Passwords Are Dying: A Practical Guide to Passkeys in 2026
Why passwords keep failing, how to fix them today, and how passkeys quietly replace passwords with phishing-resistant, passwordless login.

People assume a strong password is enough. It isn't anymore.
I learned this the boring way — not from a dramatic hack, but from a notification. A site I had used years earlier sent an email: their database had leaked, and my old password was in it. The password itself didn't worry me. What worried me was the honest question that followed: where else did I use that? I couldn't remember. And that not-remembering is the entire problem in one sentence.
This is a practical guide. By the end, you'll understand why passwords fail, what actually makes one strong, why a password manager isn't optional, what two-factor authentication really does, and the bigger shift happening right now — passkeys, which quietly remove the password from the equation altogether.
Why passwords fail
Passwords fail for three reasons, and they compound.
Reuse. Most people have a handful of passwords they rotate across dozens of accounts. It feels efficient. It's a single point of failure. When one site leaks — and sites leak constantly — attackers take that email-and-password pair and try it everywhere else automatically. This is called credential stuffing, and it works precisely because reuse is so common.
Phishing. You can have a flawless, unique, 30-character password and still hand it straight to a criminal. A convincing email, a fake login page, a moment of distraction — and you type your password into the attacker's form yourself. The password's strength is irrelevant. You gave it away. (I wrote more about this in How to Protect Yourself from Phishing.)
Breaches. Companies get breached. Not occasionally — routinely. Your good habits can't protect a password sitting in someone else's leaked database. The only defense is making sure that one leaked password unlocks exactly one door, not all of them.
Notice the pattern: none of these are about you choosing a weak password. They're structural. The password system itself is the weak point.
What actually makes a password strong
If you take one thing from this section: length beats complexity, and uniqueness beats both.
For years we were told to use P@ssw0rd! — a short word mangled with symbols. It turns out computers find those patterns easy to guess and humans find them hard to remember. The worst of both worlds.
A long passphrase is far stronger and far easier to live with. Four or five random words — something like copper-violin-harbor-thunder — is more resistant to cracking than a tortured eight-character string, because strength comes down to how many equally likely possibilities an attacker has to try, and every added random word multiplies that number far more than swapping an o for a 0 does. The one condition is that the words really are random: let a generator or a set of dice pick them, not your memory of favorite things.
But here's the catch that undoes everything: a strong password you reuse is still a reused password. The day that one site leaks, your strength evaporates. So the real rule isn't "make it strong." It's "make it strong and different on every single site." And no human can do that across a hundred accounts.
Which is why we don't ask humans to.
Why a password manager is non-negotiable
A password manager is an encrypted vault. It generates a long, random, unique password for every account, stores it, and fills it in for you. You remember one master password. It remembers the rest.
This isn't a productivity nicety. It's the thing that makes "unique password per site" actually possible. Without it, the rule is good advice you'll never follow. With it, the rule becomes automatic.
I use one daily. Bitwarden is free and genuinely excellent. 1Password is polished and worth paying for. Apple's built-in Passwords app and Google's password manager are both solid and already on your devices. The specific tool matters far less than the fact that you use one at all.
A quiet bonus: a good password manager refuses to autofill on the wrong domain. If you land on a convincing fake of your bank, the manager simply won't offer the password, because the web address doesn't match the one the password was saved for. A fake page can copy the bank's logo and layout exactly, but it can't copy the bank's domain. Your own caution can fail; the manager's domain check doesn't get tired or rushed.
What 2FA is, and why not all of it is equal
Two-factor authentication (2FA) adds a second proof to your login. The first factor is something you know (your password). The second is something you have (your phone, an authenticator app, a hardware key). Even if someone steals your password, they're stopped at the second door.
Turn it on everywhere that matters — email first, because your email is the master key that resets everything else.
But the kind of second factor matters more than people realize:
- SMS codes are the weakest form. They're better than nothing, but texts can be intercepted, and attackers can hijack your phone number through "SIM swapping" — convincing your carrier to move your number to their device. Use SMS only when nothing better is offered.
- Authenticator apps (like Google Authenticator, Authy, or the one built into your password manager) generate codes on your device from a secret the site shared with you once, when you scanned its QR code. Nothing travels over the phone network, so there's nothing to intercept or SIM-swap. One limit remains: the code is just a number, and a convincing fake login page can ask you for it and relay it to the real site within the 30 seconds it's valid.
- Hardware keys (like a YubiKey) are the strongest. A small physical device you tap or plug in. Phishing-resistant by design: the answer it produces is tied to the web address of the site you're actually on, so a fake site gets a response the real site will reject, and there's no code for you to type into the wrong place.
The rule of thumb: app or hardware over SMS, every time.
The bigger shift: passkeys
Here's where it gets genuinely hopeful. The strongest answer to all of this isn't a better password. It's no password at all.
