Too many passwords
As I republish some old content, I’m updating some of it. This article was originally posted in 2012, but I’m updating in 2026.
I frequently get asked how I deal with so many passwords — I can think of at least 25 right off the top of my head that I use multiple times per week. At work people are consistently commenting (complaining) about the number of passwords that they have.
In this article, I’m going to put out what I think are some common sense practices that just about anyone can use to help keep their data reasonably secure and still be able to deal with their passwords efficiently.
Let me start by saying that when it comes to your job, and any of your work devices, I would recommend that you talk to your company’s IT staff about what they require (and recommend) for their equipment. I do expect that everyone would fully comply with their corporate IT policy & procedures, even if what they say is in direct contradiction to what I am writing here. Nothing I write in here should be construed as an attack, or a critique of what might be happening at your place of work.
With that out of the way …
I want to start with a couple of common sense rules that should help keep your information more secure.
- Use a separate password for each of your accounts.
- Use the longest password that any site will allow.
- Use a password manager so you don’t have to remember everything.
- Don’t use real answers for your security questions.
- Use different answers for all of your security questions.
- Enable multifactor authentication for every account that supports it.
- Use passkeys for every account that supports it.
These days, it is difficult to have a unique password for every account – especially if you want to keep all of your passwords in your head. Nonetheless, this is the goal.
You’ll see lots of sites that say that your password should be at least X characters long, and blah blah blah. The simple fact of the matter is that you should be more focused on the maximum length of a password than the minimum length. Studies show conclusively that the longer your password is, the harder it is to guess – and to crack. The more character classes you can use, the better.
That last sentence sounds terribly geeky, so let’s take a second to unpack it. In your average correctly capitalized and punctuated sentence, one uses 3 out of 4 commonly identified character classes — upper case letters, lower case letters, & punctuation (these can also be called symbols). The 4th character class is digits.
I can imagine the groans about using long passwords, but let us not forget that we’re going to be using a password manager; so remembering the password is a non-issue.
In the past, I had recommended thinking of a sentence, and basing a password on that. Something like, ‘A1d1wWwnmw’ as a password based on the sentence, ‘All I do is win, win, win; n0 matter what.’ Then a few years ago the recommendation was to just use the entire sentence, punctuation and all. And to be honest, if you have a password that you just have to remember (like the password to get into your password manager), this is a great approach. It provides a long passphrase that is easy to remember and still long enough to be secure.
Let’s do some math. The first “classic” password in the previous paragraph uses 3 of the 4 character classes discussed above, and is 10 characters long. This represents a search space depth of 62 characters — that’s 26 lower case letters + 26 upper case letters + 10 digits. We end up with a search space size of 8.53 x 10^17. The search space size tells us the number of potential permutations of a 10 character string from an “alphabet” of 62 letters.
While 10 to the 17th power may seem like a large number, it’s nothing for a computer.
Let’s look at the password that’s made of a full sentence. The way it is written up above, it uses all 4 of the typable character classes, giving us a search space depth of 95 characters. Its 42-character length gives a much larger search space size — 1.17 x 10^83.
Sorry about geeking out there, but I wanted to make sure that you got the point. This math isn’t an indicator of password strength. It is an indicator of how many possible permutations there are of a given password. Password strength is more than just math. After all, you can get a search space size of 3 x 10^83 by using a single character repeated 59 times. I don’t know many people who would consider that a strong password.
What that math does tell us is that the longer a password is, the more entropy it has, and each additional character adds significantly more entropy. That works to our advantage because we can make an easy-to-remember password that has a high degree of entropy.
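As an added example (not from the original article), here is the search-space arithmetic above in code, run over the three passwords discussed, with the “one character repeated 59 times” caveat made measurable. The helper names are hypothetical; the symbol class is taken as the 33 printable ASCII characters that are not letters or digits.

```javascript
// Character classes and their sizes; together they make up the 95 printable ASCII characters.
const CLASSES = [
  { name: 'lower',  size: 26, re: /[a-z]/ },
  { name: 'upper',  size: 26, re: /[A-Z]/ },
  { name: 'digit',  size: 10, re: /[0-9]/ },
  { name: 'symbol', size: 33, re: /[ -\/:-@\[-`{-~]/ },  // space and the other 32 punctuation marks
];

// Hypothetical helper: search space depth and size for one password.
function searchSpace(password) {
  const used = CLASSES.filter(c => c.re.test(password));
  const depth = used.reduce((n, c) => n + c.size, 0);      // alphabet size, e.g. 62 or 95
  const size = BigInt(depth) ** BigInt(password.length);  // depth^length, computed exactly
  const digits = size.toString();
  return {
    classes: used.map(c => c.name),
    depth,
    size,
    // "d.dd x 10^n" form, e.g. 62^10 -> "8.39 x 10^17"
    scientific: `${digits[0]}.${digits.slice(1, 3)} x 10^${digits.length - 1}`,
    // Entropy of a *uniformly random* string drawn from this alphabet: length * log2(depth).
    // It says nothing about how guessable this particular password is.
    bits: Math.round(password.length * Math.log2(depth)),
    // How much of that alphabet the password actually uses; the caveat in the text.
    distinct: new Set(password).size,
  };
}

// The three passwords from the article side by side.
function compare() {
  return {
    classic:  searchSpace('A1d1wWwnmw'),
    sentence: searchSpace('All I do is win, win, win; n0 matter what.'),
    repeated: searchSpace('a'.repeat(59)),  // enormous search space, a single distinct character
  };
}
```

The repeated-character case lands in the same 10^83 neighbourhood as the full sentence while using one distinct character, which is exactly why the search space alone says nothing about strength.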
Honestly though, pushing the strength and/or entropy of any given password further is an effort that yields diminishing rewards. Which is why we should be using passkeys whenever we possibly can.
A passkey is a cryptographic keypair that works similarly to the way that web sessions are encrypted (think HTTPS). The difference is that a web server presents the same key to everyone. A passkey creates a unique keypair between the server that you are logging into and the software and/or device that you used to create the passkey. Even if someone manages to “listen in” when the passkey is used, the information they gain is close to useless, since the private key in the pair lives on your device.
But the astute reader will be asking, “If passkeys are so all-fired hot, why use a password manager at all?” It’s an excellent question. The fact is that not all sites support passkeys. Passwords are likely to be a part of our lives for a long time, which means that we need to continue to pick the best passwords we can, and a good password manager can make that easy. Easier than you would probably think.
A good password manager will:
- store your passwords for you (obviously)
- run in your web browsers, on your phone, and ideally as an application on your computer
- recommend great passwords when adding new accounts or changing passwords
- tell you when you have reused a password (a big no-no)
- store one time passwords that you have set up for 2-factor authentication
- store your passkeys
- allow you to share items with others when you need to
With a good password manager, the average person won’t need to remember any passwords other than the one that unlocks the password manager.
Bitwarden isn’t my favorite password manager, but they offer a free product that is quite good. I do like the fact that they are based on open source, and that they allow for self-hosting your own server. If you opt to host your own Bitwarden server, your passwords can stay safe even if the Bitwarden website is compromised. It’s quite cool for the technically and privacy minded among us.
But these days, I’m using 1Password. It does all the stuff above and more. It’s easy to use, and a family plan costs around $5 / month.