FAQ: Questions and answers on secure passwords

Passwords remain the keys to our most critical accounts. This FAQ gathers the most common questions and answers with practical advice you can apply right away.

Putting these answers into practice reduces the risk of breaches, impersonation and unauthorized access even if a service you rely on is compromised.

Why passwords still matter

Passwords are still the most widespread authentication factor and therefore the first target for attackers. Their strength and the way we use them are what separate a failed attempt from identity theft.

Frequently asked questions

Why do strong passwords still matter?

Automated attacks fire millions of combinations per second and reuse passwords leaked elsewhere. A strong password slows every attempt, raises the cost for attackers and keeps your email, banking or social accounts from being hijacked in minutes.

What length should I aim for today?

Aim for at least 16 characters; below 12 characters, modern brute-force rigs can break a password in hours. Mix upper and lower case, numbers and symbols, or build a long passphrase from several random words.

Can I reuse the same password on multiple services?

Reusing means that if one site is breached, the same password unlocks everything else. Attackers run credential stuffing automatically, so every service needs its own unique combination.

How do I create a password I can remember without making it weak?

Generate a base with a password generator and layer on a personal pattern, or craft a passphrase of four or five unrelated words tied together with symbols. Avoid personal data, predictable sequences and obvious swaps such as 'a'->'4'.

Do I really need a password manager?

A password manager encrypts your credentials, creates unique logins, fills forms and alerts you about leaks. You only memorize the master password and avoid copying secrets into insecure notes or chats.

What does multi-factor authentication (MFA) add?

Multi-factor authentication adds a second proof (one-time code, push prompt or security key). Even if someone steals your password, they cannot sign in without that extra factor.

How often should I change my passwords?

Skip calendar-based rotations; change passwords when there’s evidence of a breach, shared access or suspicious activity. Forced rotation often produces weaker patterns—focus on strong passwords from the start and update them only when needed.

How can I spot a phishing attempt before typing my password?

Before typing your password, watch out for:

  • The exact domain and certificate; type the address yourself if anything looks off.
  • Messages that create urgency, promise prizes or ask for unexpected resets.
  • Attachments or embedded forms requesting your password.

A password manager also flags when the domain doesn’t match the saved login.
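The domain check described above can be sketched as follows. This is an added example, not code from this page or from any particular password manager; the function names and all URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

def _parts(url):
    """Return (scheme, ascii_host, has_userinfo) for a URL."""
    try:
        p = urlsplit(url.strip())
        host = (p.hostname or "").rstrip(".")
        # IDNA-encode so look-alike Unicode letters surface as an "xn--" label.
        host = host.encode("idna").decode("ascii")
    except (UnicodeError, ValueError):
        return "", "", False  # unparseable URLs never match a saved login
    return p.scheme.lower(), host, p.username is not None

def check_before_autofill(saved_url, visited_url):
    """Return (ok, reasons); ok is True only for https plus an exact host match."""
    _, saved_host, _ = _parts(saved_url)
    scheme, host, has_userinfo = _parts(visited_url)
    reasons = []
    if scheme != "https":
        reasons.append("page is not served over https")
    if has_userinfo:
        reasons.append("text before '@' is not the host")
    if not host or host != saved_host:
        reasons.append(f"host {host!r} differs from saved host {saved_host!r}")
    return (not reasons, reasons)

# Constructed sample data: one saved login and the pages a user might land on.
SAVED = "https://accounts.example.com/login"
VISITED = [
    "https://accounts.example.com/signin?next=/",
    "https://accounts.example.com.login-check.example.net/",
    "http://accounts.example.com/",
    "https://accounts.example.com@login.example.net/",
    "https://accounts.\u0435xample.com/",  # Cyrillic letter in place of 'e'
]

if __name__ == "__main__":
    for url in VISITED:
        ok, reasons = check_before_autofill(SAVED, url)
        print("FILL " if ok else "BLOCK", ascii(url), "; ".join(reasons))
```

Only the first constructed URL passes; the comparison is on the whole host name, so a familiar name appearing somewhere inside a longer host does not count as a match.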

Where should I store recovery codes and master passwords?

Store recovery codes and your master password offline in a secure spot (safe, encrypted secondary vault, sealed envelope). Keep at least two protected copies and refresh them whenever you regenerate the codes.

Is it safe to share passwords over email or chat?

Never send passwords in plain email or chat; they linger on servers and can be forwarded. Use your manager’s sharing feature or a self-destructing encrypted note, or create dedicated access with limited permissions.