You only need to remember two passwords
Think about how many passwords you are supposed to have. Email, banking, the shopping sites, the streaming services, the work logins, the one for the council, the one for the thing you signed up to once in 2019. Nobody can remember dozens of different long, random passwords. So people do the only thing that feels possible: they pick one password they can remember and use it almost everywhere, maybe with a “1” or a “!” on the end for the sites that demand it.
It is completely understandable. It is also the single most dangerous habit on the internet — and the surprising part is that fixing it makes your life easier, not harder. By the end of this you will be remembering two passwords instead of twenty, and the rest will be stronger than anything you could have invented.
What actually makes a password “safe”
Most of us were taught the wrong lesson. “Safe” was supposed to mean adding a capital letter, a number and a squiggle — Summer2024! and you are done. Attackers love that, because everyone does the same predictable thing.
The single biggest factor is not squiggles. It is length. A short password full of symbols is easier for a computer to crack than a long, plain one, because cracking is mostly a numbers game and every extra character multiplies the work enormously. Four random words strung together — something like copper-violin-harbor-tuesday — is both easy for a human to picture and absurdly hard for a machine to guess.
So a genuinely safe password is:
- Long — aim for a passphrase of several random words, not a short clever string.
- Unique — used for that one account and nowhere else (more on this next).
- Not about you — not your name, birthday, pet, team or anything someone could find on your profiles.
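To put numbers on “length multiplies the work”, here is an added example (not from the original article) that generates a random word passphrase with the operating system's secure random source and compares the guess space of different password shapes. The word list and the 1e10 guesses-per-second cracking rate are constructed illustration values; the 7,776 figure is the size of the EFF long word list.

```python
import math
import secrets

# Constructed sample word list so the demo runs offline. A real generator
# should draw from a large published list; the EFF long list has 7,776
# words, which is the size used in the comparison below.
SAMPLE_WORDS = [
    "copper", "violin", "harbor", "tuesday",
    "lantern", "meadow", "pixel", "quartz",
]
EFF_LIST_SIZE = 7776


def generate_passphrase(words, count=4, sep="-"):
    """Join `count` words chosen uniformly with the OS secure RNG (never random.choice)."""
    return sep.join(secrets.choice(words) for _ in range(count))


def entropy_bits(alphabet_size, length):
    """Bits of entropy for `length` symbols drawn uniformly at random.

    Each extra symbol multiplies the guess space by `alphabet_size`:
    one more word from a 7,776-word list adds ~12.9 bits, one more
    lowercase letter adds ~4.7 bits, one more printable ASCII char ~6.6.
    """
    return length * math.log2(alphabet_size)


def years_to_crack(bits, guesses_per_second=1e10):
    """Expected years to search half the space at an assumed offline rate
    (1e10 guesses/s is a constructed round figure, not a measurement)."""
    return (2 ** bits / 2) / guesses_per_second / (365 * 24 * 3600)


def compare_lengths():
    """Head to head: short-but-symbolic versus long-but-plain passwords."""
    return {
        "8 random symbols": entropy_bits(94, 8),       # printable ASCII
        "4 random words": entropy_bits(EFF_LIST_SIZE, 4),
        "6 random words": entropy_bits(EFF_LIST_SIZE, 6),
        "20 random lowercase": entropy_bits(26, 20),
    }


if __name__ == "__main__":
    print("example passphrase:", generate_passphrase(SAMPLE_WORDS))
    for label, bits in compare_lengths().items():
        print(f"{label:20s} {bits:6.1f} bits  ~{years_to_crack(bits):.3g} years")
```

One honest reading of the output: four truly random words come out about level with eight truly random symbols, but almost nobody makes eight truly random symbols, whereas a four-word phrase is genuinely memorable and every added word multiplies the work by another 7,776.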
The mistake almost everyone makes
Reusing one password everywhere feels efficient. The problem is what happens when any single site you used it on gets breached — and sites get breached constantly. The attackers do not just get into that one site. They take the list of leaked email-and-password pairs and try them, automatically, on hundreds of other services: your email, your bank, your shopping accounts. This is so common it has a name — credential stuffing — and it works precisely because so many people reuse the same password.
In other words: with one reused password, you are only as safe as the weakest site you ever signed up to. One forgotten forum from years ago can hand someone the keys to your email today.
The part nobody tells you: you only need to remember two
Here is the reframe. You are not supposed to remember a different strong password for every account — no human can, and trying is what leads to reuse. You are supposed to let software do it.
A password manager is an app that creates a long, random, unique password for every account, stores them all locked behind one master password, and fills them in for you when you log in. You never see or type those passwords; the manager does. Which means the only things you have to remember are:
- The password (or PIN) that unlocks your device — your phone or computer.
- The master password for your password manager.
That is it. Two. Make those two long passphrases you have never used anywhere else, and the manager takes care of the other forty — each one different, each one strong.
Two honest footnotes, because security should never oversell: keep a recovery method for your manager (if you lose the master password with no recovery set up, those passwords are gone — that is the trade-off for real encryption), and turn on two-factor authentication for your most important accounts, which the manager can also help with. Neither is complicated, and both are worth ten minutes.
Which password manager should you use?
You very likely already have a good one, for free.
If you use an iPhone, iPad or Mac — Apple Passwords. It is built in, free, and the same across all your Apple devices: it suggests strong passwords when you sign up, saves them automatically, and fills them in across Safari and your apps. There is now a dedicated Passwords app on recent iPhones and Macs, but it has quietly been doing this for years through Settings. For most people in the Apple world, turning this on is the whole solution.
For everyone, or if you want one manager across every device — Proton Pass. It is free, works on iPhone, Android, and as a browser extension on any computer, and it is open source and end-to-end encrypted, from the Swiss team behind Proton Mail. If your devices are a mix of Apple, Android and Windows, a manager that lives everywhere rather than in one ecosystem is the easier long-term answer.
Either is a genuine upgrade over remembering passwords yourself. The best one is simply the one you will actually turn on today.
How to start (about fifteen minutes)
- Turn on Apple Passwords, or install Proton Pass and create one strong master passphrase.
- Set up its recovery option so you can never be locked out.
- Log in to your email account, and let the manager save it — email first, because it is the master key that can reset everything else.
- Over the next week, each time you log in somewhere, let the manager replace that password with a new strong one. You do not have to do them all at once; just stop creating new weak ones.
That is the entire project. Not “memorise forty impossible strings” — just “remember two, and let an app handle the rest.”
Good security should not be a luxury or a full-time hobby. 5bats builds free, on-device tools so that staying safe — whether you are shipping code or just living online — does not depend on paying for it or being an expert. If this was useful, the guides and tools go further, and there is more everyday-security writing on the way.
