The Washington PostDemocracy Dies in Darkness

Everything you’ve been told about passwords is a lie

Taking just one of these steps can improve your online security. But the real goal is killing passwords.

A person sword fights with an asterisk.
(Elena Lacey/The Washington Post; iStock)

This article is a preview of The Tech Friend newsletter. Sign up here to get it in your inbox every Tuesday and Friday.

The whole system of online passwords is dumb and unsafe.

Demanding that you create a unique, complicated password on hundreds of digital accounts is error-prone and annoying. Most of the advice you hear about passwords — including from technology journalists like me — is unrealistic, scolding and sometimes outdated.

I have tips for upgrading your password practices, including if you’re dealing with a recent breach of a password vault called LastPass. I know that tending to your online security is a hassle. But if you make one small improvement, you can declare victory.

I also want you to have this long-term mission in mind: Passwords must die.

There is hope. Just in the past few months, more websites and apps have started to let you ditch your password entirely. Instead your phone, fingerprint or face are proof that you are you.

Technologists have been promising a password-less future for a long time. This won’t happen soon. But internet security is broken beyond repair. We need to move past the password.

In the meantime, you are a security star if you take just one of these steps:

Aim for longer password phrases

To create the best password, try to make it at least 16 characters. The more characters, the more time hackers need to guess your password. Don’t worry so much about having a bunch of symbols, capital letters and numbers.

Security experts recommend using memorable phrases as passwords, with a twist. If you like nursery rhymes, try the password, “L1ttleMi$sMuffetSatOnATuffet,” with a number and symbol replacing a couple of letters. Or mush together four words into nonsense like “TumblerElbowMerinoWoodpecker.”

Not every online account lets you set up passphrases like that, because of requirements derived from obsolete government security guidelines.

Again, there is too much individual responsibility and blame on you. You know you’re not supposed to create easy-to-guess passwords like “RedSox04” or reuse your passwords on multiple sites. But no human can invent and remember hundreds of complex passwords.

Try to prioritize by creating strong passwords or passphrases for your most important accounts such as email, financial accounts and password managers. (More on them in a minute.)

The ultimate guide to secure passwords

Consider two-step authentication on your important accounts

Needing a password plus a second step to log into an account — such as a code that is texted to you — protects you much better than logging in with just a password.

If you can manage it, add two-step authentication to your essential accounts like email, social media and your bank accounts.

This is common online security advice that most people don't take. Don’t blame yourself. It takes work and not all online accounts let you use two-step authentication. (This website lets you look up the options for websites and apps you use.)

Using a dedicated app for one-time codes like Authy, Microsoft Authenticator or Google Authenticator is more secure than receiving codes by text. But don’t get too hung up on those details.

The Online Security Reset Guide: Keeping you safe from scammers, hackers and digital threats

Use a password manager if you can

There’s a reason my colleagues have repeatedly recommended password managers. Services like 1Password and Dashlane generate strong passwords on each of your accounts, store them in a digital lock box and fill them in automatically when you’re on websites and apps.

You create a single password to your password vault, and these services save the rest.

Password managers aren’t foolproof. I’d also rather scrub my bathtub than set them up. But they are a smart investment in your online security.

I have used Dashlane for years, and while it’s not cheap — I pay about $65 a year — I find it easy to use and worth the peace of mind. It also delights me by typing in passwords and credit card numbers automatically.

As a backup to memorizing my Dashlane passphrase, I have it written down on two slips of paper, one that I keep in my desk drawer and another in my wallet.

If you’re thinking, what if a thief steals my wallet and has access to all my passwords? Is it safe to store all your passwords in one place? Nothing is zero risk. But anything you do with a password manager is probably a security upgrade. Please don't try to be perfect.

Read more advice on how to get started with a password manager or alternatives like saving all your passwords in a notebook. That’s great, too! (Some of these tips are outdated, but the basics still stand.)

6 easy fixes to avoid tech headaches in 2023

A caveat about LastPass

LastPass, one of the better-known password management services, recently disclosed that hackers stole copies of usernames and passwords.

