
Passwords and Logging In


Logging In With Backbone

Digital security doesn't have to be complicated. It becomes strong as soon as you repeat a few fixed choices consistently.

In Passwords and Logging In, what matters most is robust identity: strong authentication, reliable session management, and minimal privilege.

The goal is not perfection, but predictably safe behavior that holds up even on busy days.

Immediate measures (15 minutes)

Why this matters

The core of Passwords and Logging In is risk reduction in practice. Technical context supports the choice of measures, but implementation and assurance are central.

The night 32 million passwords were exposed

In December 2009, a hacker broke into RockYou, a company that made games for Facebook. Not particularly noteworthy, you might think. But RockYou had a peculiarity: they had stored the passwords of all their 32 million users in plain text. No encryption, no protection, just a gigantic file with passwords next to email addresses.

The file leaked. And with that, researchers got their first unfiltered look at how people choose their passwords. The result was -- how do you put it politely -- disappointing.

The most commonly used password? 123456. Followed by 12345, 123456789, password, and iloveyou. More than a million people had chosen 123456. A million people all thought: this is probably secure enough.

That was in 2009. And do you know what the most commonly used password is in 2025? Still 123456. In sixteen years, we have learned absolutely nothing.

Until now. Because after this chapter, you'll know how to do it right.

Why "Welcome123!" is not a good password

Let's start with an uncomfortable truth. Most people think their password is hard to guess. It isn't.

An attacker who wants to crack passwords doesn't type them one by one. They use a computer that can try millions of combinations per second. And that computer doesn't start at aaaaaa. It starts with a list of the most common passwords in the world.

Here is a simplified overview of how quickly a password can be cracked:

Password | Crack time
123456 | Less than 1 second
Welkom123! | Less than 1 second (on every wordlist)
Zomer2024 | A few seconds
P@ssw0rd! | Less than 1 second
kaas | Less than 1 second
mijnkatMiesjeisLief | Hours to days
correcte-paard-batterij-nietje | Centuries

Notice the pattern. It's not about capital letters, exclamation marks, or replacing an 'o' with a zero. Computers know that trick too. What works is length and unpredictability.

The hard truth: An eight-character password with uppercase letters, lowercase letters, digits, and symbols has fewer possible combinations than a password of five ordinary English words strung together. Length always beats complexity.

What makes a password actually strong?

Forget everything you've ever learned about passwords with mandatory capital letters and special characters. Those rules are outdated. Even the American National Institute of Standards and Technology (the organization that originally came up with those rules) withdrew them in 2017.

The modern approach is called: passphrases.

Instead of K@tje!42, you use a sentence of random words. For example:

  • "bicycle lamp castle tuesday"
  • "coffee sunflower slipper Nigeria"
  • "the cat wore a top hat to the baker"

Four or five random words. That's all. No exclamation marks needed. No digits needed. The length does the work.

How do you choose good words?

The words must be random. Not your favorite football club followed by your birth year. Not the name of your cat plus your street name. Random.

A fun method: grab a dictionary, a newspaper, or a magazine. Open random pages and point at a word with your eyes closed. Do that four or five times. Done.

Tip: A passphrase is easier to remember and harder to crack than a short, complicated password. "crocodile insurance hydrogen piano" is millions of times safer than "Cr0c0d!l1".
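As an added example (not from the original page), this Python block puts numbers on the crack-time table and the "length beats complexity" claim, and generates a passphrase with a cryptographic random source rather than the dictionary-pointing method above. The twelve-word list is constructed for the demo; the 7776-word size and the guess rate of ten billion per second are assumptions (a Diceware-style list, an offline attack on a fast hash).

```python
import math
import secrets

# Constructed mini word list for the demo; a real Diceware-style list has 7776 words.
SAMPLE_WORDS = ["bicycle", "lamp", "castle", "tuesday", "coffee", "sunflower",
                "slipper", "crocodile", "insurance", "hydrogen", "piano", "baker"]

def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for `length` independent, uniformly random picks from `alphabet_size`."""
    return length * math.log2(alphabet_size)

def crack_time_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to find the secret: on average half the keyspace must be tried."""
    return (2 ** bits) / 2 / guesses_per_second

def generate_passphrase(words, count: int = 5, separator: str = " ") -> str:
    """Pick `count` words with the OS CSPRNG; `random.choice` would be predictable."""
    return separator.join(secrets.choice(words) for _ in range(count))

def compare(guesses_per_second: float = 1e10) -> dict:
    """8 characters from the 95 printable ASCII symbols vs. 5 words from a 7776-word list."""
    complex8 = entropy_bits(95, 8)      # ~52.6 bits
    words5 = entropy_bits(7776, 5)      # ~64.6 bits
    year = 365.25 * 24 * 3600
    return {
        "complex8_bits": round(complex8, 1),
        "words5_bits": round(words5, 1),
        "complex8_years": crack_time_seconds(complex8, guesses_per_second) / year,
        "words5_years": crack_time_seconds(words5, guesses_per_second) / year,
    }

if __name__ == "__main__":
    print(generate_passphrase(SAMPLE_WORDS))
    for key, value in compare().items():
        print(f"{key}: {value:.3g}")
```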

Password managers: your digital vault

"But I have hundreds of accounts! I can't possibly remember a separate passphrase for every account?"

Correct. And you don't have to. That's what password managers are for.

A password manager is a program that stores all your passwords in an encrypted vault. You only need to remember one password: the master password of the vault itself. For that one password, you create a good, long passphrase. The program handles the rest.

What does a password manager do?

  • Stores all your passwords securely encrypted
  • Generates strong, unique passwords for every account
  • Automatically fills in your login credentials on websites
  • Warns you if a password has been leaked in a data breach
  • Works on your computer, phone, and tablet

Which one to choose?

Password manager | Price | Works on | Notable features
Bitwarden | Free (basic version) | Everything | Open source, very reliable
KeePass | Free | Everything (via apps) | Storage on your own device, nothing in the cloud
1Password | Paid (approx. 3 euros/month) | Everything | User-friendly, family plan
Your browser's built-in manager | Free | Only that browser | Better than nothing, but a standalone manager is safer

Recommendation for beginners: Start with Bitwarden. It's free, works on all devices, and the company has an excellent reputation. Install the app on your phone and the extension in your browser.

Step by step: Setting up Bitwarden

  1. Go to bitwarden.com and create an account
  2. Choose a strong master password -- this is the only passphrase you need to remember, so make it a good one (four or five random words)
  3. Install the Bitwarden app on your phone (via the App Store or Google Play)
  4. Install the Bitwarden extension in your browser (Chrome, Firefox, Safari, or Edge)
  5. Start saving your passwords. Every time you log in somewhere, Bitwarden offers to save the password
  6. Gradually replace your old, weak passwords with strong generated passwords

Two-factor authentication: the extra lock on your door

Imagine someone somehow finds out your password. Through a data breach, by looking over your shoulder, or because you accidentally entered it on a phishing site (see chapter 1).

If you only have a password, that person is now in. But if you have two-factor authentication enabled -- often abbreviated as 2FA -- then that person still doesn't have enough.

Two-factor authentication means: besides your password (something you know), you need a second proof. Something you have. Usually, that's your phone.

The three types of 2FA

Method | How it works | Security
SMS code | You receive a text message with a code that you must enter | Better than nothing, but not ideal -- text messages can be intercepted
Authenticator app | An app on your phone generates a new code every 30 seconds | Good -- works even without an internet connection
Hardware key | A physical device (e.g., a YubiKey) that you plug into your computer or hold against your phone | Excellent -- virtually impossible to hack

Which method to choose?

For most people, an authenticator app is the best balance between security and convenience. The most popular options:

  • Microsoft Authenticator (free, works everywhere)
  • Google Authenticator (free, simple)
  • Esso / Authy (free, with backup capability)

Tip: Prefer an authenticator app over SMS. In rare cases, criminals can take over your phone number (an attack called "SIM-swapping"), and then they receive your SMS codes.

Step by step: Enabling 2FA

  1. Install an authenticator app on your phone
  2. Log in to the account you want to secure (e.g., your email)
  3. Go to the security settings of that account
  4. Look for "two-step verification," "two-factor authentication," or "2FA"
  5. Choose the option "authenticator app"
  6. Scan the QR code that appears with your authenticator app
  7. Enter the code the app displays to confirm it works
  8. Save the recovery codes you receive in a safe place (on paper, in a drawer). If you lose your phone, you'll need them

Where should you absolutely enable 2FA?

Start with your email (whoever gets in can reset all your other passwords), then your DigiD, your password manager, and your social media. Your bank probably already has it by default via the app.

Passkeys: the future without passwords

There is good news. The technology world is working toward a world without passwords. The solution is called passkeys.

A passkey is a digital key stored on your device. When you want to log in, you prove it's you with your fingerprint, facial recognition, or your phone's PIN code. No password to remember. Nothing to type. Nothing to phish.

Here's how it works:

  1. You create an account on a website that supports passkeys
  2. Instead of choosing a password, you create a passkey
  3. Your phone or computer stores the key securely
  4. When you want to log in, you confirm with your fingerprint or face
  5. Done

Apple, Google, and Microsoft already support passkeys in their operating systems and browsers. More and more websites are offering it: Google, Microsoft, Amazon, eBay, PayPal, and many others.

Tip: If a website gives you the option to set up a passkey, do it. It's safer than any password, and it's easier to use.

Passkeys are not yet available everywhere, so you'll still need passwords for now. But start using them where you can, and you'll be ready for the future.

DigiD: your digital identity document

DigiD is special. It's not just an account -- it's the key to your tax return, your health insurance, your pension, your municipal affairs. If someone gains access to your DigiD, that person can handle government matters on your behalf.

Secure your DigiD in three steps

  1. Use the DigiD app instead of just a password. The app automatically adds a second factor via your phone.
  2. Enable SMS verification as extra security. Go to mijn.digid.nl and activate this under "Login."
  3. Choose a strong password -- a passphrase of four or more words. Don't use this password anywhere else.

Note: The government, the Tax Authority, or your municipality will never ask you by email or text message to enter your DigiD credentials. If you receive such a message, it is always phishing. Always.

DigiD security levels

Level | What it entails | When needed
Basic | Username + password | Simple matters
Medium | App or SMS verification | Tax returns, health matters
Substantial | DigiD app with identity document | Official documents
High | DigiD app with identity document + PIN code | Highly sensitive matters

Aim for at least the "Medium" level by installing and activating the DigiD app.

Password reuse: the domino effect

This is perhaps the most important message of this entire chapter.

Never use the same password for multiple accounts.

Never. Truly never.

Here's why. Suppose you use the same password for your email, Facebook, an online shop, and an old forum. That forum gets hacked. The attackers now have your email address and password. What do they do? They try that same combination at hundreds of other websites. Gmail, Facebook, Amazon, PayPal, your bank. This is called credential stuffing -- "stuffing" stolen login credentials into other services. And it works astonishingly well. That one domino falls, and the rest follows.

How do you know if your data has been leaked?

Go to haveibeenpwned.com -- a free, reliable website run by security researcher Troy Hunt. Enter your email address and you immediately see whether it appears in known data breaches.

Tip: Don't panic if your email address appears in one or more breaches. That applies to most people. The most important thing is what you do about it: change the password of every service that appears in the breach, and make sure you use a unique password everywhere.
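The same site also lets a password manager check a password against breach data without ever sending it (this is how the "warns you if a password has been leaked" feature works): the password is hashed with SHA-1, only the first five hex characters go to the range endpoint, and the matching is done locally on the suffixes that come back. As an added example (not from the original page), here is that k-anonymity check in Python; the range reply is constructed for the demo and its counts are made up, and the one network function is an assumption about the public API layout and is only used when run directly.

```python
import hashlib
import urllib.request
from typing import Callable

def split_hash(password: str) -> tuple[str, str]:
    """SHA-1 the password; only the 5-char prefix leaves the device, the 35-char suffix stays."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (the range reply format) into a suffix -> count table."""
    table: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue                      # skip blank or malformed lines
        suffix, count = line.split(":", 1)
        table[suffix.upper()] = int(count)
    return table

def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Times the password appeared in breaches (0 if never), matched locally on the suffix."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)

def http_fetch_range(prefix: str) -> str:
    """Live lookup (assumed API layout: GET /range/{prefix}); not used by the offline demo."""
    with urllib.request.urlopen(f"https://api.pwnedpasswords.com/range/{prefix}") as resp:
        return resp.read().decode("utf-8")

# Constructed stand-in for the reply to /range/5BAA6 (SHA-1 of "password" starts with 5BAA6).
# The counts are invented; a real reply has hundreds of lines.
SAMPLE_RANGE = "\n".join([
    "003D68EB55068C33ACE09247EE4C639306B:3",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
    "FFFFF7A1B2C3D4E5F60718293A4B5C6D7E8:1",
])

def offline_fetch(prefix: str) -> str:
    """Serves the constructed reply for the one prefix it knows, an empty reply otherwise."""
    return SAMPLE_RANGE if prefix == "5BAA6" else ""

if __name__ == "__main__":
    for pw in ("password", "correcte-paard-batterij-nietje"):
        print(pw, "->", breach_count(pw, offline_fetch))
```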

The password hierarchy

Not all accounts are equally important. Don't treat them that way.

Level | Examples | What you need
Critical | Email, DigiD, password manager, banking | Strong passphrase + 2FA + regular checks
Important | Social media, online shops with payment details, cloud storage | Unique generated password + 2FA where possible
Other | Forums, newsletters, one-time accounts | Unique generated password

The core rule: Every account gets its own password. No exceptions. Your password manager makes this effortless.

Common mistakes

Mistake | Do this instead
Passwords on a Post-it by your screen | Use a password manager
Passwords in a Word file or note app | Use a password manager (it's encrypted)
Sharing passwords via WhatsApp or email | Share via your password manager (it has a sharing feature)
Using the same password everywhere | Every account gets its own password
Logging in on public computers | Avoid it; use your own phone

Do this today

These are the most important steps you can take right now, in order of impact.

You don't have to do everything at once. Start today with your email and your password manager. Replace a few passwords every week. In a month, you'll have a digital life that is a hundred times safer than yesterday. And the only thing you need to remember is that one passphrase.
