The annual Verizon Data Breach Investigations Report has made the same finding for over a decade: compromised credentials are involved in more than 80 percent of hacking-related breaches. This is not a sophisticated attacker problem — it is a password hygiene problem at massive scale. And the irony is that the technical solutions to this problem have existed for years, are free or nearly free to implement, and take an hour to set up properly.
Most people who have "heard they should use a password manager" have not actually done it. Most people who have "set up two-factor authentication" have done so for one or two accounts. This guide is not about awareness — it is about the complete, actionable setup that closes the most significant gaps.
Understanding the Actual Threat Model
Before optimising your security setup, it is worth being precise about what you are protecting against. The threat landscape for most individuals has three distinct components:
Credential Stuffing
The most common attack against personal accounts is credential stuffing: an attacker takes a list of username/password pairs from one breach (say, an old gaming site breach from 2019) and systematically tries them against other services (Gmail, banks, Amazon). If you reuse passwords, a breach at a low-security service compromises your high-security accounts automatically. This attack is automated, runs at scale, and does not require an attacker to target you specifically — you are just one record in a list.
The complete defence is simple: unique passwords for every account. This is the single highest-impact change most people can make to their security posture. A password manager makes this practical; without one, it is not.
Phishing
Phishing attacks — fake login pages that capture your credentials — have become significantly more sophisticated. AI-generated phishing emails are now nearly indistinguishable from legitimate communication. The defence against phishing is not a better ability to spot fake emails; it is phishing-resistant authentication: hardware security keys and passkeys, both built on FIDO2/WebAuthn, are inherently phishing-resistant because the credential is cryptographically bound to the legitimate domain, so a fake login page on another domain never receives anything it can reuse.
Targeted Account Takeover
Targeted attacks — where someone is specifically trying to access your accounts — are rare for most individuals but matter for people with significant public profiles, cryptocurrency holdings, or roles with privileged access to sensitive systems. For this threat model, the priority shifts to advanced two-factor authentication (hardware keys rather than SMS), account recovery security, and reducing the attack surface of linked accounts.
Step 1: Use a Password Manager
A password manager solves the credential stuffing threat entirely by making unique, random passwords trivial to use. The mental model that stops people from adopting them — "but then all my passwords are in one place" — misunderstands the threat model. The risk of a well-secured password manager vault being compromised is far lower than the risk of password reuse across dozens of accounts, because the vault is encrypted locally and the service never holds your master password.
1Password
1Password is the most polished password manager available. The family plan ($5/month for up to 5 people) makes it cost-effective for households. Travel Mode — which temporarily hides selected vaults when crossing borders — is a thoughtful feature for frequent travellers. The Watchtower feature actively monitors for compromised passwords and weak entries. The browser extensions and mobile apps are reliable and actively maintained.
Bitwarden
Bitwarden is the strongest free option and, for technically comfortable users, the recommended starting point before deciding whether to pay for premium features. The free tier handles unlimited passwords across unlimited devices — a significant differentiator from LastPass, which gutted its free tier. Bitwarden is open source, has been independently audited, and the premium tier ($10/year) adds TOTP code storage, encrypted file attachments, and health reports.
Apple Passwords / Google Password Manager
Apple's and Google's native password managers have both improved substantially. If you live entirely within one ecosystem (all Apple devices, or all Android/Chrome), they are genuinely functional, free, and convenient. The limitations are cross-platform access (Apple Passwords on Windows is clunky; Google's manager is less capable on iOS) and the absence of advanced features like travel mode, emergency access, and breach monitoring. They are a meaningful improvement over no manager at all, but dedicated managers like 1Password and Bitwarden offer a materially better experience.
Migration Process
The initial setup requires an hour or two. Most password managers can import from browsers and other managers. After import, run the built-in health check to identify weak and reused passwords, then change the worst offenders — prioritise banking, email, and social accounts first. You do not need to change all passwords on day one; address the highest-risk accounts and let the rest migrate naturally as you log in.
Step 2: Enable Two-Factor Authentication on Important Accounts
Two-factor authentication (2FA) adds a second verification step beyond the password — making compromised credentials insufficient on their own to access the account. Not all 2FA is equal, and the differences matter.
SMS-Based 2FA: Better Than Nothing, Not Good Enough for High-Value Accounts
SMS codes are vulnerable to SIM swapping — a social engineering attack where an attacker convinces a mobile carrier to transfer your phone number to their SIM card. This has been used to compromise cryptocurrency accounts and email accounts with regularity. For social media and low-stakes accounts, SMS 2FA is a meaningful security improvement. For banking, email, and crypto, it should be replaced with a stronger method.
Authenticator Apps: The Right Default
Time-based one-time password (TOTP) authenticator apps generate codes that expire every 30 seconds. These are not vulnerable to SIM swapping and are the right default for most accounts. Recommended apps: Aegis (Android, open source, local backup), Raivo OTP (iOS), or the 2FA feature built into 1Password or Bitwarden for users who want codes integrated with their password manager.
A note on storing TOTP seeds (the secrets that generate the codes) in your password manager: convenient, but it partially collapses the two-factor model into one factor (if your manager is compromised, both the password and the code generator are accessible). For most people, the convenience tradeoff is reasonable. For high-value accounts like your primary email and financial accounts, keep the TOTP seeds in a separate authenticator app.
Passkeys: The Future of Authentication
Passkeys are the authentication standard that the industry has been trying to achieve for fifteen years. They replace the password with a cryptographic key pair: a public key stored by the service, and a private key stored on your device that never leaves it. Authentication happens via biometric confirmation (Face ID, fingerprint) or device PIN. Passkeys are phishing-resistant by design — the credential is bound to the domain it was registered on, so a fake login page on a different domain cannot capture anything useful. They are also simpler to use than passwords: no typing, no copying codes, no password reset flows.
Support in 2026 is widespread for major services: Google, Apple, Microsoft, GitHub, Dropbox, PayPal, eBay, and most major financial services support passkey login. Enable passkeys wherever they are available. They are strictly better than password authentication from both a security and usability perspective.
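As an added illustration (not from the original guide, and a deliberate simplification of WebAuthn rather than any library's API), the Go model below shows the domain binding described above: the device looks a passkey up by the relying-party ID the browser takes from the page's real origin, and the service only accepts a signature over the hash of its own domain and the challenge it issued. The Authenticator type, the raw challenge standing in for clientDataHash, and the domain names are assumptions.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Authenticator models the device side of a passkey: one P-256 key pair per
// relying-party ID (rpID, the registered domain). Private keys never leave it.
type Authenticator map[string]*ecdsa.PrivateKey

// Register creates a key pair scoped to rpID; only the public key goes to the service.
func (a Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a[rpID] = priv
	return &priv.PublicKey, nil
}

// Assert models login. The browser takes rpID from the page's real origin, so a
// fake page on another domain asks for a credential that does not exist. The
// signature covers SHA-256(rpID) and the challenge (WebAuthn's clientDataHash).
func (a Authenticator) Assert(rpID string, challenge []byte) (rpIDHash, sig []byte, err error) {
	priv, ok := a[rpID]
	if !ok {
		return nil, nil, errors.New("no passkey registered for " + rpID)
	}
	h := sha256.Sum256([]byte(rpID))
	signed := sha256.Sum256(append(h[:], challenge...))
	sig, err = ecdsa.SignASN1(rand.Reader, priv, signed[:])
	return h[:], sig, err
}

// Verify is the service side: rpIDHash must be the hash of its own domain and
// the signature must cover the challenge it issued for this login attempt.
func Verify(pub *ecdsa.PublicKey, rpID string, challenge, rpIDHash, sig []byte) bool {
	want := sha256.Sum256([]byte(rpID))
	if !bytes.Equal(want[:], rpIDHash) {
		return false
	}
	signed := sha256.Sum256(append(want[:], challenge...))
	return ecdsa.VerifyASN1(pub, signed[:], sig)
}
```

Because the challenge is fresh per login and the signature is scoped to the domain, an assertion captured anywhere else verifies nowhere else.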
Step 3: Secure Your Email Account Above Everything Else
Your primary email account is the master key to your digital life. Password reset flows for almost every other service send recovery links to email, which means that anyone who controls your email inbox can take over most of your other accounts. Email account security deserves disproportionate attention.
Specific measures for email accounts: use a unique, randomly generated password stored in your manager. Enable the strongest available 2FA — a passkey if available, a hardware key if not, and a TOTP authenticator as a minimum. Review and clean up your account recovery options: remove SMS recovery if possible, and confirm backup codes are stored securely offline. Review which third-party apps have access to your email and revoke anything you do not actively use.
Consider the attack surface of your email provider. Gmail and Outlook have strong security infrastructure and are reasonable choices. For higher-threat individuals, privacy-focused providers like Proton Mail offer end-to-end encryption for stored mail, which means even a server compromise does not expose email content.
Step 4: Audit Your Existing Accounts
Most people have accounts they have forgotten about — old forums, retail sites, services they signed up for once. Dormant accounts represent a real risk: if they are breached, attackers have a credential pair that may work elsewhere, and the owner receives no breach notification if they no longer use the email address associated with it.
Use HaveIBeenPwned (haveibeenpwned.com) to check your email addresses against known breach databases. The service is free, trustworthy, and run by a security researcher (Troy Hunt) who has been doing it since 2013. If your email appears in breaches, identify the affected accounts and change the passwords. Enable breach notifications so you are alerted to future incidents.
For the dormant account problem: delete accounts you no longer need rather than leaving them dormant. Most services have a delete account option buried in settings. JustDeleteMe (justdeleteme.xyz) maintains a directory of direct links to the account deletion page for hundreds of services.
Step 5: Build a Recovery Plan
The security setup fails without a recovery plan. If you lose access to your device and your 2FA codes are only on that device, you are locked out of your accounts. Recovery planning is the part of security hygiene that most guides skip, and it is what turns a good setup into a resilient one.
Core recovery documents to create and store securely (offline, in a fireproof location, or shared with a trusted person): password manager master password and emergency kit (1Password provides this as a PDF), backup codes for critical accounts (download and print the 10-digit backup codes that services provide when you set up 2FA), and a list of the email addresses associated with key accounts. These documents should not be stored in a cloud service that is itself secured by what you are trying to recover.
What Good Security Looks Like in Practice
A complete personal security setup looks like this: 1Password or Bitwarden for all passwords, with Watchtower/health reports enabled; TOTP authenticator app (Aegis or Raivo) for 2FA codes on critical accounts; passkeys enabled wherever supported; email accounts secured with the strongest available 2FA; backup codes printed and stored offline; HaveIBeenPwned monitoring active.
Setup time: approximately two to three hours for the initial configuration. Ongoing maintenance: near-zero once the system is in place. The password manager handles new account creation automatically and the authenticator app becomes muscle memory within a week.
The tradeoff between security and convenience has genuinely narrowed in the passkey era. A well-configured passkey login is faster than typing a password and entering a code. The resistance to setting this up is mostly inertia, not a genuine cost. An hour spent on this now eliminates a category of problem that costs people thousands of dollars and days of stress when it happens.