LastPass told customers that they’re probably safe because essential information including passwords was scrambled. That makes it harder for crooks to make sense of what they stole.

But Chester Wisniewski, an internet security researcher with the firm Sophos, told me that he's alarmed about years of red flags with LastPass. He recommended that users consider switching to an alternative.

Wisniewski said he feels confident in password managers 1Password, Bitwarden and Dashlane. (Here are instructions from 1Password, Bitwarden and Dashlane to switch over from LastPass.)

I asked LastPass representatives to respond to Wisniewski’s advice. They pointed me to the company’s recent blog post.

Wisniewski also said that LastPass might still be a good option for you. An alternative like using your child’s name as your password is far less secure.

The future you want: No passwords

Have I mentioned that the system of passwords is dumb and you can only do so much to protect yourself in this broken system? Yes?

Here's where things start to get promising.

Some companies, including Microsoft, Best Buy and PayPal, have started to give you the option of accessing your account with no password.

This isn’t totally novel. Some apps let you log in with just with your fingerprint or face scan — but it mostly works on your phone. You still have a password somewhere. Now imagine you use your phone or other device, finger or face scan as the sole way you log in everywhere.

Last week, I deleted the password from my Microsoft account and asked to log in without a password. Now when I tap on Skype on my Android phone or use Outlook email on my computer, I am prompted to confirm a two-digit number I can see in the Microsoft Authenticator app on my phone. (I need to unlock the Authenticator app with my fingerprint.) That’s it.

Hacks and data breaches are all too common. Here’s what to do if you’re affected.

Microsoft told me that nearly half a million people have removed the password from their accounts and opted to log in without a password.

This password-less system, which the technology industry is calling “passkeys,” is now baked into Android phones, iPhones, personal computers and major web browsers.

For now, going without a password isn’t seamless. When I created a PayPal account in the iPhone app and confirmed I wanted to use iPhone’s FaceID to log in, I still needed to create a password. Still, the technology is getting there.

It’s worth rooting for passkeys to kill the password system for good, although this will take many years.

Security experts told me that passkeys, which use proven cryptography practices, are more secure than the password systems in use today. Hackers also can’t steal passwords or trick you into giving them away if there are no passwords at all.

Even better, it’s simpler to access your accounts with just your device, finger or face. It’s not a problem if you lose your phone or computer. And logging in without a password will become easier over time.

If your accounts give you the option of the password-less log in called passkeys, definitely try it.

I usually roll my eyes when I hear that magical technology will fix a broken existing technology. In this case, yeah, passkeys might be the magic fix.

You can make yourself safer within the stupid password system we have today. But it’s even better to end the tyranny of passwords forever.


One tiny win

After speaking to online security experts for this piece, I realized that I could make a couple of changes to improve my password practices, too.

With the help of Dashlane, I made longer passwords to my Google account and my financial accounts. I also replaced the 10-character Dashlane password with a 20-character passphrase of four mushed-together words.

I have known for a long time that I needed to make a stronger Dashlane password. I just didn’t do it. Give yourself a break. Everyone can benefit from a small security improvement or two, and it’s never too late to start.

Brag about YOUR one tiny win! Tell us about an app, gadget or tech trick that made your day a little better. We might feature your advice in a future edition of The Tech Friend

Help Desk: Making tech work for you

Help Desk is a destination built for readers looking to better understand and take control of the technology used in everyday life.

Take control: Sign up for The Tech Friend newsletter to get straight talk and advice on how to make your tech a force for good.

Tech tips to make your life easier: 10 tips and tricks to customize iOS 16 | 5 tips to make your gadget batteries last longer | How to get back control of a hacked social media account | How to avoid falling for and spreading misinformation online

Data and Privacy: A guide to every privacy setting you should change now. We have gone through the settings for the most popular (and problematic) services to give you recommendations. Google | Amazon | Facebook | Venmo | Apple | Android

Ask a question: Send the Help Desk your personal technology questions.

Loading...