Opinion: Passwords as a concept are completely broken
One of my pet dislikes in this industry is the way we handle passwords. I’ve thought that, as a concept, they are completely broken and have been for a long time.
We tell users:
- Pick something really complex
- Don’t write it down
- Change it regularly
- Use a different password for each site, and often for each role that you hold in each site
- Deal with the fact that we apply different rules for passwords on each site
etc, etc.
Is this even humanly possible?
I don’t think it is. Yet we blame the users when they get it wrong. How can they be getting it wrong when we design a system that requires super-human ability to comply?
These guys are potential exceptions: [World Memory Championships](https://www.worldmemorychampionships.com/)
We are the ones that are getting it wrong, and it’s long overdue that we, as an industry, fix the situation instead of assuming that users should just deal with it and then blaming them when they can’t.
2026-04-16