
6 common misconceptions about passwords

We all need passwords. They are by far the most used form of authentication, not only on the internet but also on the telephone, at the cash machine, for opening the safe, and even to take books out of the library.

Bad advice about passwords is easy to come by. Many institutions, especially banks and government departments, are notorious for arbitrarily restricting passwords: short maximum lengths, banned characters, mandatory character classes. The reasons for doing so vary, and they are rarely good ones.

As a rule of thumb, be suspicious of any site that places restrictions on your password beyond a minimum length. There is no good reason to forbid particular characters or to cap passwords at something short: a site that rejects symbols or stops at 12 or 16 characters is often storing them in a fixed-width field, or in some form other than a hash. A generous upper bound is a different matter; current NIST guidance (SP 800-63B) asks services to accept passwords of at least 64 characters.

Major misconceptions we commonly read about

1. Passwords are secure

Passwords are not insecure compared with the alternatives, such as phone numbers, government ID or biometrics, and they remain the most widely used authentication method, especially when combined with a second factor. But be careful: not all two-factor techniques are equal. A one-time code sent by SMS can be intercepted or redirected to an attacker who takes over your phone number, whereas a code from an authenticator app or a hardware key never crosses the phone network.

Here is what we expect from a good password:

2. Passwords don’t have a maximum length

When handled properly, passwords can be as long as they need to be. A well-built service runs your password through a salted, deliberately slow hash (bcrypt, scrypt, Argon2 or PBKDF2) and stores only the hash, whose size is fixed no matter how long the input was, so there is no storage reason to cap the length. (The one legitimate exception is bcrypt, which only reads the first 72 bytes of input; a service using it may impose a cap near there, but a cap of 12 or 16 characters has no such excuse.) Every added character multiplies the number of possible passwords by the size of the character set, so security grows exponentially with length. For a randomly generated password, 17 characters or more is generally enough. If you are encrypting highly sensitive data, for example your personal files or a Bitcoin wallet, where an attacker who obtains the encrypted file can guess offline at full speed, you are better off with 23 or more.

3. All that matters is the length

As the ExpressVPN password generator demonstrates, length buys far more security than character diversity. Each extra character multiplies the number of possible passwords by the size of the character set (26 for lowercase letters, about 94 for everything on a US keyboard), so adding one lowercase letter adds about 4.7 bits of search space. Widening the alphabet of an existing position from lowercase to the full keyboard adds only about 1.85 bits for that position. Five extra lowercase letters therefore beat converting all twelve positions of a 12-character lowercase password to the full character set. This arithmetic holds only for randomly generated passwords; a human-chosen phrase of the same length has far less entropy.
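As an added worked example (not code from the original article or from the ExpressVPN generator), the following Python script quantifies the claim: it generates passwords with the operating system's cryptographic random source and computes the search-space size in bits for different lengths and character sets, so you can see length and alphabet width traded against each other. The guess rate used for the cracking-time estimate is an assumption chosen for illustration.

```python
import math
import secrets
import string

# Character sets a generator might draw from (sizes 10, 26, 62 and 94).
ALPHABETS = {
    "digits": string.digits,
    "lowercase": string.ascii_lowercase,
    "alphanumeric": string.ascii_letters + string.digits,
    "printable": string.ascii_letters + string.digits + string.punctuation,
}


def generate_password(length: int, alphabet: str = ALPHABETS["printable"]) -> str:
    """Uniformly random password drawn with the OS CSPRNG (never the `random` module)."""
    if length < 1:
        raise ValueError("length must be at least 1")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Size of the search space for a uniformly random password, in bits.

    There are N**L candidates, so log2(N**L) = L * log2(N): each extra character
    adds log2(N) bits, while widening the alphabet from N1 to N2 adds only
    log2(N2/N1) bits per position. Only meaningful for randomly generated
    passwords; a human-chosen phrase of the same length has far fewer effective bits.
    """
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float = 1e12) -> float:
    """Years for an attacker to try every candidate at the assumed guess rate.

    1e12 guesses/s is an ASSUMED offline rate against a fast, unsalted hash;
    a slow password hash (bcrypt, scrypt, Argon2) cuts it by orders of magnitude.
    """
    return 2.0 ** bits / guesses_per_second / (365.25 * 24 * 3600)


def compare_length_vs_charset() -> dict:
    """Worked comparison: lengthening a lowercase password vs widening its alphabet."""
    lower, full = len(ALPHABETS["lowercase"]), len(ALPHABETS["printable"])
    base = entropy_bits(12, lower)  # 12 lowercase letters
    return {
        "12 lowercase": round(base, 1),
        "12 printable": round(entropy_bits(12, full), 1),    # widen every position
        "17 lowercase": round(entropy_bits(17, lower), 1),   # add 5 lowercase letters
        "gain from widening 12 positions": round(entropy_bits(12, full) - base, 1),
        "gain from 5 more lowercase letters": round(entropy_bits(17, lower) - base, 1),
        "17 printable (article's general minimum)": round(entropy_bits(17, full), 1),
        "23 printable (article's high-value minimum)": round(entropy_bits(23, full), 1),
    }


if __name__ == "__main__":
    for label, bits in compare_length_vs_charset().items():
        print(f"{label:45s} {bits:7.1f} bits")
    pw = generate_password(23)
    bits = entropy_bits(len(pw), len(ALPHABETS["printable"]))
    print(f"sample: {pw}  ({bits:.1f} bits, "
          f"{years_to_exhaust(bits):.3g} years at 1e12 guesses/s)")
```

The `secrets` module is the right source here because `random` is a deterministic Mersenne Twister whose output can be reconstructed from a few observed values; a password generator built on it produces guessable passwords no matter how long they are.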

4. Passwords can include anything

While not every site accepts them, a password can literally be any string: non-Latin script, rarely used Unicode, even emoji. If you can type it, it is a valid password. One caveat applies to anything outside plain ASCII: the same visible text can be typed as different code point sequences on different systems (an accented letter as a single code point, or as a base letter plus a combining mark), so a site that does not normalize the password before hashing may reject it when you log in from another device. A site that handles this properly normalizes the text (typically to NFC) and encodes it as UTF-8 before hashing.
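To show what "handled properly" looks like for both point 2 (hash and salt, no length limit) and point 4 (any Unicode, consistently), here is an added Python example of server-side password storage. It is not code from the article or from ExpressVPN: the password is normalized to NFC and encoded as UTF-8, mixed with a random per-password salt, and run through a deliberately slow hash. PBKDF2-HMAC-SHA256 is used because it ships in the standard library; bcrypt, scrypt or Argon2 would be equally valid choices. The 600,000 iteration count follows OWASP's current recommendation for PBKDF2-HMAC-SHA256, and the sample passwords are constructed for the demo.

```python
import hashlib
import hmac
import secrets
import unicodedata
from typing import Optional

ITERATIONS = 600_000  # OWASP recommendation for PBKDF2-HMAC-SHA256 (2023)
SALT_BYTES = 16
DIGEST_BYTES = 32


def password_bytes(password: str) -> bytes:
    """Canonicalize before hashing so the same visible text always maps to the same bytes.

    "café" can arrive as U+00E9 or as "e" + U+0301 depending on keyboard and OS;
    without NFC normalization the second form would fail to verify. Any Unicode,
    emoji included, then becomes plain UTF-8 bytes, and the length is not limited.
    """
    return unicodedata.normalize("NFC", password).encode("utf-8")


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (hex fields)."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)  # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password_bytes(password), salt,
                                 iterations, dklen=DIGEST_BYTES)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported algorithm {algo!r}")
    candidate = hashlib.pbkdf2_hmac("sha256", password_bytes(password),
                                    bytes.fromhex(salt_hex), int(iterations),
                                    dklen=DIGEST_BYTES)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def stored_digest_size(stored: str) -> int:
    """Bytes of digest actually stored: the same for a 3-character or 300-character password."""
    return len(bytes.fromhex(stored.split("$")[3]))


if __name__ == "__main__":
    # Constructed sample passwords: short ASCII, very long, emoji, and two spellings of "café".
    samples = ["abc", "x" * 300, "🔑 correct horse 🔋 staple", "caf\u00e9", "cafe\u0301"]
    for pw in samples:
        record = hash_password(pw)
        print(f"{len(pw):4d} chars -> {stored_digest_size(record)}-byte digest; "
              f"verifies: {verify_password(pw, record)}")
    # The decomposed spelling typed on another device still verifies against the NFC-hashed record.
    record = hash_password("caf\u00e9")
    print("NFD form verifies against NFC record:", verify_password("cafe\u0301", record))
    print("wrong password verifies:", verify_password("cafe", record))
```

Two details carry most of the security: the salt is random per password, so identical passwords on two accounts produce different records and precomputed tables are useless, and the iteration count is stored alongside the digest, so it can be raised later for new passwords while old records still verify.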

Use the ExpressVPN password generator to create unique and random passwords. You can also use it to get a feeling for how long or random a password should be, or how adding new characters changes the security of your password.

5. Passwords are not supposed to be memorable

There’s really no need to remember more than two or three passwords—because there’s an app for that.

Password managers are a good example of a security tool that makes life both safer and more convenient: they generate and store strong, unique passwords so you never have to remember them. Many also fill passwords into websites automatically, matching the saved entry to the site's address, which protects you from phishing pages on look-alike domains and from accidentally typing a password somewhere else, like your Facebook status.

The only passwords you should have to remember are the password to your computer and the one for your password manager.

6. Passwords are not on their way out

There have been many attempts to replace the password with something else, but so far nobody has shown how to do it securely for everyone.

Biometrics like facial recognition or fingerprints are weak as secrets: they cannot be changed once copied, and you leave them everywhere. They may be useful for identifying you, but not for authenticating you. Asymmetric cryptographic keys could be part of a new system, but a key on its own does not stop man-in-the-middle or phishing attacks unless the signed challenge is also bound to the site the user is actually talking to.

Don’t worry, it’s easy to mitigate password hack risk

The internet might sometimes seem like a scary place, but with some caution, common sense, and some helpful tools, it is easy to avoid even the most serious of threats.

  1. Make sure your computer and phone are always up to date
  2. Use a password manager to store strong and unique passwords
  3. Exercise caution when clicking links in emails or on websites. Save the sites you commonly visit as bookmarks and use those instead.