We’ve all done it. You land on some website—maybe it’s a new streaming service, maybe it’s a dental appointment portal that for some reason requires an account—and you’re prompted to create a password. You pause for a moment. You think about doing the right thing. And then… “password123!” Done. Moving on.
Or maybe you’re a little more security-conscious. So you go with something clever. Something personal. Something meaningful. Something like your dog’s name and your birth year. “Skeeter1987!” Uncrackable, obviously.
But here’s the thing: The hackers already know about Skeeter. They probably follow him on Instagram.
Passwords are one of those things we all use, all the time, and almost universally misuse. We reuse them across dozens of accounts, choose ones that are embarrassingly predictable, and treat them like a minor inconvenience rather than the digital keys to our online lives.
Today, we’re cracking the code on passwords: where they came from, how they’re stored, how they fail, and what’s coming next. Could the humble password finally be headed for retirement? Let’s find out.
I’m Chris Rouman, and I’m Nerd Adjacent.
What is it?
Like a lot of things we take for granted, passwords didn’t just appear out of nowhere. They were invented by one guy, for one very specific problem, and then the rest of the world kind of… adopted them forever.
In 1961, a computer scientist at MIT named Fernando Corbató was working on something called the Compatible Time-Sharing System (or CTSS), one of the earliest operating systems that let multiple people use a single mainframe computer at the same time. The problem? Everyone could see everyone else’s files. There was no separation, no privacy. Just a big open computing buffet.
Corbató’s fix was elegant in its simplicity: Give each person their own private login with a secret word. And just like that, the computer password was born.
This revolutionary idea spread; computers became more accessible, and by the time the internet arrived and exploded into everyday life in the 1990s, the password was the default solution for securing everything online: bank accounts, email, shopping carts, your onlyfans account. All of it locked with a letter and number combination you had to remember.
The system was designed for a handful of researchers sharing a single machine. It was never intended to scale to 170 passwords per person—which is, incredibly, the average today.
Some history
Let’s take a moment to appreciate how spectacularly bad humans are at password security.
Every year, cybersecurity companies analyze billions of exposed passwords from data breaches, and every year the results are a masterclass in optimism over evidence. According to NordPass’s 2025 research, the most common password in the United States is… ‘admin.’ The most common globally is ‘123456,’ a position it’s held six out of the seven years NordPass has been tracking this. Followed closely by ‘password,’ ‘secret,’ and ‘qwerty,’ the six letters in the upper left of your keyboard.
And here’s a fun stat: 78% of the world’s most common passwords can be cracked in less than one second. Not a minute. Not an hour. One second.
It gets worse. About 25% of people worldwide reuse the same passwords across up to 20 different accounts. Which means that when one account gets breached, it’s not just that account that’s compromised; it’s potentially your email, your bank account, your streaming service, and whatever wellness app you downloaded and forgot about.
Oh, and in 2024, about 142 million people had at least one password exposed in a data breach. And yet “Skeeter1987!” it is.
How it works
When you create an account somewhere and set a password, what actually happens to it? Here’s where it gets genuinely interesting—and where the difference between a well-run system and a terrible one becomes very obvious.
The worst approach—and this still happens—is when a website stores your password in plain text. That means somewhere in a database, your password is sitting there, readable, like a Post-it note on a fridge. If that database gets hacked, your password is just… out there. The earliest systems, including Corbató’s CTSS, did exactly this. A bug in his code once caused the entire password file to print out to users. Oops!
The next step up is hashing. Instead of storing your actual password, the website runs it through a one-way mathematical function that converts it into a long, scrambled string of characters called a hash. It turns “Skeeter1987!” into a very long series of characters. Every time you log in, the system hashes what you type and compares it to the stored hash. If they match, you’re in. And here’s why it’s so secure: You can’t work backwards from the hash to get the original password.
But hashing alone does have a problem: if two people have the same password—say, everyone using “123456”—they’re assigned the same hash. Hackers figured this out and built something called rainbow tables: giant precomputed lists of common passwords and their corresponding hashes. Look up the hash, find the password. Quick and easy. The name, by the way, comes from the fact that when these tables are color-coded by the different functions used to build them, they look like a rainbow. Which is a cute name for something designed to break into your accounts.
The solution? Salting. Before hashing your password, the system adds a random string of characters—the “salt”—that’s unique to your account. Now even if two people use the exact same password, their hashes look completely different, because the random additions are different. The rainbow tables become useless.
The best systems also use intentionally slow hashing algorithms—like one called bcrypt—that are designed to take a tiny bit of time to compute. For a normal login, you don’t notice. But for a hacker running billions of guesses, that short delay is the difference between cracking your password in minutes and cracking it in centuries.
How passwords get cracked
So how do the bad guys get in? There are a few main ways, and they’re all worth knowing about.
First is the brute force attack. This is exactly what it sounds like: a program tries every possible combination of characters until it lands on the right one. Short passwords—say, 6 characters—can be cracked almost instantly with modern hardware. This is why length matters so much. A 12-character password with mixed characters takes exponentially longer to brute force than a 6-character one.
