Everything you've been told about passwords is a lie. Here's what to do instead

The whole system of online passwords is dumb and unsafe.

Demanding that you create a unique, complicated password on hundreds of digital accounts is error-prone and annoying. Most of the advice you hear about passwords - including from technology journalists like me — is unrealistic, scolding and sometimes outdated.

I have tips for upgrading your password practices, including if you're dealing with a recent breach of a password vault called LastPass. I know that tending to your online security is a hassle. But if you make one small improvement, you can declare victory.

I also want you to have this long-term mission in mind: Passwords must die.

There is hope. Just in the past few months, more websites and apps have started to let you ditch your password entirely. Instead your phone, fingerprint or face are proof that you are you.

Technologists have been promising a password-less future for a long time. This won't happen soon. But internet security is broken beyond repair. We need to move past the password.

In the meantime, you are a security star if you take just one of these steps:

To create the best password, try to make it at least 16 characters. The more characters, the more time hackers need to guess your password. Don't worry so much about having a bunch of symbols, capital letters and numbers.

Security experts recommend using memorable phrases as passwords, with a twist. If you like nursery rhymes, try the password, "L1ttleMi$sMuffetSatOnATuffet," with a number and symbol replacing a couple of letters. Or mush together four words into nonsense like "TumblerElbowMerinoWoodpecker."

Not every online account lets you set up passphrases like that, because of requirements derived from obsolete government security guidelines.

Again, there is too much individual responsibility and blame on you. You know you're not supposed to create easy-to-guess passwords like "RedSox04" or reuse your passwords on multiple sites. But no human can invent and remember hundreds of complex passwords.

Try to prioritize by creating strong passwords or passphrases for your most important accounts such as email, financial accounts and password managers. (More on them in a minute.)

Needing a password plus a second step to log into an account - such as a code that is texted to you - protects you much better than logging in with just a password.

If you can manage it, add two-step authentication to your essential accounts like email, social media and your bank accounts.

This is common online security advice that most people don't take. Don't blame yourself. It takes work and not all online accounts let you use two-step authentication. (This website lets you look up the options for websites and apps you use.)

Using a dedicated app for one-time codes like Authy, Microsoft Authenticator or Google Authenticator is more secure than receiving codes by text. But don't get too hung up on those details.

Use a password manager if you can

You create a single password to your password vault, and these services save the rest.

Password managers aren't foolproof. I'd also rather scrub my bathtub than set them up. But they are a smart investment in your online security.

I have used Dashlane for years, and while it's not cheap - I pay about $65 a year - I find it easy to use and worth the peace of mind. It also delights me by typing in passwords and credit card numbers automatically.

As a backup to memorizing my Dashlane passphrase, I have it written down on two slips of paper, one that I keep in my desk drawer and another in my wallet.

If you're thinking, what if a thief steals my wallet and has access to all my passwords? Is it safe to store all your passwords in one place? Nothing is zero risk. But anything you do with a password manager is probably a security upgrade. Please don't try to be perfect.

A caveat about LastPass

LastPass, one of the better-known password management services, recently disclosed that hackers stole copies of usernames and passwords.

LastPass told customers that they're probably safe because essential information including passwords was scrambled. That makes it harder for crooks to make sense of what they stole.

But Chester Wisniewski, an internet security researcher with the firm Sophos, told me that he's alarmed about years of red flags with LastPass. He recommended that users consider switching to an alternative.

Wisniewski said he feels confident in password managers 1Password, Bitwarden and Dashlane.

Wisniewski also said that LastPass might still be a good option for you. An alternative like using your child's name as your password is far less secure.

The future you want: No passwords

Have I mentioned that the system of passwords is dumb and you can only do so much to protect yourself in this broken system? Yes?

Here's where things start to get promising.

Some companies, including Microsoft, Best Buy and PayPal, have started to give you the option of accessing your account with no password.

Last week, I deleted the password from my Microsoft account and asked to log in without a password. Now when I tap on Skype on my Android phone or use Outlook email on my computer, I am prompted to confirm a two-digit number I can see in the Microsoft Authenticator app on my phone. (I need to unlock the Authenticator app with my fingerprint.) That's it.

Microsoft told me that nearly half a million people have removed the password from their accounts and opted to log in without a password.

This password-less system, which the technology industry is calling "passkeys," is now baked into Android phones, iPhones, personal computers and major web browsers.

For now, going without a password isn't seamless. When I created a PayPal account in the iPhone app and confirmed I wanted to use iPhone's FaceID to log in, I still needed to create a password. Still, the technology is getting there.

It's worth rooting for passkeys to kill the password system for good, although this will take many years.

Even better, it's simpler to access your accounts with just your device, finger or face. It's not a problem if you lose your phone or computer. And logging in without a password will become easier over time.

If your accounts give you the option of the password-less log in called passkeys, definitely try it.

I usually roll my eyes when I hear that magical technology will fix a broken existing technology. In this case, yeah, passkeys might be the magic fix.

You can make yourself safer within the stupid password system we have today. But it's even better to end the tyranny of passwords forever.

One tiny win

With the help of Dashlane, I made longer passwords to my Google account and my financial accounts. I also replaced the 10-character Dashlane password with a 20-character passphrase of four mushed-together words.