Nobody guesses passwords anymore. That mental image, a hacker at a keyboard trying your dog's name, is twenty years out of date, and it quietly shapes a lot of bad security decisions. The real attack is duller and far more effective, and it is aimed at a habit, not a person.
The combo list
When breaches leak, the email-and-password pairs inside them get extracted, merged, and compiled into what the trade calls combo lists: enormous text files of credentials from years of breaches, deduplicated and sorted for convenience. These circulate cheaply. Some are simply free.
Credential stuffing is what happens next. Software takes the list and tries every pair against the login pages of banks, email providers, retailers, and streaming services, thousands of attempts per minute, spread across networks of hijacked devices so no single source looks suspicious. No cracking, no guessing, no skill. Just a question asked at industrial scale: does this old key fit this other door?
For most people, at least one old key does.
Strong but reused is still broken
Here is the part that surprises careful people. Suppose your password is genuinely excellent: eighteen characters, symbols, no dictionary words. You were diligent. You used it everywhere, because it is a pain to remember and it is a good password, so why not?
Then one site you used it on gets breached and stores passwords badly, and your excellent password is now plaintext in a combo list next to your email address. Its strength no longer matters at all. Every account that shares it is open. The vulnerability was never the password. It was the sharing.
Variants do not save you either. Adding a "1", appending the site's name, swapping an o for a zero: stuffing tools apply those mutations automatically, because everyone reaches for the same tricks.
A password's job is to contain damage, not just resist guessing. One password per account means one breach costs you one account. Reuse means one breach costs you everything that shares the key.
What actually makes a password strong
Length beats cleverness. Current guidance from NIST, the US standards body, favors long passphrases over short complex strings, and drops the old advice to change passwords on a schedule. A four-word phrase like copper daylight harbor sixteen is easier to type, easier to remember, and takes vastly longer to crack than Tr0ub4dor! style substitutions that cracking software has understood for decades.
But do not miss the order of importance: unique first, long second. A merely decent password that exists nowhere else beats a magnificent one you have used on five sites.
The honest problem: nobody can remember sixty unique passwords
This is where the advice usually collapses. You have somewhere between fifty and two hundred accounts. Unique passphrases for all of them is not a memory task any human should attempt, and pretending otherwise is why people quietly go back to reusing.
There are exactly two workable answers. A password manager, which remembers everything and generates a fresh key per site. Or, for a small number of critical accounts, passkeys, the newer standard that replaces passwords entirely with a cryptographic exchange your device performs. For everything in between, the manager is the practical answer, and the objections to it deserve an honest hearing, which is what the next guide does.
Which of your passwords are already in circulation?
Our free scan shows which known breaches contain your email and whether passwords were among the data taken.
Run the Free Breach Scan →