Blog

Articles about passwords, security, and why almost everything we were taught was wrong.

What a password is, and why we've had it wrong for sixty years

The computer password was born at MIT in 1961. The first breach came a year later, and it wasn't a criminal: it was a student who wanted more machine time. This is the story of why the rules we all learned were bad — and where they came from.

Why password.es never sends your password anywhere

Any website can type "we don't store your password" onto a page. It's free, it commits you to nothing, and nobody can check it. The only honest way out is to not need the data: everything happens in your browser, and here's how to open the inspector and confirm it without trusting a word we say.

Your password manager vs your memory: the one rule that survived

Of everything we were told about passwords, exactly one rule has survived: a different one on every site. And it's the one nobody keeps, because your memory doesn't stretch that far. A password manager isn't a convenience: it's what turns that rule into something you can actually do.

Passkeys: the password that doesn't exist

For decades we tried to make passwords harder to guess. Passkeys do something else: they take away the secret the server had to keep. The site is left holding a public key that's worthless to a thief, and phishing stops working. It doesn't fix everything.

Security questions are a password you never chose

A security question is a password with three defects: you didn't pick it, it can be guessed, and it's usually written down somewhere public. In 2015 Google measured it with real data and the result was damning twice over: the answers get guessed and they also get forgotten. Lie to protect yourself and you end up locked out.

2FA: why SMS is the worst of the good options

Turning on SMS 2FA is one of the best decisions you can make today, and also the first one you'll have to revisit. Its weak point isn't the encryption or your phone: it's the person answering the phone at your carrier. Here's the whole ladder, from SMS to a hardware key.