
Passwords are an integral part of our everyday routines. Whether it’s logging in to your work account, watching Netflix, or paying bills – there’s an account for everything. And what are these accounts secured with? Passwords!
Passwords have been around for far longer than one might expect: the first computer passwords date back to 1961. However, many forget that cybersecurity advice has an expiration date. Some of the myths below were standard practice 10 years ago but have since been overtaken by technological advancement.
Luckily, technology has also made it easy to generate strong passwords and securely store them via password managers. Adding an extra layer of security to your online accounts is now easier than ever, yet users still trade security for convenience. For example, some of the most common passwords are still 123456, 123456789, and 12345678 – these kinds of predictable passwords can be cracked instantly.
People prioritize usability over security – and even privacy – often without understanding the implications of weak password habits. Reusing the same password and skipping 2FA may save time, but it’s putting your sensitive data at risk.
Myth: the longer your password is, the more secure it is
- Fact: Length is the most important factor, but it is not the only one. What an attacker has to search is the number of possible passwords, which grows with both the length and the size of the character set, so a long password drawn from a small set (digits only, for example) is far easier to crack than one of the same length that mixes uppercase and lowercase letters, numbers, and special characters.
In fact, according to research by Hive Systems, a 12-character password made up of only numbers (12 characters being a common minimum for a strong password) can be cracked in just 4 days. Mix those same 12 characters of numbers with lowercase letters and it would take almost a thousand years to brute-force. Estimates like these assume a particular hashing algorithm and attacker hardware, and they assume the attacker already holds a copy of the hashed password; against a live login form, rate limiting and lockouts make guessing far slower.
It's important to note that if your password is built from dictionary words, a dictionary attack can crack it almost instantly regardless of its length. And brute force is the slowest method an attacker can use.
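The arithmetic behind figures like the ones above is simple: a password chosen uniformly at random from an alphabet of size N with length L has L·log2(N) bits of entropy, and an attacker guessing at a fixed rate needs 2^bits / rate seconds to exhaust the space. The script below is an added example, not part of the original article or of Hive Systems' research; the alphabet sizes are the standard ones and the two guess rates are illustrative assumptions (an offline attack on an unsalted fast hash versus one on a deliberately slow hash), not measurements.

```python
import math

# Alphabet sizes for the usual password "rules". The arithmetic is just
# keyspace = alphabet_size ** length, so these are the only real inputs.
ALPHABETS = {
    "digits": 10,
    "lowercase": 26,
    "lowercase+digits": 36,
    "mixed case+digits": 62,
    "mixed case+digits+symbols": 95,  # printable ASCII
}

# Illustrative guess rates (assumed, not measured): an offline attack on an
# unsalted fast hash vs. one on a deliberately slow hash such as bcrypt.
FAST_HASH_GUESSES_PER_SEC = 1e11
SLOW_HASH_GUESSES_PER_SEC = 1e5


def keyspace_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a password chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate; the average is half of this."""
    return 2.0 ** bits / guesses_per_second


def human_time(seconds: float) -> str:
    """Render a duration coarsely, e.g. '1.5 minutes' or '3.2e+05 years'."""
    units = (("years", 365 * 86400), ("days", 86400), ("hours", 3600),
             ("minutes", 60), ("seconds", 1))
    for name, size in units:
        if seconds >= size:
            value = seconds / size
            return f"{value:.1f} {name}" if value < 1e6 else f"{value:.1e} {name}"
    return "under a second"


def compare(length: int, guesses_per_second: float) -> dict:
    """Bits and worst-case crack time for each alphabet at a fixed length."""
    return {
        name: (round(keyspace_bits(length, size), 1),
               human_time(seconds_to_exhaust(keyspace_bits(length, size),
                                             guesses_per_second)))
        for name, size in ALPHABETS.items()
    }


if __name__ == "__main__":
    for rate, label in ((FAST_HASH_GUESSES_PER_SEC, "fast hash"),
                        (SLOW_HASH_GUESSES_PER_SEC, "slow hash")):
        print(f"12 characters, attacker rate {rate:.0e}/s ({label}):")
        for name, (bits, t) in compare(12, rate).items():
            print(f"  {name:28s} {bits:6.1f} bits  {t}")
    # Length vs. complexity: 8 characters from all 95 printable symbols is
    # weaker than 12 lowercase letters, and a 5-word passphrase from a
    # 7776-word list (each word is one symbol) beats both.
    print(keyspace_bits(8, 95), keyspace_bits(12, 26), keyspace_bits(5, 7776))
```

Two things fall out of running it. First, the ratio between alphabets is fixed by the math, but the absolute times move by six orders of magnitude depending on the hash the site used, which is why published crack-time tables disagree with each other. Second, adding characters beats adding symbol classes: at these sizes every extra lowercase letter adds 4.7 bits, while upgrading the whole alphabet from 62 to 95 symbols adds only 0.6 bits per character.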

Of course, a brute-force attack is just one of many password-cracking techniques employed by malicious hackers. Other, more targeted methods, such as dictionary and rule-based attacks that try likely candidates first, can be much faster.
Short passwords are weak even when they mix uppercase and lowercase letters, numbers, and special characters: length and character variety both matter, and you need to follow all of the rules to create a strong password. So, what makes a strong password?

Last but not least, each password must be unique. Reusing passwords is a security hazard: once one site leaks your password, attackers try the same email and password combination everywhere else, putting all of your online accounts at risk.
Myth: you should change your passwords regularly
- Fact: If you have a strong password and it hasn't appeared in any data breach (that you know of), there is no reason to change it; a change on a schedule adds no security.
Regularly changing your passwords was once a standard cybersecurity practice. However, the National Institute of Standards and Technology (in its Digital Identity Guidelines, SP 800-63B) no longer recommends enforcing periodic password changes; it advises forcing a change only when there is evidence that the password has been compromised.
In fact, forcing users to change their passwords every few months can actually lead to weaker passwords. According to the UK's National Cyber Security Centre, users may opt for easy-to-remember passwords (which can be cracked in seconds with modern password cracking techniques) or simply change one character in their old password, which produces predictable patterns an attacker can guess.
I recommend changing a password as soon as you learn that the service it protects has suffered a data breach. You can check whether your login credentials have been leaked by going to Have I Been Pwned or by signing up for a password manager with a data breach scanner.
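Have I Been Pwned also lets you check a password itself without sending it anywhere: the Pwned Passwords range API takes only the first five hex characters of the password's SHA-1 hash and returns every known suffix sharing that prefix, so the service never learns which password you asked about. The client below is an added example, not code from the article or from Have I Been Pwned; it uses the public range endpoint as documented, and the `SAMPLE_RESPONSE` constant is a constructed stand-in (the suffix for "password" is its real SHA-1 suffix, but the counts are made up) so the parsing can be exercised offline.

```python
import hashlib
import urllib.request

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase hex SHA-1 of the password into the 5-char prefix
    that is sent to the API and the 35-char suffix that never leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range_response(body: str, suffix: str) -> int:
    """The range endpoint returns one 'SUFFIX:COUNT' line per known hash that
    shares the prefix. Return the breach count for our suffix, 0 if absent."""
    for line in body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Real network call to Have I Been Pwned (only the prefix is transmitted).
    Add-Padding asks the API to pad the response so its size leaks nothing."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"User-Agent": "hibp-range-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch=fetch_range) -> int:
    """How many times the password appears in HIBP's corpus; 0 means not seen."""
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range_response(fetch(prefix), suffix)


# Constructed stand-in for a range response so the lookup runs offline.
# The middle line carries the real SHA-1 suffix of "password"; all counts
# and the other two suffixes are invented for the demo.
SAMPLE_RESPONSE = (
    "1D2DA4053E34E76F6576ED1DA63134B5E2A:2\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
    "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1\r\n"
)

if __name__ == "__main__":
    print(pwned_count("password", fetch=lambda prefix: SAMPLE_RESPONSE))
    print(pwned_count("password"))  # live query against the real API
```

Padded entries come back with a count of 0, which the parser treats the same as "not found", so padding costs nothing in accuracy. Any non-zero result means the password is in circulation in cracking wordlists and should be retired, however strong it looks.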
Myth: you don’t need 2FA if you have a strong password
- Fact: 2FA adds a second layer of security in case your password has been compromised.
Complex passwords won't protect your accounts from social engineering attacks like phishing, which trick users into handing over their credentials themselves. With social engineering getting more and more sophisticated, it's becoming easier than ever to fall for it.
Remember, no one is too smart to get scammed. While the elderly are more likely to fall for online scams and lose money, younger adults are not invulnerable. According to Deloitte, Gen Z is three times more likely to fall for online scams, and, in turn, lose access to their social media accounts and have their identity stolen, compared to baby boomers.
When you have 2FA in place, malicious hackers need more than just your password to get in. So, even if your password gets compromised, cybercriminals won’t be able to access your account without a second proof of authentication.
It's important to note that 2FA is not foolproof. MFA fatigue attacks, in which the attacker floods you with push notifications until you approve one, are on the rise, and codes sent by SMS can be intercepted or redirected through SIM swapping. Authenticator apps are better than SMS, and hardware security keys or passkeys resist phishing outright. Nonetheless, 2FA is a crucial part of an online security strategy, even though on its own it is no substitute for the other practices in this article.
Myth: you need to create passwords you can remember
- Fact: Creating passwords you can remember usually means you're compromising on security. Strong passwords are long and complex, and nobody can memorize dozens of them.
If you want to be able to remember a password, I recommend using a passphrase. A passphrase can be just as secure as a complex password but is actually easy to remember.
Passphrases are strings of random words separated by special characters. Their strength comes from the words being chosen at random from a large list, not from the separators, so don't pick the words yourself. Otherwise, you should follow the same rules as when creating a strong password: at least 16 characters, uppercase and lowercase letters, special characters, and a random sequence of words. Don't use common phrases, quotes, or sentences that make sense.

Here are some examples of strong passphrases:
- Pick-We-Needs6-Lamp
- Shake.Team.Driving1.Essential.Planning
- Swam?Whale?Arrow?Including?Free?Ability7
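A generator that produces passphrases in the style of the examples above, as an added example rather than code from the article: it picks words with the operating system's cryptographic random source (`secrets`, never `random`), capitalizes them, joins them with a separator, and appends one digit so the result also satisfies sites that demand numbers. The 32-word list is constructed for the demo and deliberately tiny (5 bits per word); a real generator should use a large published list such as the EFF long list of 7,776 words, where each word contributes about 12.9 bits. The list can be public, since only the selection is secret.

```python
import math
import secrets

# Constructed 32-word demo list (each word is a 5-bit choice). Swap in a
# large published list for real use; only the random selection is secret.
WORDS = [
    "arrow", "basket", "cable", "dragon", "essential", "fossil", "garden", "harbor",
    "island", "jacket", "kettle", "lamp", "marble", "needle", "orbit", "pencil",
    "quartz", "river", "saddle", "team", "umbrella", "velvet", "whale", "xenon",
    "yellow", "zipper", "planet", "shake", "driving", "ability", "free", "swam",
]
DIGITS = "0123456789"


def words_for_target_bits(target_bits: float, wordlist_size: int) -> int:
    """Smallest number of words that gives at least target_bits of entropy."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_passphrase(n_words: int, separator: str = "-", words=WORDS) -> str:
    """Pick words with the OS CSPRNG, capitalise them and append one random
    digit so the result passes typical site rules. The entropy lives in the
    word choice; capitalisation and the digit add almost none."""
    chosen = [secrets.choice(words).capitalize() for _ in range(n_words)]
    chosen[-1] += secrets.choice(DIGITS)
    return separator.join(chosen)


if __name__ == "__main__":
    # 60 bits needs 12 words from the demo list, but only 5 from a 7776-word list.
    n = words_for_target_bits(60, len(WORDS))
    print(n, generate_passphrase(n))
    print(words_for_target_bits(60, 7776), words_for_target_bits(80, 7776))
```

Note what the decorations are worth: capitalizing every word is a fixed rule and adds nothing, and the single random digit adds log2(10), about 3.3 bits. If a site requires mixed case, digits and symbols, satisfy it this way and put the real strength into one or two extra words.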
Weak passwords make it easy to gain unauthorized access to your online accounts. From there it can start with impersonation (sending malicious links/malware to your friends, infecting their accounts), which can damage your reputation. Unauthorized access to personal information or photos can take a darker turn, with malicious hackers demanding payouts, resulting in financial loss and negative impact on mental health.
Myth: never write down your passwords
- Fact: Writing down passwords on a piece of paper only poses a risk if it’s easily accessible by other people.
You obviously shouldn’t carry a notebook with all of your passwords inside. Ideally, your written passwords will be stored somewhere safe in your home and away from your laptop, serving as a sort of backup if you forget your passwords or lose access to your password manager.
Keep in mind that this doesn't apply to writing down your passwords in your notes app or an Excel sheet. If your device is compromised, which is far more likely than someone stealing your notebook, your login credentials will be too. For daily use, I recommend a password manager, which stores your passwords in an encrypted vault.
How hackers actually crack passwords
Cybercriminals don't sit around guessing passwords manually. They use automated password cracking techniques, usually against a stolen database of password hashes rather than against the login form. Some examples include brute force, which can cycle through billions of combinations per second on modern GPUs, dictionary attacks that try leaked passwords and common words first, and credential stuffing, which replays leaked email and password pairs against other sites and is particularly dangerous for those who reuse passwords. Social engineering attacks, like phishing, are also becoming more prevalent, especially with the rise of AI.
Weak passwords are significantly more likely to be cracked after a leak. However, if the website itself is compromised, even strong passwords can be exposed, and how much that leak is worth to an attacker depends on how the site stored them: plaintext or a fast unsalted hash hands over every weak password immediately, while a salted, slow hash forces the attacker to work through each account separately. The latter case is usually through no fault of the account owner, but rather the website's security measures.
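To make the difference concrete, the script below is an added example (not the article's code) that simulates both kinds of leak on constructed data: three invented accounts and a five-entry wordlist standing in for the multi-billion-entry lists real crackers use. Against unsalted SHA-256 one hash per candidate word is enough to test every account at once, and that table could have been computed before the breach. Against salted PBKDF2-HMAC-SHA256 the attacker must hash each candidate separately per account, and each hash costs as many HMAC rounds as the site configured (the example's default of 600,000 iterations follows the OWASP Password Storage Cheat Sheet). Weak passwords still fall; the long passphrase does not.

```python
import hashlib
import hmac
import os

# Constructed "leaked" accounts for the demo (not real data).
ACCOUNTS = {
    "alice": "123456",
    "bob": "Tr0ub4dor&3",
    "carol": "Swam?Whale?Arrow?Including?Free?Ability7",
}
# Constructed mini wordlist; real attacks use lists of billions of leaked passwords.
WORDLIST = ["password", "123456", "qwerty", "letmein", "Tr0ub4dor&3"]
DEFAULT_ITERATIONS = 600_000  # OWASP's recommendation for PBKDF2-HMAC-SHA256


def fast_hash(password: str) -> str:
    """What a careless site stores: unsalted SHA-256, billions per second on a GPU."""
    return hashlib.sha256(password.encode()).hexdigest()


def slow_hash(password: str, salt: bytes, iterations: int) -> str:
    """A salted, iterated hash (PBKDF2-HMAC-SHA256 from the standard library)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def leak_unsalted(accounts: dict) -> dict:
    """Simulated dump of a site that stored unsalted fast hashes."""
    return {user: fast_hash(pw) for user, pw in accounts.items()}


def leak_salted(accounts: dict, iterations: int = DEFAULT_ITERATIONS) -> dict:
    """Simulated dump of a site that stored per-user salt plus a slow hash."""
    leaked = {}
    for user, pw in accounts.items():
        salt = os.urandom(16)
        leaked[user] = (salt, slow_hash(pw, salt, iterations))
    return leaked


def crack_unsalted(leaked: dict, wordlist) -> tuple[dict, int]:
    """One hash per candidate breaks every account sharing that password, and
    the table can be precomputed before the leak. Returns (found, hashes_computed)."""
    table = {fast_hash(w): w for w in wordlist}
    found = {user: table[h] for user, h in leaked.items() if h in table}
    return found, len(table)


def crack_salted(leaked: dict, wordlist, iterations: int = DEFAULT_ITERATIONS) -> tuple[dict, int]:
    """The salt forces a fresh hash per (account, candidate) pair, and each hash
    costs `iterations` HMAC rounds. Returns (found, hashes_computed)."""
    found, hashes = {}, 0
    for user, (salt, h) in leaked.items():
        for w in wordlist:
            hashes += 1
            if hmac.compare_digest(slow_hash(w, salt, iterations), h):
                found[user] = w
                break
    return found, hashes


if __name__ == "__main__":
    print(crack_unsalted(leak_unsalted(ACCOUNTS), WORDLIST))
    print(crack_salted(leak_salted(ACCOUNTS), WORDLIST))
```

Run it and compare the hash counts: 5 hashes recover alice and bob from the unsalted dump, while the salted dump needs 12 separate PBKDF2 computations (each 600,000 HMACs) for the same result, and the cost multiplies with every extra account and every extra wordlist entry. Carol's passphrase survives both, because nothing in the wordlist matches it; that, not the site's hashing, is the part the user controls.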
While you can’t control the environment, you can take the necessary steps to protect your online accounts. Using strong passwords is just the first step. Make sure you enable 2FA and practice cyber hygiene to minimize the risk. Keep up with the latest online scams and stay vigilant.
Passwords in the age of AI
AI took off in 2022, when tools like ChatGPT became open to the public. A year later, researchers showed that a deep learning model trained on keystroke audio can recover what was typed, meaning a password can be guessed from the sound of the keys alone.
But you don't need a university degree to utilize AI. Simply open ChatGPT or DeepSeek and let the games begin. According to Trend Micro, cybercriminals use jailbroken LLMs to look for vulnerabilities, generate malware code, and write phishing emails.
In 2024, the FBI warned users to be vigilant as cybercriminals were relying on AI to run sophisticated social engineering attacks and even voice cloning scams. One unfortunate case happened in early 2024, when an employee at a Hong Kong company was tricked into transferring 25 million dollars to scammers who used deepfake technology to impersonate his company's senior staff on a video call.
A lot of AI-related cybercrime is focused on social engineering rather than on cracking a database, though it is not limited to that. In these situations, it's crucial to practice cyber hygiene and stay hyper-vigilant, especially before making big decisions like transferring money.
Will passwords become obsolete?
But why are weak passwords such a big deal? With biometric authentication and passkeys, aren't we moving toward a future without passwords? While fingerprint and facial recognition are widely adopted, especially on smartphones, they currently don't replace passwords: the biometric unlocks a credential stored on the device, and a password or PIN remains the fallback behind it, so they are mainly there for convenience.
Passkeys, on the other hand, show promise in replacing passwords. They're more secure and resistant to phishing, which contributes to 91% of all cyberattacks, because the credential is bound to the genuine website and cannot be handed to a lookalike. Nonetheless, some are concerned about account recovery in case of device loss as well as support and compatibility. Passkeys are still in the early adoption stages, and as more and more people start using them to secure their accounts, these issues are bound to get resolved.
Whether you like it or not, passwords are here to stay for the foreseeable future. For the time being, make sure you use strong and unique passwords, enable 2FA, and follow basic cyber hygiene.