Password Security 2026: The Complete Guide to Secure Passwords
Security Awareness

Why most passwords are insecure, what secure passwords and passphrases look like, what you need to do after a data breach—and why passkeys are the future.

Chris Wojzechowski, Managing Partner
12 min read
IT-Grundschutz-Praktiker (TÜV), IT Risk Manager (DGI), § 8a BSIG Prüfverfahrenskompetenz, Ausbilderprüfung (IHK)

TL;DR

Weak passwords are the most common entry point in cyberattacks. A secure password is at least 12 characters long, unique for each service, and not found in data breaches. Passphrases made of random, thematically unrelated words are easier to remember and harder to crack than short random passwords. Password managers fully solve the memorability problem. Passkeys as a FIDO2-based successor are technically phishing-proof and will replace passwords in the long run. Whether your own data appears in breaches can be checked for free at haveibeenpwned.com.

Passwords are the weakest link in the security chain—and yet they remain the most widely used authentication method. The 2024 Verizon Data Breach Investigations Report is clear: 68 percent of all data breaches result from stolen or weak credentials, and 86 percent of all web-based attacks are credential-based.

This guide explains why passwords fail so often, how to create and manage secure passwords today—and why passkeys are already here as the next step.


Why Most Passwords Are Insecure

The Reuse Problem

51 percent of people use the same password for multiple services. The Hasso Plattner Institute analyzed one billion user accounts from 31 published data breaches: 20 percent used the exact same password across multiple platforms, and a further 27 percent used slight variations of the same password.

The consequences are severe: as soon as a single service is breached, the password ends up on a leaked list. Attackers then run automated credential reuse attacks (credential stuffing): a tool tries the leaked email-password combination against dozens of websites within seconds. If the attackers gain access to the email account, recovering the remaining accounts is usually no longer possible.

The Predictability Problem

The password "123456" was found 2,543,285 times in data breaches in 2020 alone, and 23,597,311 times across all years. The world’s most popular password still ranked among the top 5 in 2024.

Soccer club names are used as passwords surprisingly often. “schalke” and similar club names regularly appear on lists of the most commonly used passwords. Attackers are aware of these patterns and systematically test them.

The same applies to patterns created by forced password changes: when users are required to change their passwords regularly, predictable variations emerge. A study by the University of North Carolina analyzed 7,700 accounts and found that users who were regularly forced to change their passwords developed patterns such as tarheels#1 followed by tarheels#2. In an online guessing attack, 17 percent of the new passwords were cracked in fewer than five attempts. Offline, against a stolen password hash, the situation is even worse: 41 percent were compromised in less than three seconds.

The German Federal Office for Information Security (BSI) has acted on this finding and now recommends no longer changing passwords routinely—only when there is concrete evidence of a breach.

The Brute-Force Problem

Modern hardware cracks short passwords alarmingly quickly. A standard laptop without a dedicated graphics card can process about 875 million hashes per second using the MD5 hash algorithm. A 6-character password can thus be cracked in seconds. A setup consisting of ten Nvidia GTX 1080 Ti cards, costing around 10,000 euros, achieves approximately 355 billion hashes per second for MD5.

The recommendation based on these figures: Passwords under 10 characters no longer offer sufficient protection with current hardware. The minimum recommendation is 12 characters—preferably 15 or more.

Important to note: MD5 is considered outdated and insecure. Modern systems use stronger hashing algorithms (bcrypt, Argon2, scrypt), which take significantly longer to compute and considerably slow down brute-force attacks. However, the length of the password remains the decisive factor.


What Secure Passwords Look Like

The Basic Rules

A secure password meets four criteria:

  1. Minimum length: 12 characters, recommended 15 or more
  2. Uniqueness: Do not use the same password for more than one service
  3. No personal references: No names, no birthdays, no club names
  4. Not included in data breaches: Check via haveibeenpwned.com

What is less crucial than often assumed: the forced inclusion of special characters, uppercase letters, and numbers in short passwords. An 8-character password with special characters is weaker than a 16-character password without them. Length trumps artificial complexity.

