Passwords and passkeys
Stop reusing passwords. Use a password manager and passkeys where you can. The setup that matters in 2026.
Most account compromises trace back to one of two things: a password reused across sites (so a breach at one site unlocks the others), or a password typed into a fake login page. Both are solvable with tools you already own.
Use a password manager
A password manager generates a unique, long, random password for every account and fills it in for you. You only remember one master password, which should itself be long (a few random words is a good pattern) and used nowhere else. Your phone almost certainly has one built in. iCloud Keychain on Apple devices and Google Password Manager on Android both work across browsers and apps. Bitwarden, 1Password and Proton Pass are good cross-platform alternatives if you switch ecosystems often. The choice matters less than actually using one.
Use passkeys when offered
A passkey replaces the password entirely. You sign in by unlocking your phone or laptop, which uses a private key that never leaves your device; the site only stores the matching public key, and the key is tied to the real site's address, so a lookalike page cannot use it. There is nothing to type, nothing to phish, nothing to remember. Apple, Google and Microsoft all support passkeys, and many major sites including banks, email providers and social networks now offer them. When a site says 'set up a passkey' or 'sign in with passkey', say yes. Passkeys created on a phone or laptop sync between your devices through your password manager; one stored on a hardware security key stays on that key, so register a second key or another sign-in method as a backup.
Two-factor authentication
On accounts that still use a password, turn on two-factor authentication. Prefer an authenticator app (the six-digit codes that change every 30 seconds, computed from a secret the site shared with the app when you enrolled) or a passkey over SMS. SMS codes can be intercepted by SIM-swap attacks, where someone persuades your carrier to move your number to their SIM. Your phone's built-in authenticator works fine for most people. Save the recovery codes the site gives you somewhere safe, ideally in your password manager, because they are the way back in if you lose the phone.
What good practice looks like
Long, unique, machine-generated passwords for every account. A password manager that fills them in. Passkeys wherever supported. Two-factor authentication on email, banking, government services and anything financial. Recovery codes saved. That is most of the work, and it takes one quiet hour to set up.
Don't bother with
Changing passwords on a schedule for the sake of it. Current guidance from the UK's NCSC and other European security agencies is to change a password only when there is reason to think it was exposed. Forced rotation makes people pick weaker, predictable passwords (the old one with a number bumped), not stronger ones. The same applies to obscure character requirements: length and uniqueness matter far more than punctuation, and a 20-character password of letters and digits is far stronger than a 12-character one padded with symbols.
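To put numbers on the "length beats punctuation" point, and to show what a password manager's generator does under the hood (the machine-generated passwords from the section above), here is an added example written for this page, not code from any manager. It uses Python's secrets module, which is the CSPRNG-backed API intended for this job; the short word list is constructed for illustration, and a real passphrase generator would use a published list such as EFF's 7,776-word list.

```python
"""Added example: machine-generated passwords and why length matters more than symbols.

Not from the original page. Uses only the Python standard library.
"""
import math
import secrets
import string

ALPHANUMERIC = string.ascii_letters + string.digits        # 62 symbols
WITH_PUNCTUATION = ALPHANUMERIC + string.punctuation       # 94 symbols

# Constructed toy word list for illustration only; a real generator uses a large
# published list (EFF's long list has 7,776 words, about 12.9 bits per word).
TOY_WORDS = ["copper", "lantern", "orbit", "velvet", "marble", "falcon", "tundra", "quartz"]


def generate_password(length: int = 20, alphabet: str = ALPHANUMERIC) -> str:
    """Each position is chosen independently with the OS CSPRNG; no position is 'required'."""
    if length < 1 or len(alphabet) < 2:
        raise ValueError("need a positive length and at least two symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words=TOY_WORDS, count: int = 6) -> str:
    """Diceware-style passphrase: a good shape for the one master password you must remember."""
    return " ".join(secrets.choice(words) for _ in range(count))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy for `length` independent uniform picks from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def compare_policies() -> dict:
    """Entropy of common 'complexity' policies against plain long alphanumeric passwords."""
    return {
        "8 chars, symbols required": entropy_bits(8, len(WITH_PUNCTUATION)),    # ~52 bits
        "12 chars, symbols required": entropy_bits(12, len(WITH_PUNCTUATION)),  # ~79 bits
        "16 chars, letters+digits": entropy_bits(16, len(ALPHANUMERIC)),        # ~95 bits
        "20 chars, letters+digits": entropy_bits(20, len(ALPHANUMERIC)),        # ~119 bits
        "6 words from a 7776-word list": entropy_bits(6, 7776),                 # ~78 bits
    }


if __name__ == "__main__":
    print("password:  ", generate_password())
    print("passphrase:", generate_passphrase())
    for policy, bits in compare_policies().items():
        print(f"{bits:6.1f} bits  {policy}")
```

The comparison is the whole argument of this section in numbers: adding eight more alphanumeric characters roughly doubles the entropy, while forcing symbols into a short password adds only a few bits and pushes people toward "Password1!" patterns. None of this applies to reused passwords, which fall to a breach elsewhere regardless of their strength.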