Passwords Revisited

Revised May 2026

Better Passwords to Survive Modern Hacking

Given enough time, All Passwords Can Be Hacked. This guide can help you choose passwords that a hacker won't crack in a lifetime!

What's My Real Risk?

Most people mistakenly believe they are not likely targets for hackers.
But You Are The Target… and so is everyone else!

Hackers target all accounts because they don't know how much money is there until they get in. At that point, it's free money for them no matter the amount.

All computerized systems are hackable, even bank accounts of people who don't use online banking. Financial institutions use computer systems for all accounts, including checking, savings, retirement and brokerage accounts, and debit cards tied to any account.

Who are the Bad Guys?

Americans Are Perfect Targets
Crimes against U.S. accounts are rarely prosecuted if committed by someone in another country. The average American has more personal wealth than 90% of the World's population, so all Americans look like profitable targets.

A Brief History of Passwords

Understanding how we got to our current sorry state with passwords helps explain why and how we need to update our passwords to survive current risks.

First Computer Password Hack
In the 1960s, mainframe computers used passwords to limit users' time. The first computer password system hack was someone who figured out where the system's Passwords file was stored, and printed it so he could login as anyone and use their time as his own. Obtaining a system’s password list is now known as a Data Breach.

Auto-Logins
It’s still fairly common for personal computers and even phones to auto-login without requiring a password. That gives anyone who turns it on access to its email accounts, files, apps, and passwords. Apple warns that any computing device using "auto-login" has No Security At All.

Passwords Come to the Internet
Internet services and computer systems now use passwords to access email, banking and retirement accounts, and many other online services. When setting up a new account, one is asked for a User Name (email address) and a Password. Extremely short passwords were common on the early Internet. It was just something to show it was you, and, one hoped, it wouldn't be guessed by anyone pretending to be you.

Passwords Before Rules
Most people picked simple passwords to be easy to remember, such as 123456, password, monkey, iluvyou. Even a simple "hello" would do. Occasionally, some rebel would pick "I am the Walrus!" — which is actually fairly strong. (It isn't good, but it was much stronger than most passwords back then.)

Early Systems Administrators assigned short messy passwords — M[sXP# — to manage entire web servers and email systems, believing these would be hard to guess. In 1999, I was assigned a 6-character password which controlled full access to all of my websites and email systems. Its only protection was being hard to guess (and equally hard to remember).

Early Password Rules
In 2003, as Internet use exploded worldwide, the National Institute of Standards and Technology (NIST) commissioned William Burr to prepare a report which became the go-to reference for business and government password policies. Burr’s guide was entirely speculative because there was no data on passwords available to study. His conjectures were reduced to a small set of recommendations:

  1. Passwords should have at least 6 (or 8) characters.
  2. Passwords should not use only lowercase letters.
  3. Passwords should be changed regularly and not be reused.
  4. Passwords should not be written down, but memorized.

Turning his recommendations into rigid rules had unintended consequences as people struggled with creating and recalling passwords for their ever-growing numbers of online accounts.

The Hollywood Hacker Fantasy
Contrary to the movies, no modern hacker sits at a keyboard guessing passwords (unless they find one written on a Post-it note)! Their computer can try candidate passwords millions of times faster than anyone can type them.

Hackers Grow Up
In the good old days, most people’s biggest security worry was that a neighbor kid would use their broadband connection. But suddenly, international criminals were digitally raiding bank accounts, and the password rules weren't stopping them. In fact, 15 years later, NIST’s author, Bill Burr, publicly apologized for the mess his password rules caused, saying: Much of what I did I now regret.

Hackers now harness computers to automate the work. A cracking rig can try 100-Million candidate passwords in less time than it takes to type one by hand, so whether a human could guess your password has become irrelevant.

Even now, Password Guessing is still what many people mistakenly fear about hackers. They hope that a password no one would guess is safe, but it's not!

The question has become: Is it hackable by a machine?

Every Password is Hackable

Given enough time, all passwords can be hacked. With Time as the critical element, hackers have developed new techniques to discover passwords quickly.

Here are some of the most common password attacks:

  1. Credential Stuffing
  2. Password Spraying
  3. Dictionary Attacks
  4. Brute Force Attacks

Tens of billions of passwords have been exposed in data breaches. Hackers have lists of them to use in attacks, running billions of passwords in just a few seconds. (Ain’t computers great?)

Credential Stuffing
Security researchers at large web services report that credential stuffing makes up a large share of all the login attempts they see, at times the majority. One server is targeted rather than a specific user account. Billions of account name and password pairs from past data breaches are replayed against the server to see which ones still work. Enough matches occur to make these attacks profitable. If you have reused a password on more than one account, it will eventually end up in a Credential Stuffing attack.

Password Spraying
This is a fast attack where the hacker tries a small set of the most common passwords against a large group of known accounts, keeping the attempts per account low enough to stay under lockout thresholds. It succeeds far more often than it should, because most people choose a password with no idea how common it is!

Dictionary Attacks
These use compilations of All the Words, in every language the attacker can find, plus lists of previously breached passwords. Even across hundreds of languages, the number of actual words is tiny compared with the number of possible character strings, so a whole dictionary runs in seconds. These dictionaries are sold and traded among hackers. Substitutions for some letters (numeral one for a lowercase L, 4 for A, $ or 5 for S or s, etc.) are so predictable that cracking tools apply them automatically as "mangling rules." Dictionary attacks work against passwords based on a single word of any length, however it is decorated.

Brute Force Attack — BFA
The BFA is a hacker’s last resort, but it is fully capable of cracking every possible password! It runs all combinations of keyboard characters from the shortest length allowed by the password rules, up through longer and longer combinations until it finds the one that works. Because a login page locks or throttles an account after a handful of failures, brute force is run offline against a stolen copy of a server's password hashes, where the only limit is the hacker's hardware. BFAs eventually find any and all passwords unless the hacker runs out of Time! You need a password that is too long to find before the hacker moves on to easier victims. Most people pick passwords that don't take long to find, making them the "low-hanging fruit" on which hackers feed.

Password Rules to Survive Modern Hacks

In our brave new world, we need passwords that won’t be found using any of these attack methods in the time a hacker can commit to the attack.

The password rules of 2003 encouraged people to pick passwords that will be cracked in seconds by modern attacks; after all, hackers devised these attacks based on how people responded to the old rules!

New rules must meet the old requirements still used in most systems, but these new rules can also fend off modern attacks.

  1. Never reuse any password, ever!
  2. Always include all 4 character types.
  3. Password length should be as long as possible.
  4. Use only unique passwords.
  5. Keep a record of your passwords.

These are all different than the old rules, so some explanation is needed.

Never reuse any password, ever!
No matter how strong you think your password is, use a different password for each and every account. If you change a password, don’t pick one you’ve ever used anywhere, even if you no longer use it elsewhere. This reduces the risks from attacks using previously breached passwords.

Include All 4 Character Types
Using all 4 character types (uppercase, lowercase, numerals, and symbols/punctuation) ensures that a Brute Force Attack takes far longer than with just numbers or lowercase letters. The more keys in play, the more combinations there are to try.

For example, at a rate of one trillion guesses per second, trying every 12-character password takes about 1 second if it’s all numerals (10 keys, 10^12 combinations), about a day if it’s all lowercase letters (26 keys, roughly 10^17 combinations), but about 17,000 years if all 4 character types are included (95 keys, roughly 5×10^23 combinations). That rate assumes the hacker has stolen the password file and it was stored with a fast hash; a slow, salted hash such as bcrypt cuts the rate by a factor of millions, and an online login form that locks or throttles after a few failures cuts it to almost nothing.

Making a Brute Force Attack take way too long is our only defense against that attack. Time matters, which leads into our next rule…
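The arithmetic behind those figures is worth having in a form you can rerun as hardware changes. The following is an added example, not code from the original page. The guess rates are assumed figures: 10^12 per second models a GPU rig against a fast, unsalted hash, 10^5 per second models the same rig against a deliberately slow hash such as bcrypt.

```python
"""Added example: brute-force cost calculator for the keyspace arithmetic
in the text. The guess rates are assumptions, not measurements."""
import math

# Alphabet sizes for the character types discussed in the text
# (95 = every printable ASCII character on a US keyboard).
DIGITS = 10
LOWER = 26
ALPHANUMERIC = 62
ALL_FOUR_TYPES = 95

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumed attacker speeds in guesses per second.
FAST_HASH_GPU = 1e12   # e.g. NTLM or unsalted MD5 on a GPU rig
SLOW_HASH_GPU = 1e5    # e.g. bcrypt at a sensible cost factor


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst case: every candidate is tried. The expected time is half this."""
    return keyspace(alphabet_size, length) / guesses_per_second


def years_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    return seconds_to_exhaust(alphabet_size, length, guesses_per_second) / SECONDS_PER_YEAR


def bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a password drawn uniformly at random from this keyspace."""
    return length * math.log2(alphabet_size)


def length_for_years(alphabet_size: int, target_years: float, guesses_per_second: float) -> int:
    """Smallest length whose full keyspace takes at least target_years to exhaust.
    Integer loop rather than a logarithm so borderline cases round correctly."""
    needed = target_years * SECONDS_PER_YEAR * guesses_per_second
    length = 1
    while keyspace(alphabet_size, length) < needed:
        length += 1
    return length


def human(seconds: float) -> str:
    """Rough human-readable duration."""
    if seconds < 60:
        return f"{seconds:.1f} seconds"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:,.0f} years"


if __name__ == "__main__":
    for name, n in [("digits", DIGITS), ("lowercase", LOWER), ("all four types", ALL_FOUR_TYPES)]:
        fast = human(seconds_to_exhaust(n, 12, FAST_HASH_GPU))
        slow = human(seconds_to_exhaust(n, 12, SLOW_HASH_GPU))
        print(f"12 chars, {name:15s} {bits(n, 12):5.1f} bits  fast hash: {fast:>14s}  slow hash: {slow}")
    print("digits needed for 1 year at 1e12/s:", length_for_years(DIGITS, 1, FAST_HASH_GPU))
    print("all-type chars needed for 1 year at 1e12/s:", length_for_years(ALL_FOUR_TYPES, 1, FAST_HASH_GPU))
```

Running it shows why both rules matter: 12 digits fall in a second, 12 lowercase letters in about a day, and 12 characters from all four types in about 17,000 years, and the slow-hash column multiplies every figure by ten million.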

Password Length: As Long As Possible
With current computer speeds, anything less than 15 characters may already be too short to be safe in some Brute Force Attacks. Make your passwords as long as you can stand. In 2003, the minimum recommended password length was 6; by 2010 it was 8; in 2020 it was 12; and by 2024 it was 15 or 16. That minimum length will keep increasing because computers keep getting faster. As I revise this in 2026, my recommendation is over 20 characters.

Future-proof your passwords now by making them significantly longer than the minimums, and review your passwords annually to be sure they still exceed recommendations.

Use Only Unique Passwords
This is an expansion of the first rule — never reusing passwords — but putting it on steroids — never reuse anyone else’s passwords either! This requires some explaining because nobody knows all of the passwords ever used.

Death of an Almost Unique Password
Imagine you’ve come up with a 25-character password that you’ve never used before. It has all 4 character types and doesn’t look anything like a dictionary word. Now suppose that just by chance that same string of characters was used just once, anywhere on earth, by someone else, and later that server's passwords were stolen. So now that exact password is waiting in some hackers’ attack kit, ready to open your account the second it's targeted!
Your perfect password just died, and nobody told you.

How do you avoid a password that someone else might have used or might pick in the future? This requires truly unique passwords.

What is Unique?

  1. Unique means one-of-a-kind — unlike any other.
    It’s an absolute quality. A thing is either unique or not unique. There is no sliding scale. "Nearly Unique" really means Not at all Unique!
  2. Unique is Not Random
    Though often used interchangeably in password discussions, Unique and Random are different properties. Picking something randomly does not by itself make it unique. The ordinary random-number function in most programming languages produces a predictable sequence from a starting seed, and it can and does repeat, so a password pulled from it is neither unique nor truly random. A cryptographic generator (the kind a good password manager uses) has no such pattern, and a long password drawn from it is astronomically unlikely to match anyone else's, but "astronomically unlikely" is a probability, not a guarantee. Any method can generate a value that is unique within that system, but nothing can assure that no other method will ever generate the same value.
  3. Words are never unique. Substituting numbers and symbols for letters won’t help because the human mind does pattern recognition. Many of us will choose the very same substitutions, making them predictable instead of unique. Cleverness can't create unique passwords with dictionary words and substitutions.
  4. Phrases and lyrics are not unique. They are organized words. Consider these examples:
    • “Great minds run in the same ruts.”
    • "Mary had a little lamb."
    Lyrics and phrases are never unique! You need something less predictable than a phrase you already know to avoid duplication on a world-wide scale.

Beware of Entropy
Entropy creeps into most password discussions, so a word about it. Entropy measures how many equally likely choices a password was drawn from: a password picked uniformly at random from N possibilities has log2(N) bits, and for a random generator that number is exact and objectively measurable. The trouble is human-chosen passwords. Nobody can measure how many choices you really considered, so "strength meters" that report bits of entropy for a password you typed are only guessing at your habits, and different meters disagree with each other. When you see an entropy score for a password you made up yourself, treat it as a rough hint, not a measurement, and move on to the next paragraph… like I'm doing now.

While there is no guaranteed recipe for uniqueness, there are ideas to help craft unique passwords.

Attempting Uniqueness

  1. Pick two or more unrelated words — not a phrase, not song lyrics, not a quote or saying — but words that you cannot imagine being used together. Don’t assume these words are unrelated — you’ll usually be wrong. After all, something made you think of them together.
  2. Search for your words together on the internet to make sure they aren’t used together. Search for the words, never for the assembled password. When you finally find words that don't return any search engine results, you’re ready to go. (You may have to misspell one or more words to get this far.)
  3. Now slap them together with a symbol, punctuation, or number separating them, then stick another character type at either or both ends. Capitalize one or more of the letters, but not at the start of a word.

You should now have a password containing all 4 character types that you’ve never used before (and won't ever use again), with a strong probability that nobody else will either. You’ve given it your best shot, so it's ready to use — unless you want to make it even lo-o-o-o-onger.

Longer is always a good improvement. (If your new password is still under 20 characters, add a repeated letter at the end.) Making any password longer improves its resistance to Brute Force Attacks.
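Steps 1 and 2 are judgment calls, but step 3 and the five rules it feeds are mechanical enough to put in code. The following is an added example, not code from the original page: assemble() carries out step 3 (separator, one non-initial capital, extra character types at the ends, padding to 20), and check_rules() verifies the rules a program can check, using a vault and a breach list that are constructed sample data. The seed parameter exists only for reproducible demonstrations; real use takes the default, which draws from the operating system's cryptographic generator.

```python
"""Added example: assemble step 3 of the recipe and check the result against
the rules that can be checked mechanically. Word, vault and breach lists in
the demo are constructed sample data. Words are assumed to be alphabetic and
at least two letters long."""
import random
import secrets
import string

SYMBOLS = "!@#$%^&*_-+=?"
SEPARATORS = string.digits + SYMBOLS
MIN_LENGTH = 20


def character_classes(password: str) -> dict:
    """Which of the 4 character types the password contains."""
    return {
        "uppercase": any(c.isupper() for c in password),
        "lowercase": any(c.islower() for c in password),
        "numeral": any(c.isdigit() for c in password),
        "symbol": any(not c.isalnum() and not c.isspace() for c in password),
    }


def check_rules(password: str, vault=(), breached=(), min_length: int = MIN_LENGTH) -> list:
    """Return a list of rule violations; an empty list means it passes.
    Rules 2 and 3 are checked directly. Rules 1 and 4 can only be approximated:
    `vault` is your own list of passwords, `breached` a breach list."""
    problems = []
    if len(password) < min_length:
        problems.append(f"too short: {len(password)} < {min_length}")
    missing = [name for name, present in character_classes(password).items() if not present]
    if missing:
        problems.append("missing character types: " + ", ".join(missing))
    if password in vault:
        problems.append("already used on another of your accounts")
    if password in breached:
        problems.append("appears in a breach list")
    return problems


def assemble(words, seed=None, min_length: int = MIN_LENGTH) -> str:
    """Step 3: join with a separator, capitalize one letter that is not the
    first letter of its word, put a numeral and a symbol at the ends, then
    pad with a repeated letter if still under min_length."""
    rng = secrets.SystemRandom() if seed is None else random.Random(seed)
    words = [w.lower() for w in words]
    # Capitalize a non-initial letter (assumes each word has at least two letters).
    candidates = [(i, j) for i, w in enumerate(words) for j in range(1, len(w)) if w[j].isalpha()]
    i, j = rng.choice(candidates)
    words[i] = words[i][:j] + words[i][j].upper() + words[i][j + 1:]
    body = rng.choice(SEPARATORS).join(words)
    result = rng.choice(string.digits) + body + rng.choice(SYMBOLS)
    if len(result) < min_length:
        result += rng.choice(string.ascii_lowercase) * (min_length - len(result))
    return result


if __name__ == "__main__":
    # Constructed sample data: a vault of existing passwords and a breach list.
    vault = {"monkey", "iluvyou"}
    breached = {"123456", "password", "I am the Walrus!"}
    for pw in ["monkey", "I am the Walrus!", assemble(["walrus", "spreadsheet", "pickle"])]:
        print(f"{pw!r}: {check_rules(pw, vault, breached) or 'passes'}")
```

The breach-list check is only as good as the list you feed it; the warning below about search engines applies to any service that would see the password itself.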

You’ve Come a Long Way

We’ve moved your passwords from monkey to something more like: filBerg2bargainst_sfff*.

Is there any way to guarantee that nobody else will ever come up with that same text string to use as a password? No, but it’s far less likely if you follow the suggestions above.

WARNING!  Do not run your final password through any Search Engine or A.I. system to test or check it! Those searches and prompts are being used for A.I. training, so testing your password there will make it part of some A.I.'s training data eventually available to everyone else on Earth!
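The warning is about the password itself leaving your machine. There is one kind of check designed so that it never does: the range query used by Have I Been Pwned's Pwned Passwords service sends only the first five hex characters of the password's SHA-1 hash, the server returns every known hash suffix in that range, and the comparison happens locally. The following is an added example, not code from the original page or from that service; the server response used for the demonstration is constructed, and fetch_range() makes the real query only when you run the script yourself.

```python
"""Added example: breach-list lookup by k-anonymity range query. Only a
5-character hash prefix is ever sent; the password and its full hash stay
local. The sample response in the demo is constructed."""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_split(password: str) -> tuple:
    """Uppercase hex SHA-1 split into the 5-char prefix that is sent and the
    35-char suffix that is compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, response_text: str) -> int:
    """Local comparison: how many times this password appeared in breaches."""
    _, suffix = sha1_split(password)
    return parse_range_response(response_text).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """The only network call: just the 5-character prefix leaves the machine."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "password-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def is_breached(password: str) -> bool:
    prefix, _ = sha1_split(password)
    return breach_count(password, fetch_range(prefix)) > 0


if __name__ == "__main__":
    # Constructed response covering the range for "password".
    _, suffix = sha1_split("password")
    sample_response = "0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n" + suffix + ":3730471\r\n"
    print("password:", breach_count("password", sample_response))
    print("filBerg2bargainst_sfff*:", breach_count("filBerg2bargainst_sfff*", sample_response))
```

A password that returns a nonzero count is already in hackers' lists and has died the death described above; a zero count proves only that it is not in that particular list.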

Record Your Passwords!

That old rule about memorizing passwords and never writing them down encouraged people to do dumb stuff like choosing passwords that were as short as possible, picking easily-memorized passwords, and reusing them. Now we can securely and easily use Password Managers to keep track of Passwords that are far too long and messy to memorize.

If you can actually memorize all of your passwords, you have either a rare and remarkable memory or remarkably awful passwords. Use a password manager.

Well-reviewed Password Managers:

  1. iCloud Keychain — the Passwords App on Apple devices
  2. 1Password from AgileBits Inc.
  3. BitWarden from BitWarden.com
  4. Dashlane from Dashlane Inc.

    The list above is not exhaustive nor an endorsement, just a good place to start.*

The first is included in Apple's iCloud system for all Apple computing devices. It even handles PassKeys. The next two are the most-frequently mentioned by techies as their personal favorites, but people tend to recommend the one they currently use as long as it works for them.

Review them all to see what they offer and compare any fees. They are available online and in Apple’s App Store, and they can be setup to work across multiple computer platforms and devices.

* Older versions of this document also listed LastPass and RememBear. They were removed early in 2023 because LastPass had a major security breach, allowed weak encryption, and lacked transparency in reporting their breach. RememBear was discontinued that year.

Beyond Passwords — What More Can We Do?

There are several ways to secure your accounts beyond what passwords alone can do:

Two-Factor Authentication
2FA adds a second proof beyond the password: most commonly a one-time code from an authenticator app or a hardware key, or, less securely, a code sent by text message or email that the user must re-enter to show they control that phone number or address. Though not foolproof (a phishing site can relay a code in real time, and text messages can be hijacked by a SIM swap), 2FA is a huge security improvement over passwords alone. Microsoft has reported that it blocks over 99.9% of automated attacks on accounts, because a hacker who has only the password won't have the code to complete the login. If your account offers 2FA, USE IT! If any of your financial institutions don't offer 2FA, complain and/or change companies. 2FA is essential security on any financial account.

PassKeys
PassKeys replace the password with a cryptographic key pair. The private key never leaves the user's device (or its synced keychain); the server stores only the matching public key and, at login, sends a fresh challenge that the device signs. A hacker who breaches the server gets only public keys, which cannot be used to log in, and because the key is bound to the real site's address, a look-alike phishing site gets nothing it can replay. Unlocking the key requires the device's biometric or PIN, so someone other than the device owner cannot use it for access. PassKey technology is not universally available. It is mainly being added alongside existing password logins, which remain vulnerable until the old password path is disabled. That's not happening yet for most accounts.

Authenticators
These are special apps and security keys (dongles) that prove possession of a secret when connecting to a server. Authenticator apps hold a shared secret and generate a short code from it and the current time, which the server recomputes and compares; hardware keys hold a private key and sign a challenge from the server. Businesses use them to restrict access to employees who hold the app or key. Some Authenticators let users enroll their own secrets, while others are preset by the issuing company. Either way, the ability to log in lives in the device, not in anything the user knows or could be tricked into typing.

Are We There Yet?

Probably not. Artificial Intelligence & Quantum Computing are coming right at us.

Artificial Intelligence
A.I. has given hackers new tools to predict the most likely combinations of characters people will choose for passwords. Having been trained on billions of known passwords, A.I. systems may speed up any attack type to take less time than it does now.

Quantum Computing
QC has been in development since the 1990s. It has been described as "highly likely in the next 2 years" for most of the last 25 years. Quantum computers don't simply run today's operations faster; they run different algorithms, and for password cracking the relevant one is Grover's search, which cuts the work of trying every combination roughly to its square root. That is a huge speedup but not an instant one: an attack that needs 95^20 guesses today would need about 95^10, which is why doubling the length of a password roughly restores the margin. Nobody knows when, or whether, machines large enough to do this will exist. Quantum Computing seems to be getting faster without getting any closer, still described as very likely in a few more years.

Final Thoughts

Password Security remains a moving target. Do your best, protect yourself,

"…and remember, Don't Get Caught!"
The Scarlet Pimpernel

