Happy World Password Day. It’s 2025 and much to the ire of security experts and regular people alike, we’re still using passwords.
Passwords are a pain to remember and enter every time you log into your ever-increasing multitude of connected devices and online accounts. And they can be cracked, with new technology like artificial intelligence tools making it easier for cybercriminals to guess or steal them.
New technology like passkeys and password managers can go a long way toward reducing the need for passwords in daily life, but the problem is they just haven’t caught on with a lot of companies or consumers, said Mike Kosak, senior principal intelligence analyst for password manager provider LastPass.
“I think a lot of it is a comfort level,” Kosak said. “I think a lot of people have grown up with [passwords], they’re easy to implement, easy to authenticate.”
But while change can be uncomfortable, changing to passkeys would be well worth it. Experts say they offer a better user experience than passwords, while eliminating the risks of weak, reused and compromised passwords, not to mention phishing attacks.
And what better occasion to push for change than World Password Day, which this year falls on May 1. It’s a totally made-up celebration created by Intel back in 2013. Traditionally, it’s intended as a reminder to take a close look at your logins and make sure they check the required security boxes.
And until passkeys, or some other new technology, become standard, we all need to make sure that we’re doing our best to set good passwords. That means long, random and unique passwords for every single account. That’s a tough ask for most people these days, but a good password manager can help.
Password managers remember your passwords for you and only require you to remember one master password to access them.
While it may seem wrong to put all of your precious logins in one place, that’s just not the case, says Iskander Sanchez-Rola, director of AI and innovation for Norton.
“You’re actually not putting all your eggs in one random basket, you’re putting them in a titanium vault with lasers and a moat,” Sanchez-Rola said.
But you’ll still need to remember at least one password even with a password manager. Thankfully, a little effort can go a long way toward making your passwords great ones and keeping your data safe. Here are some tips for doing just that.
Tips for good passwords
Longer is better. At least 16 characters is best. At that point, you don’t have to worry so much about password-cracking software. Random sequences of characters are best, but passphrases, such as a combination of three unrelated words, will be OK in most circumstances. Throwing in a special character, such as a symbol or punctuation mark, in the middle won’t hurt.
Remember: If you use a passphrase, make sure the words only have meaning to you and don’t signify anything important. “Red Sox Rule” might be a great way to show your loyalty to the team, but it isn’t a terribly secure passphrase. Don’t use your birthday or another significant personal date because cybercriminals can find them easily. Song titles and famous quotations are also bad ideas. Avoid cliche substitutions, such as using @ for “at” or “a,” and $ for “s.”
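As an added illustration (not part of the original article), the Python sketch below shows how a signup form or a personal audit script could apply these tips: it enforces the 16-character minimum, flags date-like digits, and undoes the cliche substitutions before comparing against a denylist. The denylist, the substitution table and the function names are constructed for this example.

```python
import re

MIN_LENGTH = 16  # minimum length recommended in the tips above

# Constructed sample denylist; a real check would use a large corpus of
# breached passwords, team names, song titles and famous quotations.
DENYLIST = {"redsoxrule", "password", "letmein", "hotelcalifornia"}

# Cliche substitutions mapped back to the letters they stand in for.
SUBSTITUTIONS = str.maketrans(
    {"@": "a", "$": "s", "0": "o", "1": "l", "3": "e", "!": "i"}
)

# Heuristic for date-like digits: a year from 1900-2099, or a 6-8 digit run
# such as MMDDYY or MMDDYYYY. It cannot know whose birthday it is.
DATE_PATTERN = re.compile(r"(19|20)\d{2}|\d{6,8}")


def normalize(candidate):
    """Lowercase, undo cliche substitutions, keep letters only."""
    undone = candidate.lower().translate(SUBSTITUTIONS)
    return re.sub(r"[^a-z]", "", undone)


def audit_password(candidate):
    """Return a list of findings; an empty list means no rule was tripped."""
    findings = []
    if len(candidate) < MIN_LENGTH:
        findings.append("too_short")
    if DATE_PATTERN.search(candidate):
        findings.append("contains_date")
    core = normalize(candidate)
    if any(phrase in core for phrase in DENYLIST):
        findings.append("denylisted_phrase")
    return findings


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for sample in ("R3d$0xRule!", "Red Sox Rule 1986!!", "vK8#qTz2mW!rLp9xB"):
        print(sample, "->", audit_password(sample) or "no findings")
```

Because the substitutions are reversed in a single table lookup, “R3d$0xRule!” is treated exactly like “Red Sox Rule,” which is why swapping symbols for letters adds so little protection.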
Resist the temptation to recycle. Even the best passwords can be stolen and compromised. So limit the fallout by making sure you set unique passwords for all of your accounts. Sure, that could be a lot to handle since we’re recommending 16-character or longer passphrases.
As mentioned before, if you need help, sign up for a password manager. Both free and paid options are available. Many internet browsers can also help you out with this task, though they don’t always work across your various devices.
Sanchez-Rola also notes that password managers can help by flagging spoofed websites. If you click on a link in an email that looks like it’s coming from your bank, but instead takes you to a look-alike scam site, the password manager isn’t going to automatically enter your login information.
Change can be good. Most experts now say that you don’t actually need to change your passwords on a regular basis. But they all agree that you should change them right away at any hint of compromise. The rise of AI and automated technologies has made it easier for cybercriminals to launch mass attacks, Kosak says. People can’t afford to assume they won’t be targeted.
Additionally, if one of your accounts is compromised and you’re given the option of logging out of all other devices, do it before you change your password, Kosak says. If you don’t, you could leave an online attacker logged in and they might even change the password behind you.
Log out of shared devices. If you use a shared computer at a cafe, or log into your Netflix account on a friend’s TV, remember to log out when you’re done, Sanchez-Rola says. The next person to use the device might not do anything malicious, but you might pay the price if their security practices aren’t as strong as they should be.
Keep your details off social media. The more personal details you post, the more cybercriminals know about you. Those little, seemingly unimportant, bits of data could be used to crack your passwords.
Always, always use 2FA. If your password does get compromised, a second layer of protection will go a long way toward protecting you. Two-factor authentication, also called multifactor authentication, is being used by a growing number of sites and requires someone trying to access your account to also enter a second form of ID.
It could be a code generated by an app, a biometric like a fingerprint or facial scan, or a physical security key that you insert into your device. Yes, that will slow you down as you access the account. But it’s worth it to keep your account safe. If 2FA is available, use it.
One word of warning: If you can, avoid 2FA systems that text a code to your smartphone. SIM swapping, a scam in which a cybercriminal takes over your phone number, is on the rise. If a criminal takes over your phone number, they’ll get your 2FA text message, too.