise dozens of connected services.
Lock Down Your Mobile Number
Your phone number is a common target for account takeovers. To protect it:
- Make sure your mobile provider requires identity verification (e.g., sending you a code or asking security questions) before making changes to your account.
- Preferably, be on a postpaid account, as prepay numbers are often easier to hijack.
If your number is stolen, attackers can intercept 2FA codes and password resets, so secure it like your email.
Use a Private Email for Password Resets (Advanced Users)
If you’re a public figure or at high risk of targeting, consider using a separate, private email address for account recovery. That way, if someone gains access to your public inbox, they can’t use it to reset all your other accounts.
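As an added example (not code from this post or from any of the password managers it names), here is a small Python sketch of the two password-manager jobs described in the password manager section and in the action plan: generating a unique password from the operating system’s random source, and checking a vault against a leaked-password set using the hash-prefix (k-anonymity) approach breach-checking services use, so the password itself is never sent anywhere. The leaked set and the vault are constructed sample data, and the range lookup is a local stand-in for the real network call.

```python
import hashlib
import secrets
import string

# Constructed stand-in for a leaked-password corpus, stored as SHA-1 hashes
# the way breach-checking services keep them (sample values made up here).
LEAKED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password", "Password1", "Pa55w0rd1!!", "GirlfriendsName69")
}

def generate_password(length=20):
    """Unique random password from the OS CSPRNG (secrets), never random.random."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        # Retry until every character class appears, satisfying typical site rules.
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw)):
            return pw

def hash_prefix_suffix(password):
    """Split the SHA-1 hex digest into a 5-char prefix and a 35-char suffix.
    In the k-anonymity range model only the prefix is sent to the checking
    service; the suffix comparison happens locally, so the password never
    leaves the device."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[:5], digest[5:]

def leaked_suffixes_for_prefix(prefix):
    """Stand-in for the remote range lookup: every leaked suffix under a prefix.
    A real manager would fetch this list over HTTPS; here it reads the local set."""
    return {h[5:] for h in LEAKED_SHA1 if h.startswith(prefix)}

def is_compromised(password):
    prefix, suffix = hash_prefix_suffix(password)
    return suffix in leaked_suffixes_for_prefix(prefix)

def audit(vault):
    """Report reused and leaked passwords in a vault mapping site -> password."""
    by_password = {}
    for site, pw in vault.items():
        by_password.setdefault(pw, []).append(site)
    reused = sorted(s for sites in by_password.values() if len(sites) > 1 for s in sites)
    leaked = sorted(site for site, pw in vault.items() if is_compromised(pw))
    return {"reused": reused, "leaked": leaked}
```

Running audit over a vault such as {"bank": "Pa55w0rd1!!", "shop": "Pa55w0rd1!!", "mail": generate_password()} flags bank and shop as both reused and leaked, which is exactly the alert a password manager raises before you go and change them.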
Double security on Xero and Microsoft 365. Can barely get into them, and now IRD won’t even let me into my RealMe account.
Come on people 🙀😿
Really helpful and timely advice.