
Passwords, Passphrases, and Passkeys

How many accounts do you have that require passwords?

We have hundreds of passwords, if not thousands

Research shows that the average person has several hundred passwords. Do you have a unique one for every single account? Many people reuse passwords, and it makes sense: we simply do not have the time or mental bandwidth to memorize hundreds of them, especially if they are as long, random, and unique as they should be. Why would we do that when we could use that time and energy to dismantle Empire instead?

We are humans amongst other humans

We’re trying our best, and with our very humanness, we tend to have similar behavior to each other. One of these behaviors is using the same password or some iteration of it across all of our accounts. There are even public lists online of top passwords that are used. Here’s a top ten list:

  1. 123456
  2. 123456789
  3. qwerty
  4. password
  5. 12345
  6. qwerty123
  7. 1q2w3e
  8. 12345678
  9. 111111
  10. 1234567890

Perhaps you don’t see yours here because these seem entirely too obvious. But look at the top 100, top 200, and top 1,000 lists, and we humans still congregate toward the same patterns, and those patterns are exactly what cracking tools try first. A pet’s name followed by four digits may look random to a stranger, but to an attacker it reads as a loved one’s name plus a birth year, and a rule-based cracker generates every such combination in seconds. Unfortunately for us, many humans think this way: we choose things around us to help us remember.

Even unique passwords get leaked

We want our passwords to be on none of those lists. Attackers feed them straight into automated login attempts (dictionary attacks) and, when a breach exposes email and password pairs, replay those pairs against every other popular site (credential stuffing). That is the real cost of reuse: even a unique, strong password, once exposed in a breach, joins the public lists, and any other account protected by the same password falls with it.

So what can we do? We need to use tools that will help us have better passwords.

I believe one day we will not have passwords at all because we’ll have secure controlled entry methods paired with tools like passkeys. Many platforms are already moving toward passwordless environments.

We need a combination of tools.

Password managers with passphrases

Password managers keep track of your hundreds of passwords so you don’t have to, which enables them to be more complex and random. The two big questions I get asked about password managers are: what if someone gets the password that you use to your overall password manager, and then what if the password manager itself gets hacked?

With a password manager, you only have to remember one excellent password. So make it a passPHRASE or even a passSENTENCE: several unrelated words, long enough that no guessing tool will reach it. Every extra character or random word multiplies the number of guesses an attacker needs, so stretching an eight-character password into a four- or five-word random passphrase turns an attack that might take hours into one that would outlast the attacker.

I counted how many passwords I have. I have over 1000 unique passwords. I do not know any of them by heart. My password manager allows me to have complex, random, and long passwords that I do not need to know. You should have passwords that you don’t remember (except for the one to access the password manager, of course) because they should be that complicated, unique, and robust.

Password managers specialize in protecting your data; it is their entire job. A good manager never stores your master passphrase at all. It runs the passphrase through a deliberately slow key derivation function (PBKDF2 with hundreds of thousands of iterations, or Argon2) to produce an encryption key, and encrypts the vault with a standard cipher such as AES-256 under that key. Decryption happens on your device, so the company only ever holds the encrypted blob. If that blob is stolen, the attacker’s only route in is to guess master passphrases one at a time, paying the full derivation cost for every guess. Against a strong, unique passphrase that is a multi-lifetime job; against "password123" it is minutes.

On an approaching note of our technological reality, computing power keeps growing: a rack of GPUs already makes billions of guesses per second against fast hashes, and quantum computers may eventually shave more off. (Quantum search roughly halves the effective strength of symmetric keys and password hashes rather than breaking them outright, which is one reason long passphrases and 256-bit keys still hold up.) Work factors and passphrase lengths will have to keep rising to stay ahead.

Password managers have certainly been breached in the past, and those with good key derivation practices fared better. The sticky cases were those where attackers compromised an employee’s machine and from there reached backups of customer vaults. What hurt was the data the vendor had left unencrypted (for example URLs and notes) and customers whose master passwords were weak, rather than the encrypted password fields themselves. Do your research and use a well-reviewed password manager: check whether it has had breaches, how it responded, and whether it encrypts everything in the vault rather than just the password fields.
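To make the two preceding points concrete (a random passphrase is far stronger than a chosen one, and a stolen vault is only as safe as the master passphrase behind its slow key derivation), here is an added example in Python. It is not code from this post or from any password manager product. It derives a vault key with PBKDF2-HMAC-SHA256, stores only a salt and a verifier, and then plays the attacker who has stolen that record and tries the top-ten list from above plus a small dictionary. The 16-word `WORDS` list and the `DEMO_ITERATIONS` work factor are constructed for the example; real word lists have thousands of entries and real managers use far more iterations (or Argon2id). The AES encryption of the vault contents is not shown.

```python
import hashlib
import math
import os
import secrets
import time
from itertools import product
from typing import Iterable, Optional, Tuple

# Constructed stand-in for a word list; real Diceware-style lists have ~7776 words.
WORDS = ["anchor", "basil", "copper", "dune", "ember", "fjord", "gable", "harbor",
         "iris", "juniper", "kestrel", "lantern", "marble", "nectar", "orchid", "pewter"]

# The top-ten list quoted on the page: the first guesses any cracking tool makes.
TOP10 = ["123456", "123456789", "qwerty", "password", "12345",
         "qwerty123", "1q2w3e", "12345678", "111111", "1234567890"]

# Hypothetical work factor, kept low so the example runs in seconds; real managers
# use hundreds of thousands of PBKDF2 iterations (or Argon2id) for this step.
DEMO_ITERATIONS = 10_000


def make_passphrase(n_words: int, wordlist=WORDS) -> str:
    """Choose n words uniformly with a CSPRNG (secrets, never random.choice)."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def entropy_bits(n_words: int, wordlist_size: int) -> float:
    """Entropy of a uniformly chosen passphrase: log2(size ** n_words)."""
    return n_words * math.log2(wordlist_size)


def derive_vault_key(master: str, salt: bytes, iterations: int) -> bytes:
    """The slow, salted key derivation a manager runs on the master passphrase.
    The 32-byte result is the key that would encrypt the vault (AES-256-GCM in
    a real product; the encryption step itself is not shown here)."""
    return hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, iterations, dklen=32)


def create_vault(master: str, iterations: int = DEMO_ITERATIONS) -> dict:
    """Persist only salt, iteration count and a verifier of the key: neither the
    passphrase nor the key itself is ever written down."""
    salt = os.urandom(16)
    key = derive_vault_key(master, salt, iterations)
    return {"salt": salt, "iterations": iterations,
            "verifier": hashlib.sha256(key).digest()}


def offline_crack(vault: dict, guesses: Iterable[str]) -> Tuple[Optional[str], int]:
    """An attacker holding the stolen vault record must pay the full KDF cost per
    guess. Returns (recovered passphrase or None, number of guesses spent)."""
    tried = 0
    for guess in guesses:
        tried += 1
        key = derive_vault_key(guess, vault["salt"], vault["iterations"])
        if hashlib.sha256(key).digest() == vault["verifier"]:
            return guess, tried
    return None, tried


def attacker_wordlist() -> list:
    """Top-ten list, every single word and every two-word phrase from WORDS."""
    pairs = [" ".join(p) for p in product(WORDS, repeat=2)]
    return TOP10 + list(WORDS) + pairs


def seconds_to_exhaust(bits: float, kdf_seconds: float) -> float:
    """Worst-case time for an attacker who needs 2**bits guesses at one KDF each."""
    return (2.0 ** bits) * kdf_seconds


def demo() -> dict:
    weak_vault = create_vault("password")
    strong = make_passphrase(4)            # e.g. "fjord marble basil orchid"
    strong_vault = create_vault(strong)

    t0 = time.perf_counter()
    derive_vault_key("timing probe", b"\x00" * 16, DEMO_ITERATIONS)
    per_guess = time.perf_counter() - t0   # cost of ONE guess on this machine

    weak_hit, weak_tries = offline_crack(weak_vault, attacker_wordlist())
    strong_hit, strong_tries = offline_crack(strong_vault, attacker_wordlist())

    return {
        "weak_recovered": weak_hit, "weak_guesses": weak_tries,
        "strong_recovered": strong_hit, "strong_guesses": strong_tries,
        "strong_bits": entropy_bits(4, len(WORDS)),
        "seconds_per_guess": per_guess,
        # five words from a real 7776-word list, at this machine's KDF speed
        "years_for_5_real_words": seconds_to_exhaust(entropy_bits(5, 7776), per_guess) / 3.15e7,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The weak vault falls on the fourth guess; the four-word vault survives the whole dictionary because no entry in it is four words long. The `years_for_5_real_words` figure is the part worth staring at: it scales with both the passphrase entropy and the per-guess cost, which is exactly the pair of knobs (your passphrase, the manager's iteration count) this section is about.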

Multifactor authentication and passkeys

Protect every account possible with multifactor authentication (MFA). Text-message codes are the weakest form: a phone number can be hijacked by convincing the carrier to move it to a new SIM (SIM swapping), and the messages themselves can be intercepted or phished. When the site offers it, use an authentication app instead of text verification.

Authentication apps generate time-based one-time passwords (TOTP): a six-digit code (sometimes eight) that changes every 30 seconds. The app and the site share a secret, set up when you scan the enrolment QR code, and each side derives the current code from that secret and the current time, so the app works without any network connection. We are all familiar with racing to copy the code in before the timer runs out. One caveat: a code phished from you in real time is valid for the rest of its window, so app-based codes defeat SIM swapping but not a convincing fake login page.

Many companies are now also offering passwordless passkey access. A passkey is a public/private key pair created for one site: the private key stays on your device (or is synced through your password manager) and is unlocked with the device’s biometrics or PIN, while the site keeps only the public key. To sign in, the site sends a challenge and your device signs it, and that signature is bound to the site’s real domain, so a lookalike phishing page cannot collect anything it can use. This is, for instance, what is happening when you have to find out where you left your phone because your laptop asks you to approve the sign-in there. A hacker or thief would need physical access to your unlocked device (both your laptop and your phone, in that cross-device case) to gain access to your account.

Combining something stored locally, something held by the provider, something that expires in seconds, and something that lives on a separate device multiplies the obstacles between an attacker and your account.

Security Keys

Using a physical multifactor security key is bringing it up a notch. At banks when you have a safe deposit box, they often use the two-key system where the bank has a key, and you have one. Both are required to open your deposit box. This creates additional layers to slow thieves down.

A security key is a small hardware device (USB, NFC or Bluetooth) that you plug in or tap when prompted. It holds a private key that never leaves it and signs a challenge that includes the site’s domain, so, like a passkey, it cannot be phished by a lookalike site. Even if hackers get into one of your devices or learn your password, they would also need to physically take the security key from you to get into your account. Buy two and register both, so that losing one does not lock you out.

This is your sign

Do not try to remember all of your passwords, not only because it is impossible to have strong passwords if you choose that route, but also because you simply do not need to remember them. And as mentioned before, we can use all of that energy to fight the system instead.

So if you still do not have a password manager yet, this is your sign. Once you have one, guard your main passPHRASE: never reuse it anywhere else, and change it promptly if you ever suspect it has been exposed (rotating a strong, unique passphrase on a fixed schedule adds little and tempts you into weaker choices). Use a multifactor authentication app over receiving text codes, and if you want an additional security layer, use passkeys and/or security keys, which also close the phishing gap that codes leave open.

Stay private and secure out there all. As always, I’ll share much more in our fight to protect ourselves within and against Empire.

Published in Digital Security
