Skip to main content

The one and only password tip you need. Almost everything we told you about passwords was wrong!

Posted: by
https://www.malwarebytes.com/blog   

OK, it’s time for me to keep a promise.

Back in October 2022, I wrote an article called Why (almost) everything we told you about passwords was wrong. The article summarizes how a lot of what you’ve been told about passwords over the years was either wrong (change your passwords as often as your underwear), misguided (choose long, complicated passwords), or counterproductive (don’t reuse passwords).

Most damningly of all, the vast effort involved in dispensing this advice over decades has generated little discernible improvement in people’s password choices. If it hasn’t quite been a wasted effort, it has certainly represented a galactically inefficient use of resources.

We know that this advice isn’t what it’s cracked up to be thanks to intrepid researchers, such as the folks Microsoft Research, who made it their business to discover what actually makes a difference to password security in the real world, and what doesn’t.

If you want the full, three-course meal version of why all the password advice you've been told stacks up to much less than the sum of its parts you can read the original article. Here's the snack version:

How strong, long, and complicated your password is almost never matters in the real world. The most common type of password attack is credential stuffing, which uses passwords stolen in data breaches. It works because it's so common for people to reuse the same password in two places and it is completely unaffected by password strength. The next most common attack is password spraying, where criminals use short lists of very simple passwords on as many computers as possible. In both situations a laughably simple but unique password is good enough to defeat the attack.

There are rare types of attack—offline password guessing—where a strong password might help, but the trade-off is that strong passwords are far harder for people to remember, which leads them to use the same password for everything, which makes them much more vulnerable to credential stuffing. Notebooks are a really good, simple solution to the password reuse problem, but for years people were ridiculed for using them. Password managers are also a good solution but they are much harder to use than notebooks and a majority of people don't use them, and don't trust them, despite years of positive press and advocacy.

OK, back to the promise I mentioned.

As somebody who has done his fair share of dispensing this kind of advice, I ended my Why (almost) everything we told you about passwords was wrong article with a mea culpa in the form of a promise. Never again would I dish out laundry lists of things you should do to your password. I would instead focus my energy on getting you to do one thing that really can transform your password security, which is using Two-Factor Authentication (2FA):

So, from now on, my password advice is this: If you have time and energy to spare, find somewhere you’re not using 2FA and set it up. If you do I promise never to nag you about how weak your passwords are or how often you reuse them ever again.

Well, today is World Password Day, and it’s time to make good on that promise. I was asked to write a list of password tips, so here they are:

  • Set up 2FA somewhere.

To explain why I’m all-in for 2FA I can’t do any better than quote Microsoft’s Alex Weinert from his 2019 article, Your Pa$$word doesn’t matter. (He calls it MFA but he means the same thing, I’ll explain why lower down).

Based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA.

Yes, he wrote 99.9%, and he wasn’t exaggerating. 2FA defeats credential stuffing, password spraying, AND password reuse, AND a bunch of other attacks.

Even if you don't know what 2FA is, you've probably used it. If you’ve ever typed in a code from an email, text message or an app alongside your password you’ve used 2FA.

In the real world, 2FA just means “do two different things to prove it’s you when you log in”. One of those things is almost always typing a password. The other thing is often typing a six-digit code you get from your phone, but it might also be responding to a notification on your phone or plugging in a hardware key (a small plastic dongle that plugs into a USB port and does some fancy cryptographic proving-its-you behind the scenes).

2FA is very widely supported and any popular website or app you use is likely to offer it. In an ideal world those sites and apps would take responsibility for your security and just make 2FA a mandatory part of their account setup process. Unfortunately, we don’t live in an ideal world, and the tech giants that know better than anyone else how much 2FA can protect you have left it for you to decide if you need it.

To make your life a little harder still, they also give it different names. You’ve already met MFA, which means multi-factor authentication, while Google, WhatsApp, Dropbox, Microsoft, and others brand their version of 2FA with a slightly altered name: two-step verification (2SV).

If you have a choice, the best form of 2FA is a password and hardware key, but you’ll need to buy a hardware key. They are worth the small investment and not nearly as intimidating as they can seem.

If you aren’t ready for that, the next best form of 2FA uses an app that prompts you with a notification on your phone. The next best after that is 2FA which uses a code from an app on your phone, and the least good version of 2FA uses a code sent over SMS.

However, don't let anyone tell you any form of 2FA is "bad." It's all relative. Adopt any one of them and you can safely ignore the rest of the password advice you were probably ignoring already.

To help you get started, here are links to the 2FA setup instructions for the five most visited websites:

Comments

Popular posts from this blog

Ramp Up Cyber Spending As AI Reshapes Industry Priorities

NEW YORK—Artificial intelligence is rapidly becoming the defining force shaping banking strategy, with 80% of banking executives now expecting AI to significantly disrupt their business and operating models within the next three to five years, according to KPMG's 2026 Banking Technology Survey. The survey of 200 U.S. banking executives found institutions are responding by accelerating investments in cybersecurity, payments modernization and technology-driven acquisitions. "AI, payments modernization, cybersecurity, and tech-driven M&A are no longer separate agendas," said Peter Torrente, KPMG's U.S. Banking Sector Leader, who said banks are increasingly being challenged to keep pace across technology, risk and growth simultaneously. Cybersecurity remains a top concern. More than three-quarters (76%) of banking leaders reported an increase in cyberattacks over the past year, while 92% said they are boosting cybersecurity budgets. In addition, 84% are increasing cyb...

