Around one-third of people use a password manager. Jake Moore, cybersecurity expert at ESET, a European cybersecurity firm, calls that number “criminally low.”
It’s a striking phrase for what is, on its surface, a mundane piece of software. But Moore’s case for password managers goes beyond convenience. When people invent their own passwords, they pull from familiar material — names, words, dates — details that a determined attacker may already have. A password manager removes that instinct entirely, generating long, randomized strings that no human would choose and no human needs to remember.
There’s a persistent misconception, according to Moore, that storing passwords in an online vault protected by a single master password is itself a security risk. The vault doesn’t work that way. Passwords are encrypted on the user’s device using a key derived from the master password, and only the scrambled ciphertext reaches the provider’s servers — data the provider cannot read without that key.
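To make the vault model concrete, here is an added example (written for this page, not code from ESET or any password-manager vendor) of the client-side step the paragraph describes: a key is derived from the master password with a slow KDF, the entry is encrypted on the device, and the record that would be uploaded contains only salt, nonce and ciphertext. Real products differ in details (several use Argon2 rather than PBKDF2, and wrap a random vault key instead of encrypting entries directly); the `VaultRecord` layout, the `EncryptEntry`/`DecryptEntry` names and the sample entry are all assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// KDFIterations follows OWASP's current guidance for PBKDF2-HMAC-SHA256.
// A slow KDF is what makes guessing the master password offline expensive
// for anyone who obtains the stored ciphertext.
const KDFIterations = 600_000

// pbkdf2SHA256 derives keyLen bytes from a password and salt (RFC 8018).
// Implemented inline so the example depends only on the standard library.
func pbkdf2SHA256(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	hashLen := prf.Size()
	numBlocks := (keyLen + hashLen - 1) / hashLen
	out := make([]byte, 0, numBlocks*hashLen)
	for block := 1; block <= numBlocks; block++ {
		prf.Reset()
		prf.Write(salt)
		var be [4]byte
		binary.BigEndian.PutUint32(be[:], uint32(block))
		prf.Write(be[:])
		u := prf.Sum(nil)
		t := make([]byte, hashLen)
		copy(t, u)
		for i := 1; i < iterations; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// VaultRecord is everything that would be sent to the provider (hypothetical layout).
// None of these fields is secret on its own; without the master password they are useless.
type VaultRecord struct {
	Salt       []byte // per-record KDF salt
	Nonce      []byte // AES-GCM nonce
	Ciphertext []byte // encrypted entry plus authentication tag
}

// EncryptEntry runs entirely on the user's device.
func EncryptEntry(master, plaintext []byte) (*VaultRecord, error) {
	rec := &VaultRecord{Salt: make([]byte, 16), Nonce: make([]byte, 12)}
	if _, err := rand.Read(rec.Salt); err != nil {
		return nil, err
	}
	if _, err := rand.Read(rec.Nonce); err != nil {
		return nil, err
	}
	key := pbkdf2SHA256(master, rec.Salt, KDFIterations, 32)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// The salt is bound as associated data so it cannot be swapped between records.
	rec.Ciphertext = gcm.Seal(nil, rec.Nonce, plaintext, rec.Salt)
	return rec, nil
}

// DecryptEntry re-derives the key; a wrong master password fails the GCM tag check.
func DecryptEntry(master []byte, rec *VaultRecord) ([]byte, error) {
	key := pbkdf2SHA256(master, rec.Salt, KDFIterations, 32)
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, rec.Nonce, rec.Ciphertext, rec.Salt)
	if err != nil {
		return nil, errors.New("decryption failed: wrong master password or tampered record")
	}
	return pt, nil
}

func main() {
	// Constructed sample values, not real credentials.
	master := []byte("correct horse battery staple")
	rec, _ := EncryptEntry(master, []byte("example.com: Zq8!vT2#mLp9$wRx"))
	fmt.Printf("provider stores %d bytes of ciphertext\n", len(rec.Ciphertext))
	_, err := DecryptEntry([]byte("wrong master"), rec)
	fmt.Println("wrong master password:", err)
}
```

The provider-side view is the `VaultRecord`: an attacker who dumps the server database gets salts, nonces and ciphertext, and the cost of turning that into passwords is one PBKDF2 run per guess of the master password.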
The layer most platforms still don’t enforce
Even a strong password can fail. National cybersecurity agencies recommend passwords of between 14 and 16 characters to deter opportunistic attacks, but Moore argues that figure alone offers false confidence. Multi-factor authentication adds a second checkpoint: a code sent to a phone, or better still, an authenticator app, which Moore describes as “a wonderful next level.” SMS-based codes are the weakest form, he notes, though still better than nothing.
His frustration centers on how platforms handle enforcement. He singles out Instagram by name. The platform, he says, only prompts users about MFA once an account reaches 10,000 followers — a threshold calculated around the fear of losing an audience rather than protecting users from the start. “That to me is absurd,” Moore says. The logic, as he describes it, is that users with nothing to lose at signup might abandon the process if asked to do one more thing. Security yields to onboarding.
Until platforms mandate multi-factor authentication at the point of account creation rather than at a follower milestone, Moore argues, users will keep discovering their accounts compromised after the fact.
The case for skipping passwords altogether
Passkeys exist. They are already being adopted, and Moore believes they represent the cleaner solution — not because they are sophisticated, but because they are simple enough to remove the choices that cause problems.
A passkey replaces the typed password with a sign-in tied to a device or a fingerprint. Cryptographic keys handle the authentication behind the scenes; the user sees none of it. What disappears along with the password is the temptation to recycle an old one, or append a familiar number to something already compromised. Moore notes that people he speaks to are sometimes suspicious of passkeys precisely because they feel too easy — a reaction that captures the central problem with password security. The harder it feels, the more people trust it, even when the difficulty is the vulnerability.
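The “cryptographic keys behind the scenes” can be shown in a few dozen lines. The following is an added example, not code from the article or from any passkey standard: a simplified model of the FIDO2/WebAuthn idea in which the device keeps a private key scoped to one relying party, the server stores only the public key, and sign-in is a single-use challenge signed by the device. The `Authenticator` and `RelyingParty` types, the `rpID|challenge` message format and the sample site names are all assumptions made for illustration; the real protocol carries more structure than this.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models the user's device. Private keys never leave it,
// and each key is tied to the relying party it was created for.
type Authenticator struct {
	keys map[string]*ecdsa.PrivateKey // relying-party ID -> private key
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
}

// Register creates a fresh key pair for rpID and hands back only the public half.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return &priv.PublicKey, nil
}

// Sign answers a challenge for rpID. The RP ID is part of the signed message,
// and a look-alike site has no credential on the device at all, so a relayed
// challenge from it cannot be answered.
func (a *Authenticator) Sign(rpID string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, errors.New("no credential registered for " + rpID)
	}
	digest := sha256.Sum256(append([]byte(rpID+"|"), challenge...))
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// RelyingParty models the server. It holds public keys only, so a database
// leak gives an attacker nothing that can be replayed or cracked.
type RelyingParty struct {
	id      string
	users   map[string]*ecdsa.PublicKey
	pending map[string][]byte // one outstanding challenge per user
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{id: id, users: map[string]*ecdsa.PublicKey{}, pending: map[string][]byte{}}
}

func (rp *RelyingParty) Enroll(user string, pub *ecdsa.PublicKey) { rp.users[user] = pub }

// Challenge issues 32 random bytes; randomness is what stops replay.
func (rp *RelyingParty) Challenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.pending[user] = c
	return c, nil
}

// Verify checks the signature against the stored public key and consumes the challenge,
// so the same signature presented twice is rejected.
func (rp *RelyingParty) Verify(user string, sig []byte) bool {
	pub, ok := rp.users[user]
	c, pendingOK := rp.pending[user]
	if !ok || !pendingOK {
		return false
	}
	delete(rp.pending, user)
	digest := sha256.Sum256(append([]byte(rp.id+"|"), c...))
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	// Constructed sample site and user, not real accounts.
	device, site := NewAuthenticator(), NewRelyingParty("example.com")
	pub, _ := device.Register("example.com")
	site.Enroll("alice", pub)
	ch, _ := site.Challenge("alice")
	sig, _ := device.Sign("example.com", ch)
	fmt.Println("sign-in accepted:", site.Verify("alice", sig))
	fmt.Println("replay accepted:", site.Verify("alice", sig))
}
```

There is no shared secret anywhere in this exchange: the user never types anything that could be reused elsewhere, and nothing stored on the server lets an attacker log in as the user.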
The three positions Moore holds are consistent: automate what humans do badly, add verification layers where they’re missing, and where possible, remove the password from the equation entirely.
This article is a curated summary based on third-party sources.