The end of the password era, but not the end of data security

Password risks, and how zero-knowledge proofs provide a next-generation solution

6 mins read

Not so long ago, a password felt like the ultimate key to everything: from your email inbox to your bank account. We used to believe that coming up with something “clever” was enough to stay safe.

But today, that’s more of an illusion than real protection.

Passwords aren’t weak just because people choose 123456 or qwerty. Their biggest flaw lies in the way they’re stored. When the keys to all the apartments are kept in one safe, you only need to crack that safe once — and suddenly you own every door.

Why passwords are crumbling

People crave simplicity. Memorizing a long mix of letters, numbers, and symbols is a hassle, so most choose something quick and easy. But even if you've been disciplined enough to create a complex password, it (or, at best, a hash of it) is still stored in a company's database.

And databases get hacked.

Regularly.

Password leaks: A few stories to consider

  • McDonald's, 2025: An AI-powered hiring chatbot's admin panel was running with the login Admin and the password 123456. The result? Over 64 million job applications exposed, including phone numbers, email addresses, education, and work history. [1]
  • Yahoo, 2013: Still the largest known breach in history, disclosed in 2016 and revised upward in 2017: over 3 billion accounts compromised, including hashed passwords and security questions. [2]

These stories have one big thing in common: even corporations with multi-million-dollar cybersecurity budgets aren’t immune to failure.

Best practices for password storage

Even though we’re moving past passwords, they’re still widely used. So it’s worth understanding how to store them properly — especially if you run a platform or app.

Never store passwords as plain text

Passwords should never be stored directly, only as the output of a slow, memory-hard password hashing function such as bcrypt, scrypt, or Argon2id. Hashing is one-way: the server can check a login attempt by recomputing the hash, but an attacker who steals the database cannot reverse it and has to guess each password, paying the full cost of the function for every guess.

Add salt

A salt is a random value, unique per user, mixed into the hash. It ensures that even if two users choose the same password, their hashes will be different, and it defeats rainbow table attacks (precomputed hash-to-password lookups), since every salt would need its own table. Modern functions such as bcrypt, scrypt, and Argon2 generate and embed the salt for you; a single site-wide secret is not a substitute for a per-user salt.

Use key stretching

Key stretching means running the hash with a deliberately high work factor (bcrypt's cost, Argon2's memory and time parameters) so that each guess costs the attacker milliseconds and megabytes instead of nanoseconds. It makes offline brute-force attempts significantly slower, buying you time to detect a breach and reset credentials. Tune the cost to your hardware, and raise it as hardware gets faster.
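Here is what those three rules look like in code. This is an added illustration, not code from NymVPN or the article: it uses Python's built-in hashlib.scrypt (a memory-hard function in the same family as Argon2) with cost parameters chosen for the example, and contrasts it with the unsalted SHA-256 storage that breach dumps so often reveal. The sample password is made up.

```python
import hashlib
import hmac
import os

# Cost parameters assumed for this example: 16 MiB of memory and roughly tens of
# milliseconds per hash on a laptop. Tune upward for production hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16
KEY_BYTES = 32


def unsalted_sha256(password: str) -> str:
    """The common mistake: fast, deterministic, no salt. Two users with the same
    password get the same hash, and one rainbow table cracks the whole dump."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str) -> str:
    """Random per-user salt plus memory-hard key stretching. The record is
    self-describing so the cost can be raised later without breaking old hashes."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_BYTES)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored parameters and salt; compare in constant time."""
    algo, n, r, p, salt_hex, digest_hex = record.split("$")
    if algo != "scrypt":
        raise ValueError(f"unsupported record format: {algo}")
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=KEY_BYTES)
    return hmac.compare_digest(digest.hex(), digest_hex)


def same_password_same_hash(password: str, hasher) -> bool:
    """Does storing the same password twice yield identical database values?"""
    return hasher(password) == hasher(password)


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    print("unsalted identical:", same_password_same_hash(pw, unsalted_sha256))  # True
    print("salted identical:  ", same_password_same_hash(pw, hash_password))    # False
    rec = hash_password(pw)
    print(rec)
    print("login ok:", verify_password(pw, rec), "| wrong password:", verify_password("123456", rec))
```

Notice that the stored record never contains the password, two users with the same password get unrelated records, and verification is a recomputation rather than a lookup. Swapping in Argon2id via a library changes only the two hashing calls.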

Still, even with these practices, the mere fact that user credentials are stored on servers makes them a potential target. Which is why the goal should be to eliminate password storage altogether.

Best practices for password construction and re-use

If you must use passwords, here’s how to do it safely:

Use long, random passwords

Length beats complexity. A random 20-character password is far more secure than a short one padded with symbols, because the number of possible passwords grows exponentially with length but only modestly with the size of the character set. Example (don't use this one): qH7T#sY9!GmK3*vBxZlP
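The "length beats complexity" claim in numbers, as an added example rather than anything from the article: the guessing space of a uniformly random password is alphabet_size to the power of length, so entropy grows linearly with length and only logarithmically with the alphabet. The generator below draws from the OS CSPRNG via the secrets module; the alphabet sizes are the ones used in the comparison.

```python
import math
import secrets
import string

# 26 lowercase + 26 uppercase + 10 digits + 32 punctuation = 94 printable symbols
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = FULL_ALPHABET) -> str:
    """One uniformly random symbol per position from the OS CSPRNG.
    Never use random.choice for this: it is predictable."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """log2(alphabet_size ** length): how many yes/no questions an attacker
    must answer on average to pin the password down."""
    return length * math.log2(alphabet_size)


def compare() -> dict[str, float]:
    """Three common shapes side by side."""
    return {
        "8 chars, full 94-symbol alphabet": entropy_bits(8, 94),
        "16 chars, lowercase only": entropy_bits(16, 26),
        "20 chars, full 94-symbol alphabet": entropy_bits(20, 94),
    }


if __name__ == "__main__":
    for shape, bits in compare().items():
        print(f"{shape:36s} {bits:6.1f} bits")
    print("sample:", generate_password(20))
```

An 8-character password with symbols lands around 52 bits; a 16-character lowercase-only one around 75; the 20-character random one around 131. Each extra bit doubles the attacker's work, which is why doubling length matters far more than adding a symbol or two.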

Avoid re-using passwords

One reused password = access to all your accounts. After a leak, attackers automatically replay the leaked email and password pairs against other sites, a technique called credential stuffing.

Use a password manager

This helps you generate and store unique, strong passwords for every site, reducing your mental burden and boosting security.

But even the best password is still just... a password. It can be guessed, phished, leaked, or brute-forced.

What is Multi-Factor Authentication and why is it important?

Multi-Factor Authentication (MFA) adds a second (or third) layer of protection by combining factors from different categories: something you know (a password), something you have (a device or hardware key), and something you are (biometrics). For example:

  • Password + SMS code
  • Password + mobile authenticator app (TOTP)
  • Password + fingerprint scan

MFA significantly reduces the chance of account takeover, especially when a password has already been leaked or stolen. But it's not perfect:

  • SMS codes can be intercepted via SIM swap attacks
  • SMS and app-generated codes can be phished in real time by a fake login page that relays them to the real site
  • Authenticator apps are only as secure as the device they live on

Still, MFA is a must-have when using password-based systems. It's the equivalent of putting a deadbolt on your door instead of relying on a simple latch.

The core flaw of the old password model

A password is a single key. You hand it to someone else and hope they keep it safe. But if they fail, a stranger gets access to your “home.” So here’s the question: should you really trust anyone else with your only key?

When accounts disappear: The NymVPN Approach

Imagine a service with:

  • No logins
  • No passwords
  • No massive credential databases to hack

Instead of traditional accounts, NymVPN uses a seed phrase: a unique sequence of words from which your private keys are derived. This means you don't register, you don't create a username or password, and you don't depend on any centralized authority to manage your identity.

What Is a seed phrase?

A seed phrase (also called a recovery phrase or secret phrase) is a sequence of usually 12 or 24 randomly generated words. It encodes the random entropy behind your cryptographic identity and is the only input needed to regenerate your private keys.

Example (don’t use this one):

acoustic banana fluid melt virus black turtle flavor cement famous onion swim

This phrase is only shown to you during setup. It's never stored on a NymVPN server or transmitted over the internet. You are the sole owner and custodian of this phrase, which also means there is no "forgot my phrase" button: anyone who holds it holds the identity, and without it the identity cannot be recovered.

Why it’s more secure

Because there’s nothing stored on a server, even if NymVPN were hacked, there’s nothing for attackers to steal:

  • No database of user credentials
  • No session logs tied to identities
  • No recovery emails that can be spoofed

The seed phrase exists only on your device, and ideally you also keep a backup offline: written on paper, or saved in a secure password manager or hardware wallet.

How it grants access

Each time you open [NymVPN](/blog/what-is nymvpn), you can:

  • Enter your seed phrase to re-generate your access credentials
  • Or store it locally (encrypted) so you don’t have to enter it every time

The seed is used to derive a cryptographic identity that proves who you are — without needing to "log in" or prove your email address to anyone.

This method ensures that:

  • Only you can access your VPN identity
  • You can recover your access on any device using your seed phrase
  • Your digital identity is portable, decentralized, and resistant to censorship
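As an added illustration (not NymVPN's own code, and not a statement about which derivation Nym uses), here is how a 12- or 24-word phrase of this kind is built and turned into key material under BIP39, the scheme most wallets follow: random entropy plus a short checksum is cut into 11-bit word indices, and the phrase is stretched with PBKDF2 into a 64-byte seed from which keys are derived. The 2048-word list is not embedded, so the functions work on word indices (index 0 is "abandon", index 3 is "about"); the child-key label is an assumption made for the example.

```python
import hashlib
import hmac
import secrets
import unicodedata

# 12 words carry 128 bits of entropy + 4 checksum bits; 24 words carry 256 + 8.
VALID_ENTROPY_BYTES = (16, 20, 24, 28, 32)


def entropy_to_word_indices(entropy: bytes) -> list[int]:
    """BIP39 encoding: append the first (bits/32) bits of SHA-256(entropy) as a
    checksum, then cut the bit string into 11-bit groups, each an index into
    the 2048-word list."""
    if len(entropy) not in VALID_ENTROPY_BYTES:
        raise ValueError("entropy must be 128..256 bits in 32-bit steps")
    checksum_len = len(entropy) * 8 // 32
    checksum = "".join(f"{b:08b}" for b in hashlib.sha256(entropy).digest())[:checksum_len]
    bits = "".join(f"{b:08b}" for b in entropy) + checksum
    return [int(bits[i:i + 11], 2) for i in range(0, len(bits), 11)]


def word_indices_to_entropy(indices: list[int]) -> bytes:
    """Decode and verify. A mistyped or fabricated phrase fails the checksum,
    so a wallet can refuse it before deriving anything from it."""
    if not indices or any(not 0 <= i < 2048 for i in indices):
        raise ValueError("word index out of range")
    bits = "".join(f"{i:011b}" for i in indices)
    checksum_len = len(bits) // 33
    entropy_bits = bits[:-checksum_len]
    entropy = int(entropy_bits, 2).to_bytes(len(entropy_bits) // 8, "big")
    if entropy_to_word_indices(entropy) != indices:
        raise ValueError("checksum mismatch: not a valid seed phrase")
    return entropy


def is_valid_phrase(indices: list[int]) -> bool:
    try:
        word_indices_to_entropy(indices)
        return True
    except ValueError:
        return False


def mnemonic_to_seed(phrase: str, passphrase: str = "") -> bytes:
    """BIP39 seed: PBKDF2-HMAC-SHA512, 2048 rounds, salt 'mnemonic' + optional
    passphrase. The 64-byte result is the root of every key of the identity."""
    pw = unicodedata.normalize("NFKD", " ".join(phrase.split())).encode()
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode()
    return hashlib.pbkdf2_hmac("sha512", pw, salt, 2048, dklen=64)


def derive_private_key(seed: bytes, label: bytes = b"example-identity") -> bytes:
    """One deterministic child key: HMAC-SHA512 keyed with a domain label over the
    seed, first 32 bytes (the shape of BIP32's master-key step). `label` is an
    assumption for this example. Same phrase on any device -> same key, so nothing
    is stored server-side and nothing needs an email reset."""
    return hmac.new(label, seed, hashlib.sha512).digest()[:32]


if __name__ == "__main__":
    indices = entropy_to_word_indices(secrets.token_bytes(16))  # fresh 12-word identity
    print("word indices:", indices, "valid:", is_valid_phrase(indices))
    phrase = " ".join(["abandon"] * 11 + ["about"])  # the all-zero-entropy test phrase
    seed = mnemonic_to_seed(phrase)
    print("seed:", seed.hex()[:32] + "...", "key:", derive_private_key(seed).hex()[:16] + "...")
```

The checksum is why a mistyped phrase is rejected rather than silently opening a different, empty identity; the PBKDF2 step is why the phrase itself, not a server record, is the root of trust: anyone holding it regenerates every key, and nobody without it can.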

This approach isn’t just a clever login method — it’s a paradigm shift in how identity and privacy work online.

What’s Next

Passwords belong to the past. Today, they’re a primary target for attackers. Tomorrow, they’ll likely be remembered only in cybersecurity history books.

The future lies in a model where your access key belongs solely to you — and you no longer depend on someone else’s servers to protect it.

References

[1] Wired

[2] Reuters
