Look, I get it. You're a busy professional. You've got patients to see, charts to update, and somehow you're supposed to remember that your banking password can't be the same as your Netflix password, which also can't be your email password, which definitely shouldn't be Fluffy2019!
As someone who spends half their time looking at teeth and the other half breaking into systems (legally, I promise), I've seen enough password disasters to fill a waiting room. So let's talk about password hygiene — because just like your teeth, your passwords need regular attention, proper care, and absolutely should not be ignored until something goes catastrophically wrong.
THE DENTAL PARALLEL
Think of an 8-character simple password like brushing your teeth once a week with water only. Sure, something is happening, but you're setting yourself up for disaster. A strong password with letters, numbers, and symbols? That's the oral hygiene equivalent of brushing twice daily, flossing, and regular check-ups.
What Does "Pwned" Even Mean?
If you've ever been told to check "Have I Been Pwned" and thought someone was having a stroke while typing, you're not alone.
A BRIEF HISTORY OF "PWNED"
The word "pwned" (pronounced "poned" or "owned") originated from a typo in the 1990s video game Warcraft. When a computer opponent defeated a player, the game was supposed to display "has been owned" — but a map designer accidentally typed "pwned" instead.
The 'P' and 'O' keys sit right next to each other on your keyboard. Go ahead, look. The typo stuck, spread through gaming culture, and now it's the official term for getting digitally dominated.
In cybersecurity terms, being "pwned" means your data — email, password, personal information — has been exposed in a data breach. And if you've been online for more than five minutes, there's a solid chance you've been pwned at least once.
Enter Troy Hunt: The Hero We Didn't Know We Needed
In December 2013, an Australian web security consultant named Troy Hunt created Have I Been Pwned (HIBP) as a free tool to help people check if their data had been compromised.
The main catalyst? The massive Adobe breach that exposed 153 million user accounts. Hunt discovered his own email in the breach and thought, "There has to be a better way."
BEAUTIFUL IRONY
In March 2025, Troy Hunt himself got phished. The creator of the world's most famous breach database clicked a fake Mailchimp link when tired and jet-lagged. He immediately published the incident on his own website. That's the level of honesty we need in cybersecurity — and proof that even experts aren't immune.
In 2018, Gizmodo named HIBP one of the "100 Websites That Shaped the Internet" alongside Google, Wikipedia, and Amazon. Not bad for a weekend project that "got out of control."
The Password Hall of Shame
Every year, security researchers analyse billions of leaked passwords to see what people are actually using. The results are... concerning:
THE SOBERING STATISTICS
- 78% of the world's most common passwords can be cracked in under one second
- 142.3 million people had at least one password exposed in 2024
- 80% of data breaches involve weak or stolen credentials
- The average person now has ~170 passwords to remember (up from 100 in 2020)
How Fast Can Your Password Be Cracked?
I demonstrate this to clients all the time, and it never fails to turn faces pale. Here's how long it takes modern hardware (RTX 4090 GPUs) to brute-force your password:
| PASSWORD TYPE | 8 CHARS | 12 CHARS | 16 CHARS |
|---|---|---|---|
| Numbers only | 37 seconds | 6 minutes | 1 day |
| Lowercase letters | 22 seconds | 3 weeks | 350B years |
| Mixed case letters | 24 minutes | 289 years | 2T years |
| Letters + numbers + symbols | 7 years | 3,000 years | 19 quintillion years |
That's right — adding just 4 extra characters to your password can take you from "cracked before you finish your coffee" to "heat death of the universe."
How to Check If You've Been Pwned
Right, let's get practical. Here's how to find out if your credentials are floating around the dark web like lost X-rays:
Go to haveibeenpwned.com
This is Troy Hunt's official site. It's free, trusted by governments worldwide, and won't steal your data.
Enter your email address
The site will tell you which breaches your email appeared in, what data was exposed, and when the breach happened.
Check your passwords too
Go to haveibeenpwned.com/Passwords and enter any password. The site uses clever cryptography (k-anonymity) so your actual password is never transmitted.
Sign up for notifications
Get automatic alerts if you appear in future breaches. Think of it as a recall notice for your digital identity.
🔍 CHECK YOUR EXPOSURE RIGHT NOW
Seriously. It takes 30 seconds and might save you months of headaches.
WHAT TO DO IF YOU'VE BEEN PWNED
1. Don't panic — Most people have been in at least one breach. It's not a reflection of your character.
2. Change the compromised password immediately — And any other accounts using the same password.
3. Enable Two-Factor Authentication (2FA) — Even if someone has your password, they need your phone too.
4. Consider a password manager — Let software remember 170+ unique passwords so you don't have to.
5. Monitor financial accounts — If payment details were exposed, watch for suspicious charges.
The Password Prescription
As your friendly neighbourhood dentist-slash-hacker, here's my prescription for healthy password hygiene:
Length Over Complexity
correcthorsebatterystaple is actually more secure than P@ssw0rd!
A 25-character phrase of random words takes millions of years to crack. Think passphrases, not passwords.
Unique Passwords for Every Account
When one site gets breached, attackers immediately try those credentials everywhere else. It's called credential stuffing, and it works because 65% of people reuse passwords.
Use a Password Manager
Tools like 1Password, Bitwarden, or Dashlane generate and store unique, complex passwords. You only remember one master password.
Enable 2FA Everywhere
Two-Factor Authentication means entering a code from your phone after your password. Use an authenticator app rather than SMS when possible.
Check HIBP Regularly
Make it a quarterly habit, like dental check-ups. Your digital health is worth 10 minutes every few months.
WHY THIS MATTERS FOR HEALTHCARE PRACTICES
If you're running a medical or dental practice in South Africa, password security isn't just about protecting yourself — it's about protecting your patients.
Healthcare data is incredibly valuable on the black market. A stolen credit card might fetch R30 on the dark web, but a complete medical record can go for R1,500+.
Under POPIA, you're legally obligated to implement "appropriate, reasonable technical and organisational measures" to protect personal information. Using admin123 doesn't quite meet that standard.
FINAL DENTAL WISDOM
I tell my patients: you can brush your teeth for two minutes twice a day, or you can spend hours in my chair getting root canals.
Password hygiene works the same way. Spend a little time now setting up a password manager and unique passwords, or spend a lot of time later dealing with stolen identities, locked accounts, and explaining to patients why their data is for sale on Telegram.
Your call. But I know which option I'd choose. 🦷🔐