Passkeys Are Replacing Passwords. Until Then, Here’s How to Make Ones That Don’t Get You Hacked
Your phone has probably already asked you to do it. You go to log in, and instead of typing a password, it offers to use your fingerprint or face. That’s a passkey. The big platforms are pushing them hard, and for once the hype is justified: passkeys fix the thing that has made passwords miserable for thirty years.
Here’s the catch. You still have dozens of accounts that only do passwords, and you will for a good while yet. So this is two things in one: a plain explainer on what passkeys are and why they’re better, and a practical guide to making passwords that actually hold up until the rest of the internet catches up.
What a passkey actually is (no jargon)
A password is a shared secret. You know it, the website knows it, and that’s the problem: anything two parties share can be stolen, guessed, phished, or leaked in a breach.
A passkey works differently. When you create one, your device makes a pair of keys. One, the private key, stays locked on your device and never leaves it. The other, the public key, goes to the website. To log in, the site sends a one-time challenge and your device proves it holds the private key by signing that challenge (usually after you unlock it with your face, fingerprint, or PIN). The site never stores a secret that’s worth stealing, and there’s nothing for you to type, remember, or accidentally hand to a fake login page.
That last point matters more than people realize. A few things passwords can’t do:
- You can’t be phished out of a passkey. It only works on the real site it was made for.
- There’s no password database for hackers to dump, because the secret never lived on the server.
- You can’t reuse a passkey across sites, so one breach can’t cascade into ten more.
So why are you still typing passwords?
Because the rollout is messy. Plenty of sites still don’t support passkeys. Syncing them across an iPhone, a Windows laptop, and an Android tablet can get awkward depending on which ecosystem you’re in. Account recovery (what happens when you lose the device) is still a rough edge. And a lot of services that do offer passkeys quietly keep your old password as a fallback, which means the weak link is still sitting there.
Translation: you’ll be living in a hybrid world for years. Use passkeys everywhere they’re offered, absolutely. But your passwords still guard most of your accounts, so they need to be good.
How passwords actually get cracked
If you understand the attacks, the rules stop feeling arbitrary. There are basically three:
- Credential stuffing. The most common one by far. A site gets breached, a list of email and password pairs leaks, and attackers try those same pairs on every other service. If you reused that password, they’re now in your email too. This is why reuse is the cardinal sin.
- Dictionary attacks. They don’t guess randomly. They run through common passwords, real words, names, dates, and the predictable tricks (swapping “a” for “@”, sticking a “1!” on the end). “P@ssw0rd1!” falls in seconds.
- Brute force. Trying every combination. This is the one pure length defeats: each extra random character multiplies the number of combinations by the size of the character set, so the time it takes grows exponentially with length.
Notice what does the work here: length, randomness, and never reusing. The fussy “must contain a symbol” rules barely matter next to those.
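Here is an added example, not the page’s strength checker, that models the three attacks just described so you can see why “P@ssw0rd1!” falls while a long random string does not. The mini-dictionary, the substitution table and the guess rate (1e10 guesses per second against a fast hash) are constructed assumptions; a real attacker’s list has many millions of entries and far more mangling rules.

```javascript
// Added illustration of the three attacks. Dictionary, substitution table and
// guess rate are constructed assumptions, not figures from the original page.

// A tiny stand-in for a leaked-password list.
const DICTIONARY = new Set(['password', 'welcome', 'letmein', 'qwerty', 'dragon', 'summer']);

// Substitutions a dictionary attack undoes before comparing (constructed subset).
const LEET = { '@': 'a', '4': 'a', '3': 'e', '1': 'i', '!': 'i', '0': 'o', '$': 's', '5': 's', '7': 't' };

// Assumed attacker speed against a fast hash (placeholder figure).
const GUESSES_PER_SECOND = 1e10;
const SECONDS_PER_YEAR = 365.25 * 24 * 3600;

// Dictionary attack: strip a "1!" style suffix, undo leetspeak, lowercase, then look up.
function baseWord(password) {
  const trimmed = password.replace(/[^a-zA-Z]+$/, '');
  return trimmed.split('').map((c) => LEET[c] || c).join('').toLowerCase();
}

// Brute force: combinations = (alphabet size) ^ length, so every extra character
// multiplies the attacker's work by the alphabet size.
function alphabetSize(password) {
  let size = 0;
  if (/[a-z]/.test(password)) size += 26;
  if (/[A-Z]/.test(password)) size += 26;
  if (/[0-9]/.test(password)) size += 10;
  if (/[^a-zA-Z0-9]/.test(password)) size += 32; // printable ASCII punctuation
  return size;
}

// Rate a password against all three attacks; the cheapest attack that works wins.
function rate(password, reusedElsewhere = false) {
  const base = baseWord(password);
  const inDictionary = DICTIONARY.has(base);
  const bits = password.length * Math.log2(alphabetSize(password) || 1);
  const bruteForceYears = Math.pow(2, bits) / GUESSES_PER_SECOND / SECONDS_PER_YEAR;

  let verdict;
  if (reusedElsewhere) verdict = 'falls to credential stuffing: already in a leaked list';
  else if (inDictionary) verdict = `falls to a dictionary attack: it is "${base}" with tricks`;
  else if (bruteForceYears < 1) verdict = 'falls to brute force within a year';
  else verdict = 'holds up against all three';

  return { base, inDictionary, bits: Math.round(bits), bruteForceYears, verdict };
}
```

The instructive case is “P@ssw0rd1!”: by the brute-force count it is about 66 bits, which the assumed rig would not finish in a year, yet `rate('P@ssw0rd1!')` reports a dictionary hit on “password” because the attacker never brute-forces what a rule can reconstruct. A 16-character random string from all four classes lands near 105 bits and no cheap attack applies; pass `true` as the second argument to see how reuse overrides everything else.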
What a password that survives looks like
A few rules that actually move the needle:
- Long beats clever. Aim for 16 characters or more. A long random string, or a passphrase of four or five unrelated words, both work. Length is the single biggest factor.
- Unique for every account. This is the one that saves you when a site you forgot about gets breached. No exceptions for the “important” accounts.
- Random, not personal. No birthdays, pet names, or anything a quick look at your social media would reveal.
- Let a tool remember them. Nobody can memorize 80 unique 20-character strings. A password manager is what makes “unique everywhere” realistic.
Make one right now
Don’t invent passwords in your head. We’re bad at randomness, and patterns we think are clever are the exact patterns attackers try first. Generate them instead.
The password generator and strength checker does both: it spits out long random passwords you can tune for length and character types, and it rates the strength of one you already use so you can spot the weak ones. Two things worth knowing about it. It runs entirely in your browser, so the passwords are generated on your device and never sent anywhere (which is the only way you should trust an online password tool). And the strength meter is a quick sanity check, not a promise: a result of “strong” still means nothing if you’ve used that password somewhere else.
Generate a fresh one, drop it into your password manager, and move on. That’s the whole ritual.
A short checklist
- Turn on passkeys anywhere a site offers them.
- For everything else, use a generated, unique password per account.
- Turn on two-factor authentication, ideally an app or a hardware key rather than SMS.
- Use a password manager so “unique everywhere” is actually doable.
- If you reused one password in the past, change it on your email and bank first. Those are the dominoes that knock over everything else.
FAQ
Are passkeys actually safe?
Yes, and safer than passwords for most people. The secret never leaves your device and can’t be phished or leaked in a server breach. The main wrinkles are device loss and account recovery, which are improving.
Do I still need strong passwords if I use passkeys?
Yes. Most sites don’t support passkeys yet, and many that do keep your password as a fallback. A weak fallback undoes the benefit.
Is it safe to use an online password generator?
Only if it runs in your browser and never sends the password anywhere. The generator here works locally, so nothing leaves your device.
What makes a password strong?
Length first (16+ characters), true randomness, and being unique to that one account. Symbol-juggling matters far less than those three.
Ready? Generate a strong one with the password generator & strength checker (it runs locally, nothing is uploaded), then store it in your manager.