The apparent problem with secure passwords: memorability

Cryptic random passwords like X7$k2mQp9! are secure—but hard to remember. Tools like the Kryptonizer from passwort-ausdenken.de can help: A simple mnemonic like "Bolognese" is turned into a cryptic password like 5oW#7m%mm3D3 using a personal encryption card. The card is printed in duplicate—one for your wallet, one as a backup. This principle combines possession and knowledge.

Even more elegant is the passphrase method—more on that in a moment.


Passphrases: The More Secure and Easier-to-Remember Password

A passphrase consists of several words instead of a cryptic jumble of characters. The key advantage: Passphrases made up of four random, thematically unrelated words would take attackers centuries to guess—and are also easier to remember than short random passwords.

How to Create a Secure Passphrase

Choose words from completely different areas of life:

  1. Your favorite dish, a vacation spot, or a hobby—for example: "Air Skydiving"
  2. A current news story or event—for example: "Pandemic"
  3. A word selected at random from a digital dictionary—for example: "reticulum"

This results in: "Air Skydiving Pandemic Reticulum"

Spaces are also characters in passwords. You can replace them with special characters to meet typical password requirements:

"Air-Skydiving_Pandemic_Reticulum"

With numbers that meet digit requirements:

"1Air-Skydiving_2Pandemic_3Reticulum"

The result is a very strong password. If you visualize it—someone doing air skydiving while thinking about the pandemic and an astronomical object called the Reticulum—it’s much easier to remember than a random jumble of characters.

What passphrases don’t protect

IT security experts advise against using song lyrics or well-known literary works like the Bible as inspiration. Attackers specifically target these sources. The selected words must come from thematically unrelated areas.

And most importantly: Even the strongest passphrase is only valid for a single service. Reusing it makes even the best phrase vulnerable.


Password-less login: Passkeys, MFA, and the post-password era

Multi-factor authentication as an intermediate step

Multi-factor authentication (MFA) requires attackers to know both the password and a second factor—such as a TOTP code from an authenticator app or an SMS code. This makes a compromised factor alone worthless.

There are various MFA methods with different security levels:

  • FIDO2/Passkeys: Highest security, technically impossible to phish
  • TOTP apps (Microsoft/Google Authenticator): Good for most cases
  • SMS OTP: Better than nothing, but SIM swapping is a known attack scenario
  • Email OTP: Vulnerable if the email account itself is compromised

A critical point: TOTP and SMS can be bypassed via real-time phishing relays. An attacker operates a phishing site; the victim enters the TOTP code, and the attacker immediately forwards it to the real server—the 30-second window is more than sufficient.

Passkeys: The phishing-proof alternative

Passkeys are an implementation of the FIDO2 standard (WebAuthn), which is natively supported on Apple, Google, and Microsoft platforms. The core principle differs fundamentally from passwords: no secret is ever transmitted.

During registration, the device generates a key pair. The private key remains on the device and never leaves it. The public key is sent to the server. During login, the device signs a server challenge with the private key—biometrics or a PIN unlock the private key locally. The server verifies the signature using the stored public key.

What is never transmitted: no password, no private key, no biometric data (Face ID or fingerprint data stays on the iPhone or Android device).

Phishing protection stems from origin binding: the credential is bound to the domain it was registered for, and the browser includes the origin it is actually talking to in the data that gets signed. On a phishing domain with a similar but different name, the origin does not match, so the signature is not accepted and login is technically impossible.

According to the FIDO Alliance, over 13 billion passkey-enabled devices were in use worldwide by 2024. Apple, Google, and Microsoft have supported passkeys natively since 2022/2023. Over 10,000 services, including Shopify, GitHub, and PayPal, already support passkeys. Google has not recorded a single account takeover via phishing since its internal FIDO2 rollout in 2017.

User Acceptance and Misconceptions

A study by Ruhr University Bochum, the Max Planck Institute for Security and Privacy, and the University of Chicago involving 414 participants found that around 70 percent of users mistakenly believe that their fingerprint is transmitted to the provider and stored there during passwordless login. In fact, the cryptographic key remains exclusively on the end device.

