7 Password Myths That Are Putting You at Risk
By Leo Martin · 7 min read
Here's the short version: most of the password "rules" we grew up with are outdated. The advice that actually keeps you safe is simpler than the old myths — make each password long and unique, and let a tool do the remembering. Let's clear up the seven misconceptions that trip people up most.
Myth 1: "You must change your passwords every month"
For years, workplaces forced people to reset passwords on a schedule. It felt responsible. In practice, it backfired. When you're made to invent a new password every few weeks, you don't create seven unrelated strong passwords — you nudge the same one along: Summer2025! becomes Summer2026!, then Autumn2026!. Attackers know this pattern well.
The modern guidance is to change a password when there's a reason: you've heard a service was breached, you shared a login with someone, or you suspect it leaked. Otherwise, a strong, unique password can quietly do its job for a long time. Rotating it on a calendar mostly creates predictable, weaker variations.
Myth 2: "Complexity matters more than length"
Cramming in symbols and capitals feels secure, but it's length and unpredictability that really make a password hard to crack. Each extra character multiplies the number of possible combinations an attacker has to work through. A long passphrase like four or five random words can be far stronger than a short, fiddly password with a sprinkle of punctuation — and you can actually type it.
If you want to see this for yourself, run a few examples through our password strength analyser. You'll usually find that adding length raises the strength score much faster than adding symbols does.
Myth 3: "Swapping letters for numbers makes you safe"
Replacing an a with @ or an e with 3 is one of the oldest tricks in the book — which is exactly the problem. Password-cracking software has these substitutions built in. Turning password into p@ssw0rd barely slows an attacker down, because the tools try those swaps automatically. Predictable patterns aren't randomness, no matter how clever they look.
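As an added illustration of Myths 2 and 3 (this is example code, not part of the original article), the Python sketch below puts rough numbers on the argument. A naive strength meter that only counts character classes credits p@ssw0rd with nearly 49 bits, while a pattern-aware estimate that undoes the standard substitutions and strips trailing digits, the way cracking rule sets do, leaves it at about 5 bits; a four-word random passphrase drawn from a 7776-word list scores about 52 bits. The eight-word list, the substitution table and the per-character bit costs are constructed, simplified assumptions for the illustration, not a real strength meter.

```python
import math

# Reverse map of the substitutions cracking rule sets apply ("@"->"a", "0"->"o", ...).
# Constructed table for this example; real rule sets are much larger.
LEET = str.maketrans("@$013457!", "asoieasti")

# Constructed stand-in for a cracker's wordlist (or a strength meter's blocklist).
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty",
                "monkey", "dragon", "football", "summer"}

# Characters that people (and "append" rules) tack onto the end of a base word.
SUFFIX_CHARS = "0123456789!"


def charset_size(pw: str) -> int:
    """Alphabet size a naive meter assumes from the character classes present."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 33  # printable ASCII punctuation
    return size


def naive_bits(pw: str) -> float:
    """Naive estimate: length * log2(alphabet), i.e. every character is random."""
    if not pw:
        return 0.0
    return len(pw) * math.log2(charset_size(pw))


def pattern_aware_bits(pw: str) -> float:
    """Estimate that models what a rule-based cracker actually has to guess.

    If the password is a known word plus substitutions and a suffix, the cost is
    roughly: pick the word from the list, decide each substitution (~1 bit each),
    and guess each suffix character (10 digits or ~33 symbols).
    """
    lowered = pw.lower()
    core = lowered.rstrip(SUFFIX_CHARS)
    suffix = lowered[len(core):]
    word = core.translate(LEET)
    if word not in COMMON_WORDS:
        # No recognised pattern: fall back to the naive estimate.
        return naive_bits(pw)
    swaps = sum(1 for a, b in zip(core, word) if a != b)
    suffix_bits = sum(math.log2(10) if ch.isdigit() else math.log2(33) for ch in suffix)
    return math.log2(len(COMMON_WORDS)) + swaps + suffix_bits


def passphrase_bits(n_words: int, dictionary_size: int = 7776) -> float:
    """Entropy of n_words chosen uniformly at random from a dictionary (7776 = Diceware)."""
    return n_words * math.log2(dictionary_size)


if __name__ == "__main__":
    for pw in ["p@ssw0rd", "Summer2025!", "kX9$tQ2m"]:
        print(f"{pw:14} naive {naive_bits(pw):5.1f} bits   "
              f"pattern-aware {pattern_aware_bits(pw):5.1f} bits")
    print(f"4 random words  {passphrase_bits(4):5.1f} bits")
```

The gap between the two columns is the whole story of Myth 3: the naive meter rewards the symbols, the pattern-aware one ignores them because the cracker does too. Real strength meters such as zxcvbn apply the same idea with far larger dictionaries and many more transformations.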
Myth 4: "Never write a password down"
This advice made sense in an office full of sticky notes on monitors. But a password on a slip of paper in a drawer at home is invisible to someone attacking you from the other side of the world. The far bigger danger is reuse — using one password across many sites, so a single leak unlocks your whole life.
A password manager is the better answer because it stores a different strong password for every account behind one master key. But if the choice is between writing unique passwords in a notebook you keep safe, or reusing the same one everywhere, the notebook wins.
Myth 5: "A strong password is enough on its own"
Even a brilliant password can be undone if a website is breached and your details leak, or if you're tricked into typing it on a fake login page. That's why two-factor authentication matters so much. With a second step — a code from an app, or a physical security key — a stolen password alone isn't enough to get in. Turn it on for your email, banking and anything important.
Myth 6: "Hackers are personally targeting me and my dog's name"
It's natural to imagine someone studying your life to guess your password. In reality, most attacks are automated and impersonal. Criminals take huge lists of usernames and passwords from old breaches and try them across thousands of sites at once, betting that people reuse logins. They rarely care about you specifically — they care about volume. I cover exactly how this works in my article on how hackers actually guess your passwords.
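To make the "volume, not you" point concrete from the defender's side, here is an added Python example (not from the original article) that scans a small constructed sample of login events for the signature of credential stuffing: one source address trying many different usernames in a short window, with the occasional success that marks a reused password. The log format, the thresholds and the IP addresses (documentation ranges) are all assumptions for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of login events: timestamp, source IP, username, outcome.
# 203.0.113.7 cycles through six accounts in six seconds (stuffing pattern);
# 198.51.100.23 is an ordinary user mistyping their own password twice.
SAMPLE_LOG = """\
2025-03-01T10:00:01Z 203.0.113.7 alice FAIL
2025-03-01T10:00:02Z 203.0.113.7 bob FAIL
2025-03-01T10:00:03Z 203.0.113.7 carol FAIL
2025-03-01T10:00:04Z 203.0.113.7 dave FAIL
2025-03-01T10:00:05Z 203.0.113.7 erin FAIL
2025-03-01T10:00:06Z 203.0.113.7 frank OK
2025-03-01T10:05:00Z 198.51.100.23 carol FAIL
2025-03-01T10:05:20Z 198.51.100.23 carol FAIL
2025-03-01T10:05:40Z 198.51.100.23 carol OK
"""


def parse_log(text: str) -> list[tuple[datetime, str, str, str]]:
    """Turn the sample lines into (time, ip, user, outcome) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome))
    return events


def detect_credential_stuffing(text: str, window_seconds: int = 60,
                               min_users: int = 5) -> dict:
    """Flag source IPs that try >= min_users distinct usernames inside window_seconds.

    For each flagged IP, also list accounts that logged in successfully from it
    inside the window: those are the reused passwords that actually worked.
    """
    by_ip = defaultdict(list)
    for ev in parse_log(text):
        by_ip[ev[1]].append(ev)

    window = timedelta(seconds=window_seconds)
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most window_seconds.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            recent = evs[start:end + 1]
            users = {e[2] for e in recent}
            if len(users) < min_users:
                continue
            alert = alerts.setdefault(ip, {"distinct_users": 0, "compromised": set()})
            alert["distinct_users"] = max(alert["distinct_users"], len(users))
            alert["compromised"] |= {e[2] for e in recent if e[3] == "OK"}

    for alert in alerts.values():
        alert["compromised"] = sorted(alert["compromised"])
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {alert['distinct_users']} usernames tried in one window; "
              f"successful logins: {alert['compromised']}")
```

The ordinary user never trips the rule because the count is of distinct usernames, not failures: three attempts on one account is a person, six accounts in six seconds is a list being replayed. In practice the successful logins in the alert are the accounts to force a password reset on.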
Myth 7: "Password managers are risky — putting all your eggs in one basket"
This is the worry I hear most, and it's understandable. But reputable managers encrypt everything so that only you, with your master password, can unlock the vault. The provider can't read your passwords, and neither can an attacker who only steals the encrypted data. Weigh that against the alternative most people fall back on — reusing a handful of passwords everywhere — and the manager is the safer basket by a wide margin.
So what should you actually do?
Forget the rituals and focus on three things that genuinely move the needle:
- Make every password long and unique. Generate them rather than inventing them — try our free password generator, which builds random passwords right in your browser.
- Use a password manager so you never have to remember or reuse a single one.
- Switch on two-factor authentication wherever it's offered, starting with your email.
Do those three, and you've already left the old myths — and most attackers — behind.
Frequently asked questions
Should I change my passwords every month?
No. Routine forced changes tend to push people toward weaker, predictable variations. Change a password when there's a reason to — a breach, a shared device or a suspicion it has leaked — and otherwise keep a long, unique password for each account.
Does adding symbols make a password much stronger?
A little, but length and unpredictability matter far more. A long passphrase of random words is usually stronger than a short password stuffed with symbols, and much easier to live with.
Is writing a password down always a bad idea?
Not necessarily. A password kept on paper at home is safe from remote attackers. The bigger risk is reusing one password everywhere. A password manager is better still, because it can store unique passwords for every site.
Are password managers safe to trust?
Reputable password managers encrypt your data so only you can read it, and they remove the temptation to reuse passwords. For most people the security gain far outweighs the risk of using one.
This article is general security education, not professional advice.