A passkey lets you sign in with your device and whatever already unlocks it: your fingerprint, your face, or your device PIN. There's no password to type, to leak, to reuse, or to phish.
In plain English: when you create a passkey, your device generates two mathematically linked keys. One, the private key, stays locked on your device and never leaves it. The other, the public key, is handed to the website. To log in, the website sends a fresh random challenge; your device signs it with the private key, which you unlock with your fingerprint or face, and the website checks the signature with the public key it holds. The secret half never travels across the internet, so a breach of the website exposes only the public half, which is useless on its own, and a fake page has nothing worth capturing.
That last point is the quiet revolution. Passkeys are phishing-resistant by design. A passkey is bound to the web address it was created for, and your browser will only offer it on that address. Land on a convincing fake of your bank and nothing happens: the lookalike address has no passkey, and there's no password field for you to fill in by mistake. The whole category of "I was tricked into typing my password" disappears.
Passkeys are backed by Apple, Google, and Microsoft together, through the FIDO Alliance, which is why they actually work across your phone, laptop, and browser. Passkeys kept in your Apple, Google, or password-manager account sync between your devices, so a new phone doesn't mean starting over. Passkeys stored on a hardware security key are the exception: they stay on that key, so register a second key as a backup.
Setting it up
Here's the order I'd actually do it in. It takes an afternoon, and you only do the heavy lifting once.
How to set up a password manager + passkeys
A step-by-step path from reused passwords to a password manager and passkeys on your most important accounts.
Estimated time: about 1 hour
You'll need
- A password manager (Bitwarden, 1Password, Apple Passwords, or Google)
- Your phone with fingerprint or face unlock
- An authenticator app or a hardware security key
1. Choose and install a password manager
Pick one — Bitwarden (free), 1Password, or the built-in Apple Passwords or Google manager. Install it on your phone, computer, and browser as an extension.
2. Create one strong master password
Use a long passphrase of four or five random words. This is the only password you'll memorize. Never reuse it anywhere else, and don't store it inside the manager it protects.
3. Secure your email first
Change your email password to a long, random one generated by the manager, then turn on two-factor authentication using an authenticator app or hardware key — not SMS. Your email resets everything else, so it comes first.
4. Replace reused passwords on key accounts
Log into your bank, main social accounts, and any shopping sites with your card on file. Let the manager generate a unique password for each and save it. Do the rest over the coming weeks.
5. Add passkeys where offered
On those same key accounts, look in security settings for 'Add a passkey' or 'Sign in without a password.' Create one using your fingerprint or face. Keep your password and 2FA as backup.
6. Test the recovery path
Confirm you can still get in if you lose your phone: check that passkeys sync to your account, and save your 2FA backup codes in your password manager. If you use a hardware key, register a second one and keep it somewhere safe, because passkeys stored on a hardware key don't sync anywhere.
A realistic expectation
I won't pretend this is frictionless. The first afternoon is fiddly. Some sites still bury their passkey option three menus deep, and a few don't offer it yet. You'll occasionally hit an app that hasn't caught up.
But the trajectory is clear, and you feel the payoff almost immediately. Logging in with a fingerprint instead of fishing for a password is faster and safer — a combination security advice almost never offers. For once, the secure path is also the easier one.
The honest summary: passwords aren't gone, but they're being demoted from "the lock on your life" to "a fallback you rarely think about." That's exactly where they belong.
FAQ
Frequently asked questions
- If passkeys live on my device, what happens when I lose my phone?
- Your passkeys sync securely through your Apple, Google, or password-manager account, so signing in on a new device restores them. You're not relying on one physical phone. The exception is a passkey stored on a hardware security key, which stays on that key; keep a second key registered as a backup. This is also why setting up account recovery and saving backup codes matters.
- Are passkeys actually safer than a strong password plus 2FA?
- Yes, mainly because they're phishing-resistant by design. A strong password can still be typed into a fake site; a passkey is bound to the real web address and simply won't work on an impostor. There's also no shared secret stored on the server to leak in a breach.
- Do I have to stop using passwords completely?
- No. Passkeys and passwords coexist. Most sites let you add a passkey while keeping your password as a backup. Start with your most important accounts and let the rest migrate as support grows.
- Is SMS two-factor authentication useless?
- Not useless — it's much better than no second factor. But it's the weakest option because texts can be intercepted and phone numbers can be hijacked through SIM swapping. Use an authenticator app or a hardware key whenever the site offers one.
- I only have a few passwords I reuse. Is that really a problem?
- It's the most common problem there is. The day any one of those sites leaks, attackers will try that email-and-password pair everywhere automatically. A password manager fixes this by making every site's password different, so a single breach stays contained.
Further reading on this site
- How to Protect Yourself from Phishing
- What is Cybersecurity? A Plain-English Guide