Another 60 percent of respondents assumed they would lose access to their account entirely if their fingerprint sensor malfunctioned—even though WebAuthn offers a PIN alternative. At the same time, 93 percent of respondents generally trust biometric protection.

The researchers’ conclusion: The most important message is that biometric data is not transmitted to the provider. Passkeys are more secure and faster than passwords—the user experience takes about 2 seconds instead of 12.5 seconds with a password plus TOTP.


What to do if your password has been stolen?

How attackers handle stolen passwords

In early 2019, one of the largest datasets of login credentials at the time was published: approximately 773 million email addresses and 21 million passwords. Attackers do not use such lists indiscriminately. They are specifically tailored to the victim.

A Schalke04 fan is highly unlikely to use “Dortmund123” as a password—such social engineering assumptions help attackers filter the password list and increase the likelihood of a match. Personal references like club names or family names on social media make the password vulnerable.

Blackmail emails that contain a real password and threaten to release webcam footage exploit exactly these data breaches. Criminals usually do not possess any video recordings—they obtain login credentials exclusively from old data breaches, some dating back over ten years. No one should give in to such blackmail.

Here’s how to check if your data has been compromised

Troy Hunt’s website haveibeenpwned.com allows you to check email addresses for known data breaches for free. We advise against running actively used passwords through the database. The Hasso Plattner Institute in Potsdam operates a German alternative: The HPI Identity Leak Checker only reveals information once you have verified yourself as the owner of the email address.

Immediate steps to take in the event of a data breach

  1. Immediately change the affected password on all services where you have used it
  2. Enable MFA on the affected account and on all other important accounts
  3. Set up a password manager to use a unique password for each service in the future
  4. Check whether your email account is still under your control—email access is the master key for password resets on all other services

Blackmail emails containing a real (but old) password indicate that this password originated from an old data breach. If you have already changed it, there is no immediate need for action beyond confirming the facts.


Common Password Mistakes – and How to Avoid Them

Mistake 1: Personal references in your password

Birthdays, pet names, favorite sports team names—all of these are easy for attackers to find on social media. A hacker looking to learn more about their target will first check LinkedIn, Facebook, and Instagram. Anyone using “schalke04” or “Bundesliga2024” as a password makes it especially easy for attackers: Such passwords are at the top of personalized word lists.

The Hasso Plattner Institute analyzed passwords from public data breaches: “123456” is the most frequently stolen password of all. Right behind it are keyboard patterns like “qwerty,” “qwertz,” and “asdfgh”—patterns that are the first to be tried in every attack list.

Mistake 2: Writing down passwords on sticky notes

Writing down passwords on a sticky note under the keyboard, behind the screen, or on a label next to the computer is a common practice—especially in office environments. The problem: Anyone with physical access to the workstation also has access to all saved accounts.

At home, the risk is lower, but not zero. In public areas—offices, coworking spaces, reception areas—passwords should never be written down in plain sight. A password manager eliminates the need for this practice, as passwords are stored securely and automatically filled in when needed.

Mistake 3: Using the Same Password for Email and Other Services

Your email account is the master key for all your other passwords. Forgotten passwords are reset via email. So if you use the same email-password combination across multiple services and the password falls into the wrong hands due to a data breach, in the worst-case scenario you lose control of all linked accounts—and can no longer regain access by resetting the password yourself.

Your email account password should always:

  • be unique (not used anywhere else)
  • be long (15 characters or more)
  • be secured with MFA

Mistake 4: Saving passwords in the browser

Browsers offer password storage as a convenience feature. This is practical—but browsers are primarily designed for browsing, not for the secure management of login credentials. Certain attack vectors that exploit browser vulnerabilities can access stored passwords. Additionally, many browsers sync passwords via cloud services, which may not offer the same level of protection as a dedicated password manager.

For occasional, non-critical logins, browser storage may be acceptable. For important accounts—email, banking, corporate logins—a dedicated password manager is recommended.


