Happy World Password Day! It’s 2025, and much to the frustration of both security experts and the general public, we’re still reliant on passwords.
Remembering and entering passwords for the multitude of connected devices and online accounts we have is quite inconvenient. Additionally, they can be breached, with advancements in technology such as artificial intelligence tools making it easier for hackers to either guess or steal them.
Innovations like passkeys and password managers could greatly minimize the necessity for passwords in our daily lives, but the challenge is that these solutions have not been widely adopted by many companies or consumers, noted Mike Kosak, a senior principal intelligence analyst at LastPass.
“There’s a lot of comfort involved,” Kosak stated. “People have become accustomed to [passwords]; they are straightforward to implement and authenticate.”
However, despite the discomfort that comes with change, transitioning to passkeys would be beneficial. Specialists assert that they provide a superior user experience compared to passwords while eliminating the dangers associated with weak, reused, and compromised passwords, along with phishing scams.
What better time to advocate for this change than on World Password Day, which occurs on May 1 this year? This holiday, created by Intel in 2013, serves as a reminder to reassess your logins and ensure they meet the necessary security standards.
Until passkeys or another innovative solution becomes the norm, it’s essential for us to do our best in creating strong passwords. This includes utilizing long, random, and unique passwords for every single account. Although this can be challenging for most individuals today, a reliable password manager can assist with that.
Password managers store your passwords, requiring you to remember only one master password to access your stored passwords.
While it may feel risky to consolidate all your sensitive logins in one location, experts like Iskander Sanchez-Rola, director of AI and innovation for Norton, argue otherwise.
“You’re not putting all your eggs in one random basket; you’re securing them in a titanium vault surrounded by lasers and a moat,” Sanchez-Rola explained.
You’ll still need to recall at least one password, even if you’re using a password manager. Fortunately, a bit of effort can significantly enhance the quality of your passwords and protect your data. Here are several tips for creating effective passwords.
Longer passwords are preferable. Aim for a minimum of 16 characters, as this length greatly reduces the threat of being cracked by password-cracking software. Random character sequences are ideal, but passphrases—such as a series of three unrelated words—can also suffice in many cases. Adding special characters, like symbols or punctuation marks in the middle, is advantageous.
Keep in mind: If you choose a passphrase, ensure that the words are meaningful only to you and do not reference important details. For instance, “Red Sox Rule” might show team loyalty but lacks security as a passphrase. Avoid using birthdays or other significant dates, as cybercriminals can easily uncover them. Be cautious with song titles and famous quotes as well. Steer clear of cliché substitutions, like using @ for “at” or “a,” and $ for “s.”
Avoid the urge to reuse passwords. Even robust passwords can be stolen and compromised. To minimize risks, ensure you use distinct passwords for all your accounts. This might seem overwhelming, especially since we recommend 16-character or longer phrases.
As mentioned earlier, consider using a password manager for assistance. There are both free and paid options available, and many web browsers can help with this task, though they may not always synchronize across all your devices.
Sanchez-Rola points out that password managers can alert you to spoofed websites. If you click on a link in an email that appears to be from your bank but redirects you to a phony site, your password manager won’t automatically input your login details.
Embracing change can be beneficial. Most experts currently agree that it isn’t necessary to change passwords regularly. However, they all concur that you should update them immediately if there’s any indication of a breach. The rise of AI and automated technologies has made it easier for hackers to initiate mass attacks, Kosak warns, and individuals cannot afford to presume they won’t be targeted.
Furthermore, if one of your accounts is breached and you have the option to log out of all other devices, do so prior to changing your password, Kosak advises. If you neglect this step, you might leave an intruder logged in, allowing them the opportunity to alter your password after you.
Log out of shared devices. If you access a communal computer at a cafe or sign into your Netflix account on a friend’s TV, ensure you log out once you’re finished, advises Sanchez-Rola. The next user of that device may not intend any harm, but you could face consequences if their security practices are not as robust as they should be.
Keep your personal information off social media. The more private details you share, the more cybercriminals learn about you. Those seemingly insignificant bits of information could be utilized to decode your passwords.
Always use two-factor authentication (2FA). If your password is compromised, having an extra layer of security will greatly assist in protecting you. Two-factor authentication, also known as multifactor authentication, is increasingly adopted by websites and requires anyone attempting to access your account to also input a second form of identification.
This could be a code generated by an authentication app, a biometric scan like a fingerprint or facial recognition, or a physical security key that you connect to your device. Yes, this may slow down your account access, but it’s a worthwhile trade-off for keeping your account safe. If 2FA is an option, take advantage of it.
One caution: If possible, steer clear of 2FA systems that send codes via text to your smartphone. SIM swapping, where a cybercriminal takes control of your phone number, is increasingly common. If a hacker seizes your phone number, they’ll also receive your 2FA text message.
You’re likely familiar with conventional strong password guidelines that appear every time you set up an online account. Use uppercase letters, numbers, and special characters while making it at least 8 characters long (or 10, or 12). These criteria aim to make it tougher for hackers to access your accounts. However, they don’t necessarily strengthen your password, according to researchers at Carnegie Mellon University.
Lorrie Cranor, director of the CyLab Usable Security and Privacy Laboratory at CMU, mentions her team has developed a better method, a meter that websites can implement to encourage you to create more secure passwords. Once you’ve created a password with at least 10 characters, the meter will begin offering suggestions, such as interspersing common words with slashes or random letters, to make your password tougher.
These recommendations differentiate the password strength meter from others that estimate password strength, often using color codes. The suggestions are not derived from a simple checklist, but instead adapt to common errors that Cranor’s team has noted people make while setting up passwords during various experiments conducted by the lab over several years.
One issue with many passwords is that they fulfill the security criteria yet are still susceptible to guessing because most individuals adhere to the same patterns, the lab discovered. If numbers are obligatory, you’re likely to append a “1” at the end. If capital letters are required, you’ll probably capitalize the first letter. And for special characters? Exclamation marks are often the choice.
CMU’s password meter will provide recommendations for enhancing a password like “ILoveYou2!” — which satisfies the standard criteria. The meter also delivers other suggestions based on your inputs, like reminding you to avoid using names or advising you to place special characters within your password.
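The heuristics described above (length, a capital letter only at the start, a “1” or other digits tacked on the end, an exclamation mark as the only symbol, recognisable words, and the @ / $ substitutions) are easy to turn into concrete, targeted feedback. The following Python checker is an added example written for this page; it is not CMU’s meter nor code from any of the companies quoted, and its word list and substitution map are small constructed stand-ins for a real wordlist and breached-password check.

```python
import re
import string

# Constructed, illustrative word list. A production checker would use a
# large dictionary plus a breached-password lookup instead of this.
COMMON_WORDS = {"love", "you", "password", "star", "wars", "red", "sox",
                "rule", "welcome", "qwerty"}

# Undo the cliché substitutions the article warns about (@ for a, $ for s, ...)
# so that "P@$$w0rd" is recognised as the word "password".
LEET_MAP = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e"})

MIN_LENGTH = 16  # the article's recommended minimum


def _words_in(text: str) -> set[str]:
    """Return the common words that appear as substrings of text."""
    return {w for w in COMMON_WORDS if w in text}


def feedback(password: str) -> dict[str, str]:
    """Return {issue_code: advice} for the patterns the text describes.

    An empty dict means none of the checked patterns was found; it does not
    mean the password is strong (these are heuristics, not a strength estimate).
    """
    tips: dict[str, str] = {}

    if len(password) < MIN_LENGTH:
        tips["too_short"] = (f"Use at least {MIN_LENGTH} characters "
                             f"(currently {len(password)}).")

    # Capital letter only at the very start: the most common way to satisfy
    # an "uppercase required" rule.
    if password[:1].isupper() and not any(c.isupper() for c in password[1:]):
        tips["leading_capital_only"] = ("Only the first letter is capitalised; "
                                        "capitalise a letter in the middle instead.")

    # Digits (optionally followed by a symbol) at the end, e.g. "...2!" or "...123".
    if re.search(r"\d+[^A-Za-z0-9]*$", password):
        tips["trailing_digits"] = ("Numbers sit at the end; move them into the "
                                   "middle of the password.")

    # Symbols only at the end: "!" appended to satisfy a special-character rule.
    stripped = password.rstrip(string.punctuation)
    if stripped != password and not any(c in string.punctuation for c in stripped):
        tips["symbols_at_end"] = ("Special characters appear only at the end; "
                                  "place one inside the password.")

    # Recognisable words, before and after undoing leet-style substitutions.
    raw_words = _words_in(password.lower())
    normalised_words = _words_in(password.translate(LEET_MAP).lower())
    if normalised_words:
        tips["common_words"] = (f"Contains common words {sorted(normalised_words)}; "
                                "break them up with slashes or random letters.")
    if normalised_words - raw_words:
        tips["cliche_substitutions"] = ("Substitutions like @ for 'a' or $ for 's' "
                                        "are predictable and add little strength.")

    return tips


if __name__ == "__main__":
    for candidate in ("ILoveYou2!", "P@$$w0rd123!", "xK9#mvQ2pL!rT4wZ"):
        print(candidate)
        for code, advice in feedback(candidate).items():
            print(f"  [{code}] {advice}")
```

Running it on the article’s own example “ILoveYou2!” produces the tailored advice the meter is described as giving (too short, digits and a symbol at the end, recognisable words), while a long random string produces no findings. Feedback is keyed by an issue code so a site can map each code to its own wording or translation.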
“It’s pertinent to what you’re doing, rather than offering random advice,” Cranor noted.
In a study, participants generated passwords on a system that simply required them to input 10 characters. Following that, the system evaluated the passwords with the lab’s password strength meter and provided customized suggestions for stronger passwords. Test participants managed to create secure passwords that they could remember up to five days later. This method proved more effective than merely presenting users with preset rules or outright prohibiting known weak passwords (I’m looking at you, “StarWars”).
Cranor and co-authors Joshua Tan, Lujo Bauer, and Nicolas Christin will share their latest password research in November at the ACM Conference on Computer and Communications Security, which is being conducted virtually. The team hopes that their tools will be implemented by website developers in the future.
In the meantime, Cranor advises that the best method to create and memorize secure passwords is to utilize a password manager. While these are not extensively used and have some trade-offs, they allow you to devise a random, unique password for each account and remember your passwords for you.