Why passwords are crumbling
People crave simplicity. Memorizing a long mix of letters, numbers, and symbols is a hassle, so most people choose something quick and easy. But even if you've been disciplined enough to create a strong password, the service you log into still has to keep a record of it (ideally only a hash of it) in its database.
And databases get hacked.
Regularly.
Password leaks: A few stories to consider
- McDonald’s, 2025: An AI-powered hiring chatbot was accessible with the login Admin and the password 123456. The result? Over 64 million job applications were left exposed, including phone numbers, email addresses, education, and work history. [1]
- Yahoo, 2013: The largest breach on record: all 3 billion Yahoo accounts compromised, including passwords hashed with the weak MD5 algorithm, plus security questions and answers. [2]
These stories have one big thing in common: even corporations with multi-million-dollar cybersecurity budgets aren’t immune to failure.
Best practices for password storage
Even though we’re moving past passwords, they’re still widely used. So it’s worth understanding how to store them properly — especially if you run a platform or app.
Never store passwords as plain text
Passwords should always be hashed with a dedicated password-hashing function such as bcrypt, scrypt, or Argon2id, never with a fast general-purpose hash like MD5 or SHA-256. These functions are deliberately slow (and, for scrypt and Argon2, memory-hungry), so an attacker who steals the database has to pay real compute for every guess instead of testing billions of candidates per second.
Add salt
Salting means adding a unique random value (16 bytes is typical) to each password before hashing, so two users with the same password end up with different hashes. This defeats rainbow tables and any other precomputed lookup, and forces an attacker to crack every hash individually. The salt is not secret; it is stored next to the hash.
Use key stretching
Key stretching runs the hash function through many rounds, or with a tunable work factor, so that each guess costs tens to hundreds of milliseconds instead of nanoseconds. bcrypt, scrypt, and Argon2 have this built in: pick the cost so a login takes a noticeable fraction of a second on your hardware, store the parameters alongside the hash, and raise them over time as attackers' hardware improves.
Still, even with these practices, a stolen table of hashes is a target: slow hashing raises the price of cracking weak passwords, it does not make them uncrackable. Which is why the goal should be to eliminate password storage altogether.
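Putting the three storage practices above together, here is an added example (not NymVPN's code) of a store-and-verify routine. It uses scrypt from the Python standard library because bcrypt and Argon2 need third-party packages; the `$scrypt$...` record format is this example's own choice, not a standard other libraries are guaranteed to parse.

```python
"""Salted, stretched password hashing with scrypt (Python standard library).

Added example, not NymVPN's code. The self-describing record format below
is an assumption of this example, not a standard every library parses.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional

# Cost parameters: 2**14 * 8 * 128 bytes = 16 MiB of memory per hash and tens
# of milliseconds of CPU. Raise N over time; needs_rehash() spots old records.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16
DKLEN = 32


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, salt: Optional[bytes] = None,
                  n: int = SCRYPT_N, r: int = SCRYPT_R, p: int = SCRYPT_P) -> str:
    """Return a self-describing record: $scrypt$n=..,r=..,p=..$salt$digest."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt  # fresh random salt per user
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=DKLEN)
    return f"$scrypt$n={n},r={r},p={p}${_b64(salt)}${_b64(digest)}"


def _parse(stored: str):
    _, algo, params, salt_b64, digest_b64 = stored.split("$")
    if algo != "scrypt":
        raise ValueError("unsupported hash: " + algo)
    kv = dict(item.split("=") for item in params.split(","))
    return (int(kv["n"]), int(kv["r"]), int(kv["p"]),
            base64.b64decode(salt_b64), base64.b64decode(digest_b64))


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    n, r, p, salt, expected = _parse(stored)
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                               n=n, r=r, p=p, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str) -> bool:
    """True if the record was made with weaker parameters than we use today."""
    n, r, p, _, _ = _parse(stored)
    return (n, r, p) < (SCRYPT_N, SCRYPT_R, SCRYPT_P)


def unsalted_sha256(password: str) -> str:
    """The anti-pattern: fast, unsalted, and identical for identical passwords."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    alice = hash_password("correct horse battery staple")
    bob = hash_password("correct horse battery staple")
    print("same password, different records:", alice != bob)
    print("same password, identical sha256:", unsalted_sha256("x") == unsalted_sha256("x"))
    print("login ok:", verify_password("correct horse battery staple", alice))
    print("login rejected:", verify_password("Correct horse battery staple", alice))
    old = hash_password("pw", n=2 ** 10)
    print("needs upgrade on next login:", needs_rehash(old))
```

On a successful login, check `needs_rehash` and, if it returns true, rehash the password you just verified with the current parameters: that is the only moment you hold the plaintext, so it is the only moment you can upgrade the record.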
Best practices for password construction and re-use
If you must use passwords, here’s how to do it safely:
Use long, random passwords
Length > complexity. Each additional random character adds more entropy than swapping letters for symbols: a random 20-character password drawn from the 94 printable ASCII characters has about 131 bits of entropy, while an 8-character one with symbols has about 52, well within reach of offline cracking against a stolen hash. The catch is the word random: a long string built from predictable pieces (a name plus a year) gets none of this benefit.
Example: qH7T#sY9!GmK3*vBxZlP
Avoid re-using passwords
A password reused across sites turns one breach into many. Attackers take the username and password pairs from a leak and try them automatically on every other popular site (called credential stuffing), so a single leaked password can open your email, banking, and social accounts in one pass.
Use a password manager
This helps you generate and store unique, strong passwords for every site, reducing your mental burden and boosting security.
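As an added example (not from the original article), the following Python shows the two checks behind the advice above: generate candidates with a cryptographic random source and measure their entropy, and reject anything that already appears in a breach corpus. The corpus here is a constructed five-entry toy list standing in for a real leak; the prefix lookup mirrors the k-anonymity range query used by breach-lookup services, and is this example's assumption about how such a query is shaped rather than any specific provider's API.

```python
"""Password generation with a CSPRNG, entropy arithmetic, and a breach check.

Added example, not NymVPN's code. The breach corpus is a constructed toy list.
"""
import hashlib
import math
import secrets
import string

PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def generate_password(length: int = 20, alphabet: str = PRINTABLE) -> str:
    """Use secrets, never random: random.choice is a predictable PRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


# Constructed toy breach corpus (stand-in for a real dump). Store only SHA-1
# hashes, as breach-lookup services do, bucketed by the first 5 hex digits.
_LEAKED = ["123456", "password", "qwerty", "letmein", "Summer2024!"]
BREACH_INDEX: dict[str, set[str]] = {}
for _pw in _LEAKED:
    _h = hashlib.sha1(_pw.encode()).hexdigest().upper()
    BREACH_INDEX.setdefault(_h[:5], set()).add(_h[5:])


def is_breached(password: str) -> bool:
    """Range query: only the 5-character prefix would leave the client;
    the suffix comparison happens locally, so the service never sees the hash."""
    h = hashlib.sha1(password.encode()).hexdigest().upper()
    return h[5:] in BREACH_INDEX.get(h[:5], set())


def acceptable(password: str, min_bits: float = 80.0) -> bool:
    """Signup policy: enough entropy if random over PRINTABLE, and not in a leak."""
    return entropy_bits(len(password), len(PRINTABLE)) >= min_bits and not is_breached(password)


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, round(entropy_bits(20, len(PRINTABLE)), 1), "bits")
    print("8 chars with symbols:", round(entropy_bits(8, len(PRINTABLE)), 1), "bits")
    print("Summer2024! acceptable:", acceptable("Summer2024!"))
```

The entropy figure is only meaningful for passwords that were actually generated at random; `acceptable` cannot tell a random 20-character string from `MyDogRexBornIn2015!!`, which is why the breach check and a password manager matter more than a length rule alone.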
But even the best password is still just... a password. It can be guessed, phished, leaked, or brute-forced.
What is Multi-Factor Authentication and why is it important?
Multi-Factor Authentication (MFA) requires two or more independent factors to log in, drawn from different categories: something you know (password), something you have (a phone or hardware key), and something you are (biometrics). Two passwords are not MFA; the factors must come from different categories.
For example:
- Password + SMS code
- Password + mobile authenticator app (TOTP)
- Password + fingerprint scan
MFA significantly reduces the chance of account takeover, especially in cases where passwords have been leaked or stolen.
But it’s not perfect:
- SMS codes can be intercepted via SIM swap attacks, or read by anyone with access to your messages
- Authenticator apps are only as secure as the device they live on
- Both SMS and TOTP codes can be phished in real time: a fake login page forwards your password and the six-digit code to the real site within the 30-second window. Only phishing-resistant factors such as FIDO2 security keys and passkeys, which bind the login to the genuine site's origin, close that gap
Still, MFA is a must-have when using password-based systems. It's the equivalent of putting a deadbolt on your door instead of relying on a simple latch.
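To make the TOTP option concrete, here is an added example (not NymVPN's code) of the RFC 6238 algorithm an authenticator app runs, plus the server-side check. It uses the RFC 6238 reference secret and the defaults most apps use (30-second step, SHA-1, six digits), and it shows the one mitigation a server can apply against the interception problem above: a code is accepted at most once, so a captured code that the attacker replays a few seconds later is rejected (a real-time relay that uses the code first is not stopped by this).

```python
"""TOTP (RFC 6238) generation and server-side verification with replay protection.

Added example, not NymVPN's code. SECRET is the RFC 6238 reference key,
used here as constructed demo input.
"""
import hashlib
import hmac
import struct
import time

SECRET = b"12345678901234567890"  # RFC 6238 reference secret (demo input)
STEP = 30


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: int, digits: int = 6, step: int = STEP) -> str:
    """The code shown at Unix time `at`: HOTP over the 30-second step counter."""
    return hotp(key, at // step, digits)


class TotpVerifier:
    """Accept the current step and one on either side (clock skew), but never
    accept a step at or before the last one used: each code is single-use."""

    def __init__(self, key: bytes, skew: int = 1):
        self.key, self.skew = key, skew
        self.last_counter = -1

    def verify(self, code: str, at: int) -> bool:
        now = at // STEP
        for counter in range(now - self.skew, now + self.skew + 1):
            if counter <= self.last_counter:
                continue  # replay of an already-consumed step
            if hmac.compare_digest(hotp(self.key, counter), code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    now = int(time.time())
    code = totp(SECRET, now)
    server = TotpVerifier(SECRET)
    print("first use accepted:", server.verify(code, now))
    print("replay 5s later accepted:", server.verify(code, now + 5))
```

The secret must be stored server-side to compute the same code, which is exactly why a breach of the authentication database is as serious for TOTP seeds as for password hashes: unlike a password hash, a TOTP seed cannot be stored in a one-way form.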
The core flaw of the old password model
A password is a single key. You hand it to someone else and hope they keep it safe. But if they fail, a stranger gets access to your “home.”
So here’s the question: should you really trust anyone else with your only key?
When accounts disappear: The NymVPN Approach
Imagine a service with:
- No logins
- No passwords
- No massive credential databases to hack
Instead of traditional accounts, NymVPN uses a seed phrase: a unique set of words from which your private key is derived. This means you don't register, you don't create a username or password, and you don't depend on any centralized authority to manage your identity.
What Is a seed phrase?
A seed phrase (also called a recovery phrase or secret phrase) is a sequence of usually 12 or 24 words drawn from a fixed wordlist. The words are not the secret itself: they encode a randomly generated number (128 bits for 12 words, 256 bits for 24, in the widely used BIP-39 format) plus a short checksum that catches a mistyped or misordered word. Your private keys are derived deterministically from that number, so the same phrase always reproduces the same keys, and anyone holding the phrase holds the keys.
Example (don’t use this one):
acoustic banana fluid melt