Password Security in Different Contexts

Personal: Secure the Most Important Accounts First

Not all accounts are equally important. Prioritizing helps:

Critical (secure first):

  • Email account (master key for all others)
  • Online banking and payment services
  • Most important social media accounts (identity, privacy)
  • Cloud storage with sensitive data (photos, documents)

Medium:

  • Shopping accounts with saved payment methods
  • Streaming services
  • Employer VPNs and portals

Less critical:

  • Forum accounts without personal data
  • Newsletter subscriptions

The effort required for each account should be proportional to the sensitivity of the stored data. A password manager makes it much easier to use unique passwords even for less important accounts—without any extra mental effort.

In the Workplace: Unique Challenges

Corporate environments have specific requirements. The average employee manages over 90 online accounts—many of them work-related. Compromised corporate credentials can have far-reaching consequences: data breaches, ransomware attacks, regulatory penalties.

Specific risk areas in a corporate context:

  • Shared accounts: Multiple people share a single password—no one is held accountable, and changes are uncontrolled
  • Default passwords: New systems come with default credentials (admin/admin, root/root) that are never changed
  • Departing employees: Passwords known to former employees that are not changed immediately

These specific challenges and solutions are discussed in detail in our article on secure password policies for businesses.


For Businesses: Password Policies and Security Awareness

Enterprise environments face unique challenges. Employees manage an average of over 90 online accounts. A single compromised personal email password can be used via credential stuffing to gain access to the company’s SSO.

Modern password policies for businesses, such as those outlined in NIST SP 800-63B (2017, updated 2024) and by the BSI in its IT-Grundschutz Compendium, focus on length rather than enforced complexity and do away with routine password change intervals. This topic is covered in detail in our article on secure password policies for businesses.

Practical implementation: Employees who understand why password hygiene is important protect themselves better than those who merely follow rules. Security awareness training—featuring live hacking demonstrations that show how quickly weak passwords can be cracked—sustainably increases motivation for behavioral change.


FAQ: Password Security

How long does a secure password need to be?

At least 12 characters; 15 or more are recommended. Length is more important than forced complexity through special characters. A 16-character password without special characters is more secure than an 8-character password with many special characters.

How often should I change my password?

According to BSI and NIST: only if there is concrete evidence of a breach—not routinely every 90 days. Forced regular changes lead to predictable patterns (Version1, Version2) and reduce security in practice.

What is the difference between a password and a passphrase?

A passphrase consists of several words, while a password typically consists of a combination of characters. Passphrases made up of random, thematically unrelated words are easier to remember and—if long enough—are at least as secure as cryptic short passwords.

What is a password manager, and do I need one?

A password manager is an encrypted digital vault that securely stores passwords and automatically fills them in. You only need to remember a single strong master password. Without a password manager, consistent password hygiene (a unique password for every service) is practically impossible to achieve. You can find details on the best password managers in our password manager comparison.

What are passkeys, and are they more secure than passwords?

Passkeys are a FIDO2-based authentication method in which no secret is ever transmitted. They are technically phishing-proof—logging in with the real passkey on a phishing domain is technically impossible. Since the internal FIDO2 rollout in 2017, Google has not recorded a single account takeover via phishing. Passkeys are the most secure authentication method currently available.

What should I do if I receive a blackmail email containing one of my real passwords?

Do not pay. Such emails originate from old data breaches and usually contain no evidence of actual webcam recordings or similar threats. Check haveibeenpwned.com to see if your email address is included in a known data breach, and immediately change the password in question on all services where you have used it.

How can I tell if my password was involved in a data breach?

Check your email address for free at haveibeenpwned.com or using the HPI Identity Leak Checker from the Hasso Plattner Institute in Potsdam. The HPI Identity Leak Checker only sends results after you confirm your email address, which enhances data protection.


Password security isn’t a one-time project, but an ongoing practice. The easiest first step: Set up a password manager today—and enable MFA on your most important accounts. You can find the right manager for your situation in our Password Manager Comparison.

For companies that want to know how resilient their employees really are against password attacks and phishing: Request Security Awareness Training