Then there’s the dictionary attack. Instead of trying random combinations, the program works through a list of common words, phrases, and known passwords—your “football,” your “iloveyou,” your “Skeeter1987!” Because humans are predictable, these lists are surprisingly effective. Hackers know that when a site requires a capital letter, people almost always capitalize the first one. When a number is required, people add it at the end. When a special character is required, it’s usually an exclamation point. We’re not as creative as we think.
And then there’s credential stuffing, which might actually be the scariest one. When a company gets breached—and this happens all the time—those usernames and passwords often end up for sale on the dark web. Hackers take that list and just… try them everywhere. Banking sites. Email providers. Other streaming services. If you used the same password on the breached site as you did on your bank account, they walk right in. No guessing required. According to Cloudflare, about 85% of users reuse passwords across multiple sites, which is exactly why credential stuffing works so well.
The good news is that a strong, unique password—one that isn’t recycled from somewhere else—defeats credential stuffing entirely. They can’t stuff credentials that aren’t in their list.
Two-factor authentication
Even if someone gets your password, they might not get into your account if you’ve set up two-factor authentication, or 2FA.
The idea is simple. Instead of one lock on the door, so to speak, you have two: After entering your password, you get a code sent via text message or generated by an app, and you have to enter that too. Even if a hacker has your password, they’d also need physical access to your device. Which is a lot harder.
SMS-based 2FA—where the code comes via text—is better than nothing, but security experts will tell you it’s not the gold standard. Text messages can be intercepted, and there’s a social engineering attack called SIM swapping where someone tricks your phone carrier into transferring your number to a new SIM card they control. It’s alarmingly easy to pull off.
Authenticator apps like Google Authenticator generate time-sensitive codes locally on your device and are significantly more secure. They don’t go through your phone network at all. And hardware security keys—little USB devices you plug in to confirm your identity—are stronger still; they’re basically impervious to remote attack.
The takeaway: if a service offers 2FA, use it. And use the app version if you can. It’s one of the single highest-impact things you can do for your account security.
Password managers
But even 2FA doesn’t completely solve the problem. We’ve been told to “use a different, long, complex, random password for every account.” Great. And how, exactly, is a human supposed to remember 170 of those?
They can’t. And that’s why password managers exist—and why you should probably be using one.
A password manager is an app that generates strong, random, unique passwords for every single account you have, and stores them in an encrypted vault. You only need to remember one master password: the password to get into the vault. Everything else is handled for you. Your banking password might be something like “Xp7!mKqLz#4nRvWs,” which you never have to remember, copy, or type, because the app does it for you.
Most modern phones and browsers have built-in password managers that sync across your devices. Options like 1Password, Bitwarden, and Dashlane are also popular and well-regarded.
The common concern is: “But what if the password manager gets hacked?” It’s a fair question. The answer is that reputable password managers are designed so your actual passwords never sit on their servers in readable form. So even if their servers are breached, the attackers only get encrypted data that’s useless without your master password. It’s not a perfect system, but it’s vastly more secure than using “Skeeter1987!” everywhere.
Passkeys
Now, here’s where things get genuinely exciting. The password—that cobbled-together solution from a 1961 MIT lab—might finally be on its way out.
Enter: passkeys.
Passkeys are based on a technology called public-key cryptography, and they work fundamentally differently from passwords. When you create a passkey for a site, your device generates a pair of mathematical keys: a private key that stays locked on your device and never goes anywhere, and a public key that the website stores. When you log in, the site sends your device a challenge—like a math problem—that only your private key can solve correctly. Your device solves it (after confirming it’s you, via Face ID or a fingerprint), sends back the answer, and you’re in. No password transmitted. No shared secret that can be stolen.
This is huge, for a couple of reasons. First, there’s nothing to phish. In a traditional phishing attack, a fake website tricks you into typing your password into it. With passkeys, your device cryptographically checks that it’s talking to the right site before responding. A fake site doesn’t get anything useful. Second, even if the website’s servers are completely breached, all the attacker gets is your public key, which, on its own, is useless. They can’t log in with it. They can’t reverse-engineer your private key.
Apple, Google, and Microsoft have all committed to passkeys and are rolling them out across their platforms. You’ve probably already encountered them. When a site offers to let you sign in with Face ID or your fingerprint instead of a password, that’s often a passkey in action. Microsoft now makes passkeys the default for new accounts, and according to their data, signing in with a passkey is 14 times faster than the traditional password-plus-2FA combination.
The transition won’t happen overnight. Millions of systems still run on passwords, and changing everything takes time. But the direction is clear: The technology exists, the big platforms are aligned, and the security case is airtight.
Conclusion
The honest truth about passwords is that the advice we’ve always been given is completely unreasonable. Even Fernando Corbató—the father of the computer password—would later admit that managing all his own passwords had become, and I’m quoting loosely here, “a kind of nightmare.”
So the next time you’re staring at a “create a password” prompt and you feel the gravitational pull of “Skeeter1987!”—pause for a moment. Open your password manager. Let it generate something genuinely uncrackable. Enable two-factor authentication. And if the site supports passkeys, use those instead.
Because passwords, for all their flaws, are still the front door to your digital life. And unlike an actual front door, you don’t get to see who’s rattling the handle.
The hackers are out there, running their dictionary attacks, stuffing credentials, and counting on you to reuse “password123” across 17 accounts. The best thing you can do is make yourself the boring house on the block. Give them nothing to work with.