No, we don’t need to do a deep dive into the mathematics of passwords with complex computations of entropy, instead you need to understand how you actually get hacked. Stay right there. Brute Force is the technique used to hack passwords using the trial and error method. It involves trying out every possibility. So if the password is a 6-digit pin code, then the possible values to try are 0-0-0-0-0 to 9-9-9-9-9. That makes 1 million possibilities. A brute force attacker will try all of that, and the time it takes will be less than the total amount of time it takes to try out 1 million possibilities.

Using the fastest computer possible, obviously it would take nanoseconds to count them all, so you figure that’s the threat to your password. I did some math. If your password is 40 digits with upper and lower case with numeric and special characters, how long would it take for the fastest supercomputer on Earth, in fact using multiple supercomputers, to hack it, assuming that the password app requires 1 millisecond to respond? The answer is 10 to the 65th power in years, so this is way larger than the age of the universe, meaning it is not a threat.

Now let’s change this to the same rule, but with an 8-character password, and the answer is an attacker with a single machine, hundreds of thousands of years. An attacker with 1,000 machines in parallel, 100 to 200 years. An attacker with 100,000 machines, 1 to 2 years. So even just using the typical password format is pretty good. But let me shock you here. Again, doing some math, what about a 15-character password alphabetical only, upper, lower, and random? The important part here is random. The solution is uncrackable. This alone should stop you cold with this realization.

A simple password with 15 letters is already uncrackable using brute force, but this doesn’t assume real words. I said random letters, so that’s still pretty complex. Rate limits In the examples I gave earlier, and this is important to understand here, I assigned a time to enter each password at 1 millisecond per try. This is completely unrealistic in real life online. In the majority of password entry methods, including personal computers, there is always some delay built into password entry. Sometimes several seconds after multiple attempts fail, which is thousands of times slower than the 1 millisecond I used to compute the examples I just gave.

So depending on where you’re entering the password, the rate limit or the number of attempts per window of time may not allow brute force attacks at all. Attempts limit This applies to internet platforms, phones, and computers, and this is the attempts limit. After you’ve tried some number of times, like 10, then the machine will lock up and not allow password entry for a day, or in some cases, forever. Most of the big platforms and all the best-made sites have some attempts limit rate, like 10 tries per day. Two-factor authentication An even more severe slowdown now is that many platforms require a two-factor authentication, like text or email, to even log in.

Without even considering the issue of a successful password entry, this alone will make someone reconsider doing a brute force attack. They will also send a notice if a new login is detected from a new machine, which is also a warning flag to you if someone is trying to perform a hack. Who are subject to brute force? I’m just going to state it as bluntly as I can. It may not be apparent to some of you, but you are not that important. Bottom line, normal people are never brute forced. Nation states might try on billionaires, but even they usually go another route.

Because complex passwords are time-consuming to enter and subject to mistakes, they are often reused a lot, and that introduces the real risk. Have I Been Pwned? The real massive source of hacks is demonstrated by the website haveibenpwned.com, which I will just abbreviate to hibp. hibp tracks all the hack databases and lists you if your email has been included in a breach. This is the clue that someone may have acquired your password. You should go to this site, and if you’re the average person, type in your well-known email and see if your email is compromised.

I will bet that there’s a 90% chance you will be on that list. So, what’s happening here? In the news, you’ll hear that 23andMe, Google, Ticketmaster, Facebook, Twitter, Equifax, and LinkedIn have been hacked. This just goes on and on and will likely keep happening for the foreseeable future. This is important. This is the major way your credentials are acquired, not by brute force. So, when a platform gets hacked, the typical response of that company is to offer you identity protection via LifeLock and you think it’s good. This is the biggest BS of the century.

