Passwords used for security trace back to the Romans, who used watchwords to tell friend from foe. The digital password, though, is older than you might think: it was created in 1961 by MIT computer science professor Fernando Corbató. It wasn't a security feature at the time so much as a time-sharing one, but that was the seed that grew into the privacy-protecting digital passwords we use for everything today.
It's nearly 65 years since its inception, but the humble computer password isn't quite ready for retirement. In that time, we've gone from simple passwords to ones with special characters, to passkeys that remove the need for a typed password, and to passphrases that are easier to remember because they're a string of ordinary words.
Along the way, tons of advice has been given about what should and shouldn't go into your password. Some of it still rings true today, but other pieces have become mythology, followed without anyone knowing why they were suggested. Many of these myths are simply a product of an earlier age and have no bearing on today's security landscape. Let's put a few of those famous fairytales about password strength to rest.
10 Special characters and numbers are needed
They don't magically make your password harder to guess by a computer program
The use of numbers and special characters in passwords is more a psychological thing than a security thing. Passw0rd!@ looks more secure than Password, and that makes people feel a little better about their choice. Without a list of required elements, it's human nature to drift toward shorter passwords, which is how we end up with 123456 or asdfgh among the most common ones.
The other issue is that your password goes into a database for storage, and many companies handle their inputs badly. This is why most give you a few choices of special characters rather than every one on your keyboard: the characters that aren't allowed tend to be the ones that break poorly written database queries, and in the worst case can be abused to make the database spill its secrets (injection). A properly built service hashes the password before it ever touches the database and never splices it into a query, so it has no reason to limit the characters it accepts.
9 Complex passwords are better
Length, not breadth, is far more important
When choosing a new password, it's tempting to think a more complex one will be stronger than a simpler but longer one. It isn't, because modern cracking programs can chew through complexity in no time at all. Many services require a minimum of only eight characters, and an eight-character password can be cracked in less than 3 hours even if it contains numbers, upper and lower case letters, and symbols.
But increase the length to 13 characters while keeping the same mix of complexity, and it now takes 3 million years. With 15 characters, you need only upper and lower case letters to reach 2 million years. Complexity is handy, but the length of a password is far more powerful.
RaceDrabCorridorUndertakeVotingStrongboxFlagstoneFlintRenditionRouting is stronger than summer2022!
Let's take some examples. RaceDrabCorridorUndertakeVotingStrongboxFlagstoneFlintRenditionRouting is far stronger than summer2022!, not because it's more complex, but because it's much longer, even though it uses only letters and no special characters. Use a sentence if you can remember it, or let your password manager generate one, because that's what it's for.
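To make the length-versus-complexity argument concrete, here is an added illustration (not from the original article) that computes the entropy of a password under the model that generated it. The guess rate and the word-list size are assumptions, so the crack times are rough, and the word+year+symbol model for summer2022! is one plausible attacker pattern rather than a measured figure.

```python
"""Entropy of a password under a given generation model, added to
illustrate the length-versus-complexity argument in the article.
Crack times use an ASSUMED offline guess rate; they are not the
article's figures, which depend on hardware and hash choice."""
import math

# Character-class sizes for randomly generated ASCII printable passwords.
CLASSES = {"lower": 26, "upper": 26, "digits": 10, "symbols": 33}
DICEWARE_WORDS = 7776           # assumption: a standard 6^5-entry word list
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def random_password_bits(length, classes):
    """Entropy (bits) of a uniformly random password drawn from the given classes."""
    alphabet = sum(CLASSES[c] for c in classes)
    return length * math.log2(alphabet)


def passphrase_bits(words, wordlist_size=DICEWARE_WORDS):
    """Entropy of `words` words chosen uniformly at random from a word list."""
    return words * math.log2(wordlist_size)


def pattern_bits(dictionary_size, years, symbols):
    """Entropy of a 'word + year + symbol' password such as summer2022!:
    an attacker enumerates the pattern, not the whole printable alphabet."""
    return math.log2(dictionary_size * years * symbols)


def years_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try every candidate at the given guess rate."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    rate = 1e11  # assumption: offline attack against a fast, unsalted hash
    cases = {
        "8 chars, all classes": random_password_bits(8, CLASSES),
        "13 chars, all classes": random_password_bits(13, CLASSES),
        "15 chars, letters only": random_password_bits(15, ["lower", "upper"]),
        "summer2022! counted as 11 random chars": random_password_bits(11, CLASSES),
        "summer2022! as word+year+symbol": pattern_bits(20000, 130, 33),
        "10-word random passphrase": passphrase_bits(10),
    }
    for name, bits in cases.items():
        print(f"{name:40s} {bits:6.1f} bits  ~{years_to_exhaust(bits, rate):.3g} years")
```

Note how 13 mixed characters and 15 letters-only land within a fraction of a bit of each other, which is why the article quotes millions of years for both, while summer2022! looks strong only if you pretend it was generated at random.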
8 Passwords should be easy to remember
Perhaps, but that doesn't mean they should be short either
Trying to manage your digital credentials by remembering them all isn't going to work unless you're Rain Man. Seriously, it's like trying to memorize the phone book, and you're better off not trying. Use a password manager that stores them for you, and for the ones you do have to remember, like the master password for that password manager, use a passphrase of at least 20 characters so it's hard to brute force.
It goes without saying, but I'll say it anyway: don't use your password manager's master password anywhere else. You wouldn't leave your house or car keys lying around; don't do the same thing with your digital keys.
7 Passwords should be reset often
Blame the government password requirements for this one
The National Institute of Standards and Technology (NIST) has a lengthy document about password best practices that is updated periodically as the security landscape changes. That document is directly responsible for many of the myths here, because at the time its advice was thought to be the best way to stay safe. But standards evolve, as do security practices, and you no longer have to reset your password on a schedule to stay safe.
This advice goes back to when users only had a few passwords to worry about, and forced resets were thought to keep you safer by limiting breaches, preventing long-term access if someone did hack or phish your password, and limiting the reach of keystroke loggers. But it's another relic that can be safely retired, as the best practice now is a unique password for every account, so that if one service is breached, only that one account is compromised and you can change its password easily.
6 You don't need MFA or 2FA
Even with a strong password, layered security is always the right answer
Even a unique, long password sometimes gets breached. Sometimes attackers steal the session cookie your browser received at login and use it to get into the account without needing the password at all. Whatever the weakness, a determined attacker will find it unless you've got more layers of security. Multi-Factor Authentication (MFA) or Two-Factor Authentication (2FA) is one of those layers, and you should use an authenticator app for it, not SMS.
That's because phone SIMs are all too easy to hijack (SIM swapping), after which the SMS codes are delivered to the attacker instead of you. Unless the attacker has your phone and has it unlocked, 2FA apps give your accounts a much better chance of not being taken over.
5 Sharing passwords with trusted people is okay
A secret is no secret at all if more than one person knows it
There will be situations where you'll want to share a password with friends or family, but it's a bad idea. More than one person knowing your password is one too many, and you don't know how many devices that person has signed in on and forgotten to log out of. If you want to share your home Wi-Fi, set up a guest network instead, share the password for that, and change it once your guests are gone. The fewer devices logged in to your Wi-Fi, the better. Don't share Netflix or other streaming passwords either, or your account might get blocked by the service provider.
4 Reusing passwords is okay
You should have unique, long passwords for every service you sign into
Eww, no, no, no. This one belongs in the distant past and should stay there. Every account you have should have a unique, long, hard-to-guess password, securely stored in a password manager. Reusing a password between accounts means a single breach can hand an attacker all of them. What's worse is that most people know better, but reuse passwords anyway because it's easier.
3 You don't need a password manager
Umm, yes, you do, and you should be using it for everything
If using long, unique passwords is the best line of defense against hackers, and MFA or 2FA is the second, a password manager is the third. The best ones generate passwords for you, save them automatically, and fill them into the website or app the next time you visit. You need a password manager because, unless you want your desk covered in Post-its, the 100 or so passwords you have need to be saved somewhere. And that's the average; heavy internet users and coders have multiples of that number to contend with. Get a password manager, preferably not the one that comes with your web browser, and use it every time.
2 Writing down passwords is insecure
It's better than using insecure passwords for every account
So, the classic advice about never writing down your passwords is wrong. I don't mean you should have your password on a Post-it note stuck to your monitor (we've all been there), but writing them down in a notebook that's locked in your desk is no different from having a digital password manager with everything encrypted.
Some security is better than none, and some people won't use a password manager for various reasons. But they'll often use a notebook and pen, and keeping passwords recorded in a secure place is the whole point of a password manager. A couple of conditions apply, though: your written-down passwords should still be at least 16 characters, or better still, passphrases you could remember if you tried. And the notebook needs to be locked up when not in use, which makes it something of a burden to use, but is necessary.
1 Hacking your password is hard
With how many password breaches there are yearly, assume everything is compromised
The science of password cracking is very well understood at this point, and even modest computer hardware can churn through attacks like brute force, rainbow tables, credential stuffing, and other ways of getting into online accounts. That's helped by the terabytes of leaked credentials floating around the internet, collected over many years. If you think your unique password is actually unique, there's a good chance it's not, and that it's already in one of those collated breach files.
It's not hard to download a bot and set it up to try attacking online accounts. I see this all the time in my passwordless Microsoft account logs, where old credentials are tried around every 30 minutes. It's not enough to notify me or lock the account, but sometimes it asks if I'm trying to sign in, or sends an email with a one-time password for a single device. It's largely automated and takes no effort once it's set up. The hacking attempts you see in popular media are a gross misrepresentation of how much effort it takes or how exciting hacking is, because most of the time it's tedious.
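The point above that your "unique" password may already sit in a collated breach file can be checked without ever sending the password anywhere. This added example (not from the original article) shows the k-anonymity scheme used by the Pwned Passwords API, where only the first five hex characters of the password's SHA-1 hash leave your machine; the breach corpus and its range response here are constructed so the code runs offline, and the real lookup would fetch https://api.pwnedpasswords.com/range/<prefix> over HTTPS instead.

```python
"""Breach-corpus lookup with k-anonymity, added as an illustration.
Only the 5-hex-char SHA-1 prefix is sent; the server returns every
suffix in that bucket and the client does the match locally."""
import hashlib

# CONSTRUCTED stand-in for a breach corpus: password -> times seen in leaks.
# These are sample values for the example, not real breach counts.
FAKE_LEAK_CORPUS = {"123456": 37_000_000, "asdfgh": 260_000, "summer2022!": 3}


def sha1_hex_upper(password: str) -> str:
    """Uppercase hex SHA-1, the format the Pwned Passwords range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_k_anonymity(password: str):
    """Return (prefix, suffix); only the 5-char prefix is ever transmitted."""
    digest = sha1_hex_upper(password)
    return digest[:5], digest[5:]


def fake_range_lookup(prefix: str) -> str:
    """Simulated server side: 'SUFFIX:COUNT' lines for hashes in this bucket.
    A real client would GET https://api.pwnedpasswords.com/range/{prefix}."""
    lines = []
    for pw, count in FAKE_LEAK_CORPUS.items():
        digest = sha1_hex_upper(pw)
        if digest[:5] == prefix:
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)


def breach_count(suffix: str, range_body: str) -> int:
    """Parse a range response and return the count for our suffix (0 if absent)."""
    for line in range_body.splitlines():
        found_suffix, _, count = line.strip().partition(":")
        if found_suffix == suffix:
            return int(count)
    return 0


def is_pwned(password: str, lookup=fake_range_lookup) -> int:
    """Number of times the password appears in the corpus, without revealing it."""
    prefix, suffix = split_for_k_anonymity(password)
    return breach_count(suffix, lookup(prefix))


if __name__ == "__main__":
    for candidate in ("123456", "summer2022!", "RaceDrabCorridorUndertakeVoting"):
        print(f"{candidate!r}: seen {is_pwned(candidate)} times")
```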
Until a good solution for replacing passwords appears, it's time to stop believing these security myths
We get it. Password management overload is a real thing, and with around 100 passwords on average to deal with, it's a chore. Using an automated password manager to save, store, and autofill them is the easiest way to keep your long, unique passwords safe, and the best password managers will also store notes, card details, and other information, all encrypted so that nobody but you can see it. You can even use them to share passwords with trusted friends without showing them the actual password, which is fantastic for keeping your accounts safe.
