Importance of Strong Passwords

Most people have been conditioned to create weak, easy-to-remember passwords—often reused across multiple sites. This makes them easy targets for attackers using automated tools or stolen credentials.

  • Length matters: The longer the password, the harder it is to crack. Aim for passphrases or generated strings that are at least 12–16 characters.
  • Uniqueness is critical: Use a different password for every account. This limits the damage in case one service is compromised.
  • Use a password manager: Tools like 1Password can generate strong, unique passwords for every login and securely store them.
  • Enable two-factor or multi-factor authentication (2FA/MFA): Always use 2FA when available. Prioritize app-based authenticators or security keys over SMS. Better yet, use SSO or Passkeys in combination with MFA/2FA to get the strongest form of authentication.
  • Keep passwords private: Never share your passwords, even with colleagues or IT support.

Strong password hygiene is one of the simplest and most effective ways to protect personal and organizational data.

Single Sign-On (SSO)

SSO (Single Sign-On) allows users to access multiple applications or systems with one set of credentials. This improves user experience and can enhance security when properly configured, as it centralizes authentication and makes it easier to enforce strong policies like 2FA.

It is a strong alternative to logins using passwords and passphrases.

However, if an SSO account is compromised, access to many connected systems may be at risk. This makes securing the primary SSO login—using strong passwords and MFA—especially important.

See Security > SSO (Single Sign-On).

Passkeys

Passkeys are a modern, passwordless authentication method based on public key cryptography. Unlike traditional passwords, they don’t rely on shared secrets, making them highly resistant to phishing, credential stuffing, and other common attacks.

Authentication typically uses biometrics (like Face ID or a fingerprint) or a trusted device to confirm identity.

This is currently one of the most secure ways to log into websites and services, and should be used in place of traditional passwords or even SSO where possible.
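
An added example, not part of the original page: a simplified Node.js model of the challenge-response exchange behind a passkey login, showing why a lookalike site or a replayed response is rejected. The origins, function names and JSON payload layout are assumptions for illustration; real WebAuthn messages carry more fields.

```javascript
// Added example: simplified model of a passkey login, not a full WebAuthn implementation.
const crypto = require("crypto");

const RP_ORIGIN = "https://login.example.com"; // hypothetical legitimate site
const LOOKALIKE = "https://login.example.net"; // hypothetical phishing origin

// Registration: the authenticator makes a key pair scoped to one origin.
// The server stores only the public key, so a breach leaks no login secret.
function register(origin) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  return { authenticator: { origin, privateKey }, serverRecord: { publicKey } };
}

// Authenticator: signs the server's challenge together with the origin the
// browser actually sees. It holds no credential for any other origin.
function signAssertion(authenticator, challenge, seenOrigin) {
  if (seenOrigin !== authenticator.origin) return null;
  const clientData = JSON.stringify({ challenge: challenge.toString("hex"), origin: seenOrigin });
  const signature = crypto.sign("sha256", Buffer.from(clientData), authenticator.privateKey);
  return { clientData, signature };
}

// Server: checks the signature, then the signed origin and the fresh challenge.
function verifyAssertion(serverRecord, expectedChallenge, assertion) {
  if (!assertion) return "no-credential";
  const signed = Buffer.from(assertion.clientData);
  if (!crypto.verify("sha256", signed, serverRecord.publicKey, assertion.signature)) return "bad-signature";
  const { challenge, origin } = JSON.parse(assertion.clientData);
  if (origin !== RP_ORIGIN) return "wrong-origin";
  if (challenge !== expectedChallenge.toString("hex")) return "stale-challenge";
  return "ok";
}

function demo() {
  const { authenticator, serverRecord } = register(RP_ORIGIN);
  const challenge = crypto.randomBytes(32);
  const good = signAssertion(authenticator, challenge, RP_ORIGIN);
  // Same key made to sign for the lookalike origin (models client-side scoping being bypassed).
  const forced = signAssertion({ ...authenticator, origin: LOOKALIKE }, challenge, LOOKALIKE);
  return {
    legitimate: verifyAssertion(serverRecord, challenge, good),
    lookalikeSite: verifyAssertion(serverRecord, challenge, signAssertion(authenticator, challenge, LOOKALIKE)),
    forcedOrigin: verifyAssertion(serverRecord, challenge, forced),
    replayed: verifyAssertion(serverRecord, crypto.randomBytes(32), good),
  };
}

console.log(demo());
```

Unlike a password, nothing typed or sent in this exchange can be reused elsewhere: the signature is only valid for one challenge and one origin.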

Passkeys are built on open standards developed by the FIDO Alliance (Fast IDentity Online), established in 2013 to promote simpler and stronger authentication technologies. The alliance's mission is to reduce the world's reliance on passwords and protect users from credential-based threats.

In 2022, Apple, Google, and Microsoft jointly committed to supporting passkeys across their platforms and browsers. Apple introduced passkey support with iOS 16 and macOS Ventura, while Google and Microsoft began rolling out integration through Chrome and Windows.

As adoption expands, passkeys are expected to gradually replace traditional login methods, offering both stronger security and a more seamless user experience.

See Security > Passkeys.

See Passkeys.directory for a list of websites, apps, and services that offer signing in with passkeys.

Tips for Remembering Long Passwords

  • Make a melody using the words
  • Group words into meaningful pairs
  • Visualize a sequence of vivid images
  • Use a memorable sentence or phrase as the base
  • Mix in numbers or symbols that relate to the words
  • Passwords can always be changed — aim for 40 characters or more

Artificial intelligence

PassGAN, a new AI-based approach to password cracking, has been used to measure how quickly passwords can be cracked:

  • 51% of passwords can be cracked in under 1 minute. That includes those made up of up to 12 numbers, and so-called complex passwords of 6 characters.
  • 71% can be cracked within a day. That includes those made up of 15 numbers, and so-called complex passwords of 8 characters.
  • Passwords containing 16 lowercase letters would take 23,000 years. With only numbers, 2 days. With 18 letters, 22 million years.

Impacts

A recent survey from passwordmanager.com published in April 2023 with 1,000 US workers found that:

  • 47% admit to using employers’ passwords after leaving the company
  • More than 1 in 4 are currently using passwords to access paid subscriptions
  • Only 1 in 7 say they’ve been caught using former company passwords
  • 1 in 10 say they use past employers’ passwords to disrupt company activities

Another survey with business leaders found that 74% of them reported suffering damages from former employees who exploited their digital access.