Unfortunately, after the hack happens, identity protection is the least of your worries. The issue is less about the complexity of passwords, which is really not that big of a concern in most platforms with rate limiting, attempt limiting, and 2FA. The issue is password reuse, not brute force. Yes, folks, there’s the hacking vector password reuse. The result is a data pair, which is email plus password. So, knowing this, it’s a simple matter to make one attempt at all platforms to see if the login works. But the hackers will typically attempt to break into your email first, since this will give them a way to handle two-factor authentication.

Again, this is one attempt, not brute force. There are a couple of lessons to be learned here. The email and password is a pair. Passwords by themselves are not important if you don’t know what the email is. So, some email providers, like our Braxmel product, have some unique capabilities here, since it can do unlimited aliases. This breaks the password reuse problem, since you can use a different email address for every platform. Lesson number two here is that if you reuse a password, then if that platform is hacked, then you will potentially have multiple accounts hacked.

We need to learn how to compartmentalize this risk. Phishing. Phishing, which has that weird spelling, is the attack used by hackers to acquire your password directly, typically by social engineering. Meaning they will trick you in thinking that some link is valid and it’s from the original platform, and then you enter a password, which is then captured. I will teach you some common sense rules to not be vulnerable to this. Eighty to ninety percent of these attacks will come from email and SMS. So, if you respond to email and click links directly from emails or an SMS message, then you will likely get phished and your password acquired.

If you don’t do password reuse, then that single site you logged into will be hacked. If you reuse passwords, then it will be a bigger problem. So, password reuse expands the risks. But really, this is common sense in the internet. If a bank sends you a notice, go directly to the bank site and log in to see if the notice is valid. Don’t click on any email that is unsolicited. Obviously, if you triggered an email from a website like to log in, that’s fine because you initiated it. But unsolicited messages with links is a phishing attack.

How much of my email is a phishing attack? Some days it seems like 25% of my emails, in my case, is an attack. So, never, ever, ever put information in on any site you access via a link from an email or a text. At most, consider it read-only, and even I won’t do that. Spear phishing. Spear phishing is a more targeted attack and is directed towards a single person instead of a broad hacking attempt. Using stolen personal data from the Equifax hack, for example, someone could trick you into thinking they know everything about you and then trick you into revealing PIN codes on ATM cards, for example.

This kind of attack is typically more personal and is done through phone calls. It reminds me of the old scam where they call you and say they’re from Microsoft tech support and they need to access your computer. For goodness sake, in this day and age, learn to hang up. Now that you understand where the attacks actually come from, we can come up with a password strategy. As demonstrated here, password complexity isn’t particularly relevant. You do have to make a unique password so that the common password 123 type choices are removed. However, since most platforms are limited to 10 tries plus 2FA, there really isn’t much of a brute force risk with any online platform.

So complexity doesn’t help. Instead, focus on no reuse as the goal. Now, this is a very difficult goal as no reuse introduces the problem of not being able to remember a password for multiple sites. So I will introduce two password types, one for use with low security sites and one for high security sites and offline use. I’m going to start with the most secure version and then end with the one that’s the most convenient, which is made for lower level security sites. This is extremely important. You must start fresh. You must assume that you’re already in the HIV P list and that you were already hacked in the past.

So you must not ever reuse passwords you’ve used in the past. This is a requirement in any of the solutions I’m going to offer. If you already used this password before today, then this will all fail. The most secure password is actually not made up of extremely difficult to type special characters. The easiest way is to string up six random words. You can segregate the words with a space or separate them with a special character, up to you. Whatever, it’s easier for you to type. Here’s an example. This one is 32 characters. Certain things you will discover here is that this kind of formatted password is long.

It is usually between 28 to 35 characters. And again, you cannot reuse this. It’s used for one platform. These kinds of high security passwords are best for banks, offline use like password and zip files, Wi-Fi, WPA2 passwords, email credentials. Although these passwords are easy to read and type, they cannot be remembered if you use many of them. So you must use a password manager to store your passwords. But I wouldn’t use these types of passwords often, just for high security purposes. I caution you though not to use this format for everything, since many sites have a password length limit and these can get quite long, so it will not work everywhere.

