Why Passwords Get People Hacked
Most people use the same password (or a close variation) for everything. They know they shouldn't. But creating a unique, strong password for every account and remembering all of them is impossible without help.
Here's what happens: a company gets breached. Your email and password are exposed. Attackers then try that same email and password on your bank, your email, your social media, your work accounts. If you reused that password anywhere, they're in. This is called credential stuffing, and it's one of the most common ways people lose money and personal data.
The fix isn't a better memory. It's a better system.
Remember Only 2 Passwords
A password manager stores and generates all your passwords for you. You only need to memorize two. These two are the only passwords that exist in your head — everything else is randomly generated and stored in the manager.
Your Password Manager Password
This is the master key. It unlocks access to every other credential you own. Make it strong, unique, and something you can remember without writing it down.
Your Main Email Password
This is the email account where your bank, your password manager, and most of your important accounts send password resets. If someone gets into this email, they can reset everything. It needs its own unique password.
Both passwords must be completely unique. No reuse. No variations. Spring2024! and Summer2024! are not different passwords — an attacker who cracks one will try the obvious variations immediately.
Instead, use passphrases — random words combined with a number and symbol. They're long (hard to crack) and memorable (easy for you). For example:
RedPurpleOcean32!
MapleDeskWindow7#
CloudTrainBridge91&
Pick three unrelated words, add a number and a special character. That's it. Make one for your password manager and one for your email. A passphrase like this takes billions of years to brute-force, and you can actually remember it.
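The recipe above only holds up if the words are chosen at random rather than by you. The following is an added example, not this site's Password Generator: it builds a passphrase in the same shape with Python's `secrets` module and computes how much entropy the recipe yields for a given word-list size. The word list, symbol set and function names are assumptions made for the illustration.

```python
import math
import secrets

# Constructed sample list, kept short so the example is self-contained.
# Real use needs a large published list such as the 7,776-word EFF long list.
SAMPLE_WORDS = ["red", "purple", "ocean", "maple", "desk", "window", "cloud",
                "train", "bridge", "lantern", "gravel", "orbit", "pillow",
                "harbor", "cactus", "violin"]
SYMBOLS = "!#&@%*?$"  # assumed symbol set for this example


def generate_passphrase(words=SAMPLE_WORDS, n_words=3, max_number=99):
    """Build Word+Word+Word+number+symbol using the OS CSPRNG (secrets)."""
    if len(set(words)) != len(words):
        raise ValueError("word list contains duplicates")
    picked = [secrets.choice(words).capitalize() for _ in range(n_words)]
    number = secrets.randbelow(max_number + 1)  # 0..max_number inclusive
    return "".join(picked) + str(number) + secrets.choice(SYMBOLS)


def entropy_bits(list_size, n_words=3, max_number=99, n_symbols=len(SYMBOLS)):
    """Bits of entropy when the attacker knows the recipe and the word list."""
    combos = (list_size ** n_words) * (max_number + 1) * n_symbols
    return math.log2(combos)


if __name__ == "__main__":
    print(generate_passphrase())
    print(f"{len(SAMPLE_WORDS)}-word sample list: "
          f"{entropy_bits(len(SAMPLE_WORDS)):.1f} bits")
    print(f"7776-word list: {entropy_bits(7776):.1f} bits")
    print(f"7776-word list, 5 words: {entropy_bits(7776, n_words=5):.1f} bits")
```

Almost all of the strength comes from the size of the word list and the number of words, so adding a word increases it far more than changing the number or symbol.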
Need help creating one? Use our Password Generator to create a strong passphrase or random password instantly.
Every other account — social media, shopping, streaming, work tools, airline miles, every single one — gets a randomly generated password from your password manager. You never need to see or remember these passwords. The manager fills them in for you automatically.
Set Up Apple Passwords
Apple Passwords is built into every iPhone (iOS 18+) and Mac (macOS Sequoia+). It's free, syncs across your devices via iCloud, and fills in passwords automatically. If you use Apple devices, this is the simplest way to get started — no extra app to install.
First: Turn On iCloud Keychain
This is the sync engine that keeps your passwords available across all your Apple devices. You only need to do this once.
On iPhone:
1 Open Settings
Tap your name at the top of the Settings screen to open your Apple Account settings.
2 Go to iCloud
Tap iCloud, then tap Passwords & Keychain.
3 Turn it on
Toggle Sync this iPhone to on. Your passwords will now sync across all your Apple devices signed into the same Apple Account.
On Mac:
1 Open System Settings
Click the Apple menu in the top-left corner, then click System Settings. Click your name at the top of the sidebar.
2 Enable Passwords & Keychain
Click iCloud, then click Passwords & Keychain and make sure it's turned on.
Enable AutoFill
AutoFill is what lets Apple automatically fill in your usernames and passwords when you visit a website or open an app.
On iPhone:
1 Open Settings
Go to Settings → General → AutoFill & Passwords.
2 Turn on AutoFill
Toggle AutoFill Passwords and Passkeys to on. Make sure Passwords is checked as a provider below the toggle.
On Mac:
1 Open System Settings
Go to System Settings → General → AutoFill & Passwords. Turn on AutoFill Passwords and Passkeys and select Passwords as the provider.
Save a New Password
Once AutoFill is on, Apple handles this automatically. When you sign up for a new account or log in somewhere for the first time, you'll see a prompt.
1 Sign up or log in normally
Go to a website or app and start creating an account. When you tap the password field, Apple will suggest a strong random password.
2 Accept the suggested password
Tap Use Strong Password. Apple will save it automatically. You never need to see or type this password again — AutoFill handles it from now on.
3 For existing accounts
Log into the site with your current password. When prompted to save it, tap Save Password. Then go to the site's password change page, let Apple generate a new strong password, and update it.
Find Your Saved Passwords
1 Open the Passwords app
On iPhone or Mac, open the Passwords app (it's a standalone app as of iOS 18 / macOS Sequoia). Authenticate with Face ID, Touch ID, or your device passcode.
2 Search or browse
Tap All to see every saved credential, or use the search bar to find a specific site or app. Tap any entry to view the username, password, and website.
Check for Compromised Passwords
Apple Passwords automatically checks your saved passwords against known data breaches and flags any that are weak, reused, or compromised.
1 Open the Passwords app
Look for the Security section. It shows you a list of passwords that need attention — either because they appeared in a data breach, they're being reused across sites, or they're weak.
2 Fix flagged passwords
Tap a flagged entry, then tap Change Password. You'll be taken to that site's password change page. Let Apple generate a new strong password and save it.
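A simplified version of the "reused" check, extended to catch near-variations such as Spring2024! and Summer2024!. This is an added example and not how Apple Passwords works internally; the sample vault, the grouping heuristic and the function name are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample vault export: (site, password). Not real credentials.
SAMPLE_VAULT = [
    ("bank.example", "Spring2024!"),
    ("mail.example", "Summer2024!"),
    ("shop.example", "Spring2024!"),
    ("forum.example", "spring2025#"),
    ("video.example", "q7#Vt2m!Lz9@Xw4p"),
]


def audit(vault):
    """Return {'reused': [...], 'variations': [...]} as sorted site groups."""
    exact = defaultdict(set)      # identical password -> sites
    by_word = defaultdict(set)    # same letters, different digits/symbols
    by_suffix = defaultdict(set)  # same digits/symbols, different word
    for site, pw in vault:
        exact[pw].add(site)
        letters = re.sub(r"[^a-z]", "", pw.lower())
        rest = re.sub(r"[A-Za-z]", "", pw)
        if len(letters) >= 4:     # ignore keys too short to be meaningful
            by_word[letters].add(site)
        if len(rest) >= 3:
            by_suffix[rest].add(site)
    reused = sorted(sorted(s) for s in exact.values() if len(s) > 1)
    variations = []
    for groups in (by_word, by_suffix):
        for sites in groups.values():
            group = sorted(sites)
            if len(group) > 1 and group not in reused and group not in variations:
                variations.append(group)
    return {"reused": reused, "variations": sorted(variations)}


if __name__ == "__main__":
    for kind, groups in audit(SAMPLE_VAULT).items():
        for group in groups:
            print(f"{kind}: {', '.join(group)}")
```

The randomly generated entry is never grouped with anything, which is why manager-generated passwords clear both kinds of flag.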
Tips & Common Mistakes
That defeats the entire purpose. It should only exist in your head.
If your phone doesn't have a passcode, anyone who picks it up has access to all your saved passwords. Use a 6-digit code or alphanumeric passcode, not 4 digits.
Even with a strong unique password, adding a second factor (like a text message code or authenticator app) makes these accounts much harder to break into. Most password managers support 2FA — enable it if yours does.
If you need to share a password with a family member, use the password manager's sharing feature — Apple Passwords has a Shared Groups feature for exactly this.
Pick a date (your birthday, New Year's, whatever sticks) and update both. Use new, unrelated passphrases each time.
When the Passwords app flags a compromised credential, fix it that day. The alert exists because that password is actively circulating among attackers.