Going Passwordless Without Going Passwordless

Get used to the future before it arrives.

Passwords are dying. On some services, you can start playing with the process by creating a secure password... and then forgetting it.

There’s a lot of kerfuffle about passkeys and other authentication methods.

Right now, at most services, you still have a password. Technically, this makes you vulnerable if it’s phished, guessed, or otherwise compromised. Eventually, as passkey adoption becomes more widespread, we’ll get rid of passwords altogether, but for now, passwords remain in play.

On some services, you can experience passwordlessness already. Doing so improves the security you already have.

TL;DR:

Go passwordless

Passwords are slowly being phased out, but most services still require them. You can simulate passwordless sign-in by creating a long, secure password and never using it, relying instead on other methods (like passkeys, email, or SMS codes) that don’t require a password. This dramatically reduces vulnerability to phishing, keyloggers, and database breaches.

Alternate sign-in methods required

The technique I’m suggesting requires that the account(s) you do this with have ways to sign in that don’t involve a password.[1] They might offer sign-in methods like:

  • Passkeys
  • An email to an associated account with a link to click or a number to enter
  • A text message to an associated mobile number with a number to enter (or, occasionally, a link to click)
  • The ability to confirm sign-in on a different, already signed-in device

There may be other techniques. The key is that none of them require you to enter a password.

Make and forget your password

If the account still uses a password or requires you to set one up, here’s the process:

  • Make an excruciatingly long and secure password (or as long as the service allows). I’d use 40 characters. (e.g. w3WVUXncc?t7QbTkuojVor8wfm!PHK9PqUd2#FEB)

That’s it.

You don’t have to remember this password because you’ll never use it. If you’re paranoid, of course, you can save it in a password manager, but doing so defeats the purpose since, should your password manager ever be compromised, the password would be there.

You can get away with this because you’ll never use your password to sign in. Ever. You’ll always use one of the alternate methods described above.

In fact, you’ll never use a password for anything on this account again.[2] If worse comes to worst and the passkey doesn’t work, you’ll treat it exactly as you did when setting up the passkey the first time on your account: you’ll sign in one of the alternate ways I listed above. And you can always use “Forgot my password” (which will likely have different wording) to reestablish access to your account.

How this is more secure

Are these passwordless techniques really more secure? Yes, because with one exception, there’s no password to steal.

That’s huge.

There’s no way for a hacker to gather your password from your activities because your activities will never involve typing or otherwise using a password. You won’t even have it in your password vault.

Phishing attempts to compromise this account will fail because they’ll ask for a password you never use, at which point you’ll know something’s amiss. Keyloggers will have nothing to log. Shoulder surfers will have nothing to see.

The exception? The service itself. Since it still requires a password, it will have stored something. If they’re doing security correctly, that something will not be the password itself but a hash of the password. Even if the service’s database is compromised, your password is not present. And it cannot be reverse-engineered from the hash.

The remaining risk, then, applies only to those services that handle security poorly, either by using a weak hash or by storing your literal password.
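The two things the “make and forget” step and this section rely on, as an added example that is not from the article: a password drawn from the operating system’s CSPRNG with far more entropy than any guessing attack can cover, and the salted, slow hash a careful service stores instead of the password itself. The function names and the 69-symbol alphabet are my own choices, not anything from a particular service.

```python
import hashlib
import math
import secrets
import string

# Character set in the spirit of the article's 40-character sample:
# letters, digits and a handful of symbols (69 symbols in total).
ALPHABET = string.ascii_letters + string.digits + "!?#@%&*"


def make_throwaway_password(length: int = 40) -> str:
    """Build the password you will never type, using the OS CSPRNG (secrets),
    never the non-cryptographic random module."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size).
    40 characters from 69 symbols is about 244 bits, far beyond any offline
    guessing budget even if the hash leaks in a breach."""
    return length * math.log2(alphabet_size)


def store_hash(password: str, iterations: int = 200_000) -> dict:
    """What a service that 'does security correctly' keeps: a random salt and
    a slow, salted PBKDF2-HMAC-SHA256 digest, never the password itself."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify(password: str, record: dict) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return secrets.compare_digest(digest.hex(), record["hash"])


if __name__ == "__main__":
    pw = make_throwaway_password()
    record = store_hash(pw)
    print(f"{len(pw)}-character password, ~{entropy_bits(len(pw)):.0f} bits of entropy")
    print("stored record contains the password:", pw in record.values())
    print("verify correct password:", verify(pw, record))
    print("verify a guessed password:", verify("Password123!", record))
```

The weak case the next paragraph warns about is the same record built with an unsalted fast hash or, worse, the password stored as-is; neither is what `store_hash` produces.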

Everywhere else, you are significantly more secure because there’s no password to be stolen anywhere.

Do this

I recommend trying out passwordless options if they’re available to you. I’ve done so on my Microsoft account. Given how important that account has become, the fact that it’s working well is reassuring. I went passwordless even before passkeys entered the mix.

You can try out passwordlessness using the technique above. I think you’ll eventually find it just as convenient (or inconvenient) as traditional password-based sign-in. Even if it’s slightly less convenient, consider the security you’ve added to the account. Give it a try. If your service offers it to you, say yes. Otherwise, check the security section of that service’s settings to see if it’s an option.


Footnotes & References

[1] To be clear, all accounts have some additional way to identify you that doesn’t require a password. It’s required for “forgot my password” to work. The difference is in how convenient (or not) these passwordless alternatives are.

[2] If, for some unforeseen reason, the service absolutely requires a password for something, you can use “forgot my password” to set a new one that you would then save.