Because these are not reused at all, they are good for mitigating a phishing attack. This is important. You must use this kind of password for an email and it must never be reused. Email is the number one target. Limited reuse. I want to create a distinction here. For the hundreds of sites that are not a financial risk, where there is no stored credit card, then the high security method of a non-reused password is inconvenient and overkill. This is because these platforms like Reddit, X, TikTok, Netflix, Prime Video and so on, are so frequently visited and you have to re-enter your password over and over.

I would group low risk sites into three categories. Bucket A, social media, Bucket B, streaming and gaming, Bucket C, shopping and random sites. And for each of these groups, I would reuse a four random word password that you’ve never used before, 20 to 28 characters each, short enough to type fast, but strong enough to not be broken online. Example. Yes, we’re doing a reuse here, but by breaking this into smaller groups, then the risk of a hack via HIV-P is reduced. Compartmentalization, as shown here, reduces the risk of a cascade attack.

A breach in a streaming site does not affect shopping sites or your social media sites. Quick note, if you’re finding this useful and want more no BS privacy tips like this every week, hit that subscribe button and the bell. Check out our other products and services on Braxme at the end of the video. Now let’s talk about phone unlock and the future with pass keys. Phone unlock. To unlock your phone, what is the best method? Typically, we choose between pin, pattern, fingerprint or face ID. The best way, which cannot be observed by others, is the fingerprint method.

Pin and pattern may be discovered by others watching you use your phone. Fingerprint method does not record fingerprints, so if this is your fear, forget that. It does not photograph your fingerprint. It is safe. Face ID is less safe because it’s actually based on the shape of your face and those values can be potentially retrieved and used outside of the phone. The main problem with biometrics is that someone may compel you to use biometrics, which does not have the same level of protection under the Fourth Amendment as pin or pattern.

So possibly turn off the fingerprint method when traveling. Pass keys. As an alternative to passwords plus two-factor authentication, many sites now offer support for pass keys. This is actually fine as pass keys are managed via an exchange of certificates and there is no exchange of biometrics as most people assume. In my experience, though, it is potentially possible to lose pass keys if you change computers or your computer breaks in some way. This is the problem with software-based TOTP authenticators similar to Google Authenticator. Again, these keys are tied to a device, so if you lose the device, reset the OS or simply forget, then you lose the keys.

So I actually prefer using a hardware-based key like a UB key. This has been more flawless in my opinion. Final thoughts. That’s it. Password complexity is a lie. This is your five-minute action plan. Do this today. Here’s what actually keeps you safe in 2026 and beyond. Right now, go to HaveIbinPwn.com and check your main emails. Today, change your email banking and Apple Google passwords to brand-new six-word pass phrases you’ve never used before. Add a UB key or pass key. This week, create three fresh three-word pass phrases and assign them to your buckets, social media, streaming and gaming, shopping and random sites.

Reuse inside each bucket only. From now on, never click login links from email or text. Type the site yourself or use a bookmark. Do those four things and you instantly become harder to hack than 99% of people on Earth without living in a password manager and without typing 40-character nonsense every day. Start fresh today. Hey, if you’re serious about privacy, come join us at Braxme. This is a growing community where real privacy people hang out. No censorship, no nonsense. While you’re there, check out the tools we actually built and use ourselves.

Braxmail, unlimited aliases, no IP leaks. Brax Virtual Phone, real anonymous numbers. Bites VPN, no logs, no BigCorp BS. The Google phones and more in the store. The Brax 3 phone second batch is open for pre-order right now at Braxtech.net. First batch sold out shortly after release. Big thanks to everyone supporting us on Patreon, locals and YouTube membership. You keep this channel alive. See you next time. [tr:trw].

See more of Rob Braxman Tech on their Public Channel and the MPN Rob Braxman Tech channel.