10 Password Myths Debunked

Passwords are the first line of defense in the digital age. To raise awareness of their importance and their role in keeping individuals and companies safe, the first Thursday of every May has become World Password Day.

For Password Day 2020, we’re dispelling some of the misconceptions that still surround this crucial aspect of online security. What makes a password weak or secure? How risky is it to write down your login details? Here are ten persistent password myths — debunked.

1. You don’t need to worry about passwords if you’ve nothing to hide

When people believe they have little at stake, they let their guard down. Here's the catch: you don't need to be sharing state secrets to be worried about a hack. An attacker who breaks into your social media account or email can still do a lot of damage in the long run.

For one thing, it might not be you who suffers the consequences of your poor password security. Hackers could use your account to launch phishing attacks on other people, extorting your contacts and friends list.

You can still be directly impacted, of course. A hacker who cracks one password might be able to access other linked accounts on different platforms. After all, email and social media credentials are often used as login mechanisms for third-party sites. They could even stage a man-in-the-middle attack after spying on your account.

You might not be able to think of a way in which a weak password could hurt you, but a hacker definitely can.

2. It's okay to use the same password on multiple accounts

Reusing passwords is not a smart move, even if you think it's a strong one. It’s the same reason you don’t want to use one key for your car, office, and apartment.

Bypassing login security has never been easier: with brute-forcing software, attackers can break into an account in seconds. If you’re using the same details for multiple sites, then a hack can quickly spread.

Differentiating your login details is an essential part of online security, and it will limit the threat posed by any one successful hack.

3. Numbers and special characters automatically make a password stronger

Adding numbers and symbols to your password will help, of course, but not to the extent that many think. Attackers use programs that can cycle through common symbols and numerical sequences in milliseconds. Adding “123” or replacing the letter “A” with “@” won’t do much to slow down the latest brute-forcing software.

While it's important to use completely random letters, numbers, and symbols, avoiding patterns is also essential.

4. It’s not safe to write down passwords

This one depends on specific circumstances. In a business or office environment, it’s clearly vital that password information is not left lying around. On the other hand, for individuals with personal accounts - social media, for example, and home emails - it’s really not as important.

If someone wants to hijack your social media account or break into your email, it's unlikely that they're going to live anywhere near you. They can sit in a bedroom on the other side of the world and still launch an attack. These criminals rely on complex algorithmic software, not stumbling on the password sheet you dropped.

Far worse than writing down a password is using a simple, easy-to-remember one. “Easy to remember” really means ”easy to crack”.

5. Password checkers on sites are always reliable

Go to any website that has built-in strength evaluation in the password creation process. You’ll find that by adding one capital letter and a few numbers and symbols, you can take your password rating from weak to strong.

That’s not how password security works. The hacker who wants to break into your email will be using sophisticated tools. They can check every word in the dictionary in a matter of seconds. Cycling through common names and coupling each one with common dates and numerical patterns won’t take them long.

Picking “P@ssword123” instead of “password” does very little to improve security — whatever the strength checker might tell you.

6. Regularly changing your password improves security

This isn’t entirely a myth, but regularly changing your password is a small part of a much bigger picture.

It’s a good practice within large organizations — businesses or universities, for example — but there are some negatives. Forcing people to change their login details every few months might push them to pay less attention to the quality of the passwords they're using.

Relying on one complex, hard-to-crack password for the course of a year is a lot better than using six simple ones in the same space of time.

7. Forgetting your password can permanently lock you out of an account

This would only be true in very specific circumstances. For the vast majority of users on most password-protected platforms, recovering an account is quite simple.

From social media sites like Instagram to entertainment hubs such as Spotify and the Playstation Network, you can reset a forgotten password with a few simple steps.

8. Password users are always to blame for password security breaches

It’s easy to blame users when their accounts are hacked or their login details surface online. Weak passwords are not always the cause of these breaches, however.

As we touched on in Myth Number 5, many websites give misleading advice on what constitutes a strong password. Most don’t bother to prompt users to take any additional precautions.

Even worse, passwords are sometimes leaked on the dark web when corporate files are left unsecured. You can actually find out if your login details are available online by checking the have I been pwned site. Companies should be aware of the role they play in keeping user passwords safe.

9. Complexity always trumps length

Complexity is essential — but so is length. There’s a reason most sites come with a minimum character count for passwords: the longer, the better.

It’s harder to make short passwords complex. Even a randomized collection of letters and symbols can be cracked relatively quickly if it’s only six characters long.

Length and complexity are two keys to good password security. If you can focus on both of these, then your account is going to be a lot harder to brute-force.

10. You don’t need a password manager

Actually, you probably do. A password manager would go a long way to limiting most of the risks we’ve covered so far.

With NordPass, you can generate long, complex passwords and store them in securely encrypted vaults. Then, when you’re logging into any account or profile, NordPass will auto-fill the form for you. You don't have to remember your passwords — NordPass does that for you.

A good password manager is the centerpiece of a strong online security strategy.