Security · June 26, 2026

Your passwords have probably leaked

It's not a crisis — it's the new normal. Here's the practical checklist to stay ahead of it.

If you've used the internet for more than a few years, at least one of your passwords is sitting in a breached database somewhere. That's not a guess — billions of credentials have leaked from companies large and small. The goal isn't to panic. It's to make those leaks harmless.

First, check

Go to haveibeenpwned.com and enter your email. It'll show you which known breaches included your address. It's run by a respected security researcher and it's free. Don't be alarmed by the list — almost everyone has one.

Then fix the things that actually matter

1. Stop reusing passwords

Reuse is what turns one leaked password into ten compromised accounts. Attackers take a username and password from one breach and try the pair everywhere: banking, email, your business apps. One unique password per account shuts that down completely.

2. Use a password manager

Nobody can remember a hundred unique passwords, and you shouldn't try. A password manager generates and stores strong, unique passwords so you only remember one. This is the single highest-impact change most people can make.

3. Turn on multi-factor authentication (MFA)

MFA means a stolen password alone isn't enough — a login also needs a code or approval from your phone. Turn it on everywhere that offers it, starting with email. Your email is the master key: whoever controls it can reset everything else.

4. Prefer app or hardware codes over text messages

SMS codes are better than nothing, but they can be intercepted, and a SIM swap can redirect them to someone else's phone. An authenticator app or a hardware key is meaningfully stronger for the accounts that matter most.

5. Consider passkeys

Passkeys replace the password entirely with a secure key tied to your device. They can't be phished or reused, and more services support them every month. Where you can use one, do.

For businesses, make it a system

Personal habits are a start, but a business needs this enforced: a shared password manager, MFA required on every account, and someone watching for exposed credentials. That's the difference between hoping your team is careful and knowing your accounts are protected.

If you'd like a hand rolling password management and MFA out across your team — without it becoming a fight — that's exactly the kind of thing we set up and support.