Why passwords still matter
Despite the rise of advanced authentication systems (biometrics, passkeys), passwords remain the most widespread authentication method on the web. Every year billions of credentials are stolen in data breaches and sold on the dark web. A weak or reused password is the favourite entry point for attackers.
Characteristics of a strong password
- Length: at least 16 characters (20+ is better)
- Complexity: uppercase, lowercase, numbers, and special characters (!@#$%)
- Uniqueness: a different password for every account (never reuse)
- Unpredictability: no dictionary words, names, dates, or obvious patterns
- No personal information: never your name, surname, birthday, or pet's name
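The checklist above can be turned into an automated policy check. The following Python is an added example written for this article, not code from any password manager or site: it enforces the length and character-class rules, undoes the substitutions that "P@ssword1"-style variants rely on before looking for dictionary words, flags personal information supplied by the caller, and rejects sequential or repeated runs and year-like numbers. The word list and the sample profile fields are constructed for the demo; a real deployment would load a large breached-password list.

```python
import re

# Constructed sample data for this example. A real checker would load a large
# breached-password list (and the user's own profile fields) instead.
COMMON_WORDS = ["dragon", "football", "letmein", "monkey", "password", "qwerty", "welcome"]
SPECIALS = "!@#$%^&*()-_=+[]{};:'\",.<>?/\\|`~"
# Reverse the substitutions a dictionary attack tries, so "P@ssword1" -> "passwordi"
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def normalise(pw: str) -> str:
    """Lowercase and undo common leet substitutions before dictionary matching."""
    return pw.lower().translate(LEET)


def has_run(pw: str, run: int = 4) -> bool:
    """True if any `run` consecutive characters form a constant-step sequence:
    'abcd', '4321' and 'aaaa' all count, because guessers enumerate those first."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def check_password(pw: str, personal=()) -> list[str]:
    """Return a list of policy violations; an empty list means the password passes.
    `personal` is an iterable of strings the user must not embed (name, pet, ...).
    16 is the hard minimum from the checklist; 20+ is recommended."""
    findings = []
    if len(pw) < 16:
        findings.append(f"too short: {len(pw)} characters, need at least 16")

    classes = {
        "uppercase": any(c.isupper() for c in pw),
        "lowercase": any(c.islower() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "special": any(c in SPECIALS for c in pw),
    }
    for name, present in classes.items():
        if not present:
            findings.append(f"missing character class: {name}")

    norm = normalise(pw)
    for word in COMMON_WORDS:
        if word in norm:
            findings.append(f"contains dictionary word '{word}' (after undoing substitutions)")
    for item in personal:
        if len(item) >= 3 and item.lower() in norm:
            findings.append(f"contains personal information '{item}'")
    if has_run(pw):
        findings.append("contains a sequential or repeated run of 4+ characters")
    if re.search(r"(19|20)\d\d", pw):
        findings.append("contains a year-like number")
    return findings


if __name__ == "__main__":
    # Constructed sample inputs
    for candidate, profile in [("P@ssword1", ()),
                               ("Mario1987Rossi!!Lx", ("Mario", "Rossi")),
                               ("Tq7#Vm2$Kx9!Pb4&Wz6^", ())]:
        print(candidate, "->", check_password(candidate, profile) or "OK")
```

The normalisation step is the important part: a checker that only compares the raw string would accept "P@ssword1" because it is not literally in the list, while the same variant is among the first guesses a dictionary attack makes. Uniqueness across accounts cannot be checked locally by this function; that is what a password manager's reuse report is for.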
The main attack methods
- Brute force: tries all possible combinations; ineffective against long passwords
- Dictionary attack: tries dictionary words and common variants (P@ssword1, etc.)
- Credential stuffing: uses stolen credential lists from other data breaches
- Phishing: tricks users into entering their credentials on a fake site
- Keylogger: malware that records keystrokes
Password managers: the practical solution
Memorising a unique, robust password for every service is humanly impossible. Password managers (Bitwarden, 1Password, KeePassXC) generate and store random passwords for each site, requiring you to remember only one strong master password. They are the solution recommended by all security researchers.
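What a password manager does when it "generates" a password is draw characters from a cryptographically secure random source. The Python below is an added example written for this article, not the code of Bitwarden, 1Password or KeePassXC: it generates a random password or passphrase with the standard library's `secrets` module and computes the entropy in bits, which also puts a number on the claim in the attack list above that brute force is ineffective against long passwords. The word list and the 10^12 guesses-per-second rate are constructed figures for the demonstration.

```python
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
CLASSES = (string.ascii_uppercase, string.ascii_lowercase, string.digits, string.punctuation)

# Constructed mini word list for the passphrase demo; a real generator would use a
# list of thousands of words so that each word contributes around 12-13 bits.
WORDS = ["anchor", "basil", "copper", "delta", "ember", "falcon", "granite", "harbor",
         "iris", "jasper", "kestrel", "lumen", "maple", "nectar", "orbit", "pepper"]


def generate_password(length: int = 20) -> str:
    """Draw every character from the OS CSPRNG via `secrets` (never `random`), and
    re-draw until all four character classes appear so the result also satisfies
    typical site policies. The rejection step costs a fraction of a bit of entropy."""
    if length < 16:
        raise ValueError("use at least 16 characters")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in CLASSES):
            return pw


def generate_passphrase(words: int = 6, wordlist=WORDS, sep: str = "-") -> str:
    """Diceware-style passphrase: entropy is words * log2(len(wordlist))."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random string of `length` symbols."""
    return length * math.log2(alphabet_size)


def expected_crack_years(bits: float, guesses_per_second: float = 1e12) -> float:
    """Expected time for an exhaustive search: on average half the keyspace is tried.
    1e12 guesses/s is a constructed figure for an offline attack on a fast hash."""
    return (2.0 ** bits / 2) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    print("password  :", generate_password(20))
    print("passphrase:", generate_passphrase(6))
    for n in (8, 12, 16, 20):
        bits = entropy_bits(n)
        print(f"{n:2d} random chars: {bits:6.1f} bits, "
              f"~{expected_crack_years(bits):.3g} years at 1e12 guesses/s")
```

Two design points: `secrets.choice` is backed by the operating system's CSPRNG, whereas `random.choice` is a seeded Mersenne Twister whose output can be reconstructed from a few observed values; and the entropy figure only holds if every character really is drawn uniformly, which is why a human-chosen password of the same length has far less than `entropy_bits` would suggest.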
Two-factor authentication (2FA)
Even the best password can be compromised. Two-factor authentication adds a second layer of security: even if someone knows your password, they cannot access your account without the second factor (OTP code from an app such as Authy or Google Authenticator, or a FIDO2/WebAuthn hardware key).
Avoid SMS-based 2FA where possible: SIM swapping attacks allow SMS messages to be intercepted. Always prefer TOTP apps or hardware keys.