White Paper from WOCCU Examines How Stablecoins are Reshaping Financial Infrastructure

WASHINGTON– World Council of Credit Unions (WOCCU) has released a new white paper that examines how stablecoins are reshaping the financial infrastructure that credit unions and other cooperative financial institutions rely on to serve their members.  According to WOCCU, the white paper, How Digital Money Is Impacting Credit Unions, Part 1: Focus on Stablecoins , is the first in a planned three-part series exploring how emerging forms of digital money are affecting the global credit union movement.  “The report begins by noting that stablecoins are no longer a niche fintech development, but part of a broader structural shift in how money is stored, moved and regulated,” WOCCU explained. “As commercial banks, payment networks, technology firms and retailers build stablecoin offerings or integrate stablecoin rails into their platforms, credit unions must consider how these changes could affect deposits, payments, member relationships and long-term institutional relevance.” For ...

Half of Credit Union & Bank CEOs are Now Older Than 65, Up From 20% Two Decades

NEW YORK — At a time when there are some generational changes in credit union leadership taking place, a new analysis has found the nation’s bank CEOs are getting older, with half of the chief executives leading banks now older than 65, compared with fewer than 20% two decades ago. The KBW Bank Index from Truist Securities found that the median age of bank CEOs has increased by 10 years since the early 2000s, mirroring a broader aging trend among corporate leaders across the United States. However, bank executives remain older on average than their counterparts in many other industries, according to the analysis by Truist Securities Managing Director John McDonald and associates Peter Nicolo and John Manahan. One reason is tenure. Bank CEOs typically remain in their positions longer than executives in many other sectors. According to data from CristKolder Associates cited in the report, financial-services CEOs average nine years in the role, compared with 5.4 years in the energy secto...

What Credit Unions Can—And Can't—Do With New Trump Accounts

07/02/2026 09:36 am         WASHINGTON--With Trump Accounts set to officially launch July 4, America’s Credit Unions updated its frequently asked questions document to clarify the role of credit unions now and in the future. Credit unions do not have a role to play yet, as the Treasury has not announced steps to transition accounts from initial provider BNY Mellon to other authorized institutions, ACU noted. Trump Accounts are tax-deferred accounts that can be established on behalf of a child under the age of 18. Account contributions begin after July 4, with contributions up to $5,000 a year allowed. Created by H.R. 1, the law also established a pilot program to deposit a one-time $1,000 grant into accounts of children born between Jan. 1, 2025 and Dec. 31, 2028. Once the child turns 18, the account funds are available for educational expenses, home ownership, entrepreneurship, and other designated purposes. Once guidance is available from Treasury, credit unions ...

Invest in Education - Invest in Tomorrow

 

Sunday Reading - We Hold These Truths to Be Self-Evident

We Hold These Truths to Be Self-Evident .  The Declaration of Independence is the founding document that formally announced the American Colonies' break from British rule. Adopted on July 4, 1776, it laid the philosophical and moral foundation for American self-governance, asserting that individuals possess inherent rights and that governments must be accountable to the people. While it didn't create a government or legal framework, the Declaration marked the birth of the United States as a sovereign nation. >  Hear why the Continental Congress decided to declare independence, how the text took shape...

Without President’s Signature, ROAD to Housing Act Becomes Law; Includes CU Board Modernization Act

WASHINGTON — The bipartisan 21st Century ROAD to Housing Act became law Friday without President Donald Trump’s signature after the president allowed the measure to take effect while Congress remained in session, choosing not to sign it in protest over the Senate’s failure to advance separate voter identification legislation.  The legislation includes the Credit Union Board Modernization Act, which reduces the frequency with which credit unions must meet and which had strong support from the credit union trade groups.  Trump announced on social media that he would not sign the housing package because the Senate had not passed the SAVE America Act, a measure he has championed requiring proof of citizenship for voter registration. Under the Constitution, a bill becomes law if the president neither signs nor vetoes it within 10 days, excluding Sundays, while Congress is in session.  Scott Simpson ‘Steadfast in Commitment’ “America’s Credit Unions, our league partners, and cr...

NCUA Tells FICUs Crypto Trading is OK — If Big Exchanges Provide the Service

When it comes to reading between the lines of financial regulators’ advisory letters, tone matters. Take last week’s letter from the National Credit Union Administration (NCUA) which gave the federally insured credit unions (FICUs) it oversees permission to partner with digital asset providers to allow retail customers to buy, sell and trade in cryptocurrencies. Now compare it to the one issued by Comptroller of the Currency Michael Hsu’s agency to the national banks and federal savings associations it regulates a month earlier. On the surface, both said much the same thing: Financial institutions can provide cryptocurrency services (albeit with some notable differences: the OCC’s letter dealt with more back-end services, including custody services as well as holding and using dollar-pegged stablecoins for transaction settlement). Neither was enthusiastic. The NCUA’s letter said it “does not prohibit FICUs from establishing these relationships” — which is not as enthusiastic as “are a...

What You Might Not Know About July 4th.

Twenty-Five Years of Showing Up

www.NCOFCU.org/Tucson-AZ-2026    Attendee Registration Schedule at a Glance ...