How I Stopped Reusing Passwords Across 80 Accounts
For about six years, I had one password. Not one strong, unbreakable password — I mean one embarrassingly simple string that I typed into everything from my bank to my old college pizza delivery account. The password was Sunny2016!. The name of a dog I'd never owned. A number I picked because it sounded like a year someone important was born. An exclamation mark because the site told me I needed one.
I am not proud of this.
What finally broke me wasn't a catastrophic hack. It was something stupider. I tried to log into an old freelance platform I hadn't touched since 2019, and the site had been breached. I got an email from HaveIBeenPwned. My email address had shown up in a data dump alongside 4.2 million others. And because I'd used Sunny2016! everywhere — everywhere — I spent the next three evenings frantically resetting accounts I'd completely forgotten I had.
That's when I started counting. I exported my browser's saved logins, checked my email for "Welcome to" messages, scrolled back through years of account creation receipts. The final number: 83 accounts. Eighty-three places where some version of Sunny2016! lived, or its close cousins — Sunny2016, Sunny2017!, sunny2016!. A criminal's buffet.
The Problem With "I'll Just Be Clever About It"
Before I surrendered to a proper system, I tried what I suspect a lot of people try: the "smart variation" method. My theory was that if I tailored each password slightly — adding the first two letters of the site name, maybe — it would be "unique enough." So my Reddit password became ReSunny2016! and my Netflix became NeSunny2016!.
I actually felt clever about this for a while. Then I read a 2021 paper where researchers demonstrated that these patterns are trivially predictable once a single credential is exposed. If a breach reveals ReSunny2016! and an attacker knows it came from Reddit, guessing your Netflix password is nearly automated. The cleverness was entirely imaginary.
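To see how much of your own exported login list collapses to one base password, here is an added example (not part of the original post) that groups accounts by a normalised stem. The column layout, the sample rows, and the function names are assumptions made for the illustration.

```python
import csv
import io
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample rows in a name,url,username,password layout (assumed); not real data.
SAMPLE_EXPORT = """name,url,username,password
Reddit,https://www.reddit.com/login,me@example.com,ReSunny2016!
Netflix,https://www.netflix.com/login,me@example.com,NeSunny2016!
Bank,https://bank.example/login,me@example.com,Sunny2016!
Forum,https://forum.example/,me@example.com,sunny2017
Mail,https://mail.example/,me@example.com,Xq9#mKv2$LpR
"""

def site_label(url):
    """First host label after an optional 'www.', e.g. 'reddit' for www.reddit.com."""
    parts = (urlparse(url).hostname or "").lower().split(".")
    if parts and parts[0] == "www":
        parts = parts[1:]
    return parts[0] if parts else ""

def base_form(password, url):
    """Heuristic stem: ignore case, a two-letter site prefix, trailing digits/symbols."""
    p = password.lower()
    label = site_label(url)
    if label and len(p) > 2 and p.startswith(label[:2]):
        p = p[2:]
    stem = re.sub(r"[\W\d_]+$", "", p)
    return stem or p  # keep all-digit/symbol passwords distinguishable

def find_reuse(csv_text):
    """Return clusters of account names whose passwords share one stem."""
    clusters = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        clusters[base_form(row["password"], row["url"])].append(row["name"])
    # Report account names only, so the audit output never repeats password material.
    return sorted(sorted(names) for names in clusters.values() if len(names) > 1)

if __name__ == "__main__":
    for group in find_reuse(SAMPLE_EXPORT):
        print(f"{len(group)} accounts share one base password: {', '.join(group)}")
```

The prefix rule is a heuristic and can over-match a password that happens to start with the site's first two letters, so treat a cluster as a prompt to rotate those accounts rather than as proof.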
Around this time I started playing with online random password generators — initially just out of curiosity. I'd seen them before but always dismissed them. Who wants a password that looks like someone sneezed on a keyboard? But when I actually tried typing Xq9#mKv2$LpR into a password field, something clicked. Nobody is ever going to guess that. No credential-stuffing bot is going to match that to any other account I have. This string exists nowhere in human language or memory. It is, essentially, proof that I've given up trying to be clever and have simply asked entropy to do its job.
The Tool That Actually Changed My Behavior
I started with free online password generators. There are dozens — some simple sliders where you pick length and toggle symbols on and off, others more sophisticated with options to exclude ambiguous characters (goodbye, capital O and zero living side by side in the same string). The ones I kept coming back to had a few qualities in common: they generated on-device rather than server-side (I got paranoid about this after reading too much), they let me set length to at least 20 characters, and they didn't make me feel like I was filling out a government form just to get a password.
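The qualities listed above (local generation, 20 or more characters, no look-alike characters) fit in a short script. This is an added example, not code from any of the generators mentioned; the symbol set and the exact list of ambiguous characters are assumptions.

```python
import math
import secrets
import string

AMBIGUOUS = set("O0oIl1")      # look-alike characters to leave out (assumed list)
SYMBOLS = "!#$%&*+-=?@^_"      # assumed symbol set; adjust to what a site accepts

def build_classes(exclude_ambiguous=True):
    """Character classes the password draws from, optionally minus look-alikes."""
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits, SYMBOLS]
    if exclude_ambiguous:
        classes = ["".join(c for c in cls if c not in AMBIGUOUS) for cls in classes]
    return classes

def generate_password(length=20, exclude_ambiguous=True):
    """Generate locally with the OS CSPRNG; nothing leaves the machine."""
    classes = build_classes(exclude_ambiguous)
    if length < len(classes):
        raise ValueError("length too short to include every character class")
    alphabet = "".join(classes)
    while True:
        # secrets.choice draws from the operating system's secure random source.
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        # Rejection sampling: retry until every class appears, without biasing
        # character positions the way "append one symbol at the end" would.
        if all(any(ch in cls for ch in candidate) for cls in classes):
            return candidate

def entropy_bits(length, exclude_ambiguous=True):
    """Upper bound on entropy: length * log2(alphabet size)."""
    alphabet_size = sum(len(cls) for cls in build_classes(exclude_ambiguous))
    return length * math.log2(alphabet_size)

if __name__ == "__main__":
    print(generate_password())
    print(f"about {entropy_bits(20):.0f} bits for 20 characters")
```

Dropping the look-alike characters shrinks the alphabet from 75 to 69 symbols, which costs only about 2.4 bits at 20 characters.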
A smaller thing that surprised me: some of these tools also offered name generators and decision generators in the same UI. The name generators I initially ignored, but then my sister was naming her cat and we spent twenty minutes arguing, so I dropped it into a fantasy name generator and landed on "Morrigan," which is now the cat's actual name. The decision generators — basically digital coin flips with more drama — turned out weirdly useful when I genuinely couldn't decide whether to cancel a subscription. I spun the wheel. It said cancel. I cancelled. I don't miss it.
But back to passwords. The generator was only half the solution, and the easier half.
The Part Everyone Avoids: Actually Storing These Things
Generated passwords are useless if you can't retrieve them. This is where most people I've talked to stall out. A 20-character random string is not something a human brain retains. You generate it, you use it once, and unless something catches it, it's gone and you're back to resetting your account through email.
I tried three approaches before finding one that stuck:
A text file on my desktop. This lasted eleven days. I accidentally emailed it to a colleague while grabbing the wrong attachment. The file wasn't labeled anything sensitive, but still. Never again.
A spreadsheet locked with a password. This worked reasonably well for a few months, but the password protecting the spreadsheet was — you already know — Sunny2016!. Also, updating it was friction-heavy enough that I started skipping entries. Within six months the spreadsheet was 40% out of date.
A dedicated password manager. This is where I landed and where I've stayed. I use Bitwarden because it's open-source, audited, and the free tier covers everything I actually need. The key shift in thinking was this: I went from needing to remember 83 passwords to needing to remember exactly one — the master password for Bitwarden itself. That single password I made genuinely strong using a passphrase method: four random uncommon words strung together, something like velvet-gravel-nomad-fuse, which is long, pronounceable, not in any dictionary as a phrase, and memorable because I made a weird mental image of a velvet gravel road with a nomad holding a fuse.
Bitwarden has a built-in password generator too, so I stopped even going to external sites. I generate directly in the vault and it saves automatically. The browser extension autofills. The whole process — generate, save, autofill — takes about four seconds.
The 80-Account Conversion Project
Getting from my old chaos to a clean vault took about two weeks of intermittent effort. My method: every time I logged into any site, I changed the password immediately. I didn't try to do all 83 at once. That's how these projects die — you sit down to "fix your passwords" for three hours, you make it through 12 accounts, you're exhausted, and you never return.
Instead, the rule was: log in organically, change the password, move on. Within two weeks, I'd touched maybe 30 accounts just through normal usage. After that, I went through the remaining ones systematically, starting with the highest-stakes (banking, email, anything with a stored card), then working down to things like my account on a forum I joined in 2014 to ask one question about a broken espresso machine.
Some accounts I just deleted. That was its own satisfaction.
What's Different Now
It has been about fourteen months since I finished the migration. A few things I didn't expect:
I feel less anxious about breach notifications. When I get a HaveIBeenPwned alert now, I know the damage is contained to exactly one account. The attacker got one unique random string that works nowhere else. I change the password on that one site and move on. Previously, a single breach email would send me into a two-hour remediation spiral.
I've also become the person in my friend group who gets asked about this stuff. My friend Rajesh kept saying he knew he should fix his passwords but didn't know where to start. I told him: pick one random password generator, generate something 18+ characters, put it in a free password manager, and change your email and bank passwords first. Just those two. Everything else can follow at its own pace. He did it in one evening. This doesn't have to be a massive project.
The random generators specifically — whether for passwords, names, or just decisions when you're stuck — share something philosophically in common: they remove the cognitive load of choice from a brain that was never designed to generate good randomness anyway. Humans are terrible at being random. We default to patterns. Our "random" passwords are predictable. Our "random" decisions are biased by whatever we thought about last. Handing those tasks to a tool designed specifically for unpredictability isn't laziness. It's using the right instrument for the job.
Sunny2016! is gone. I don't know what replaced it on any of my 83 accounts, because the manager knows and I don't need to. That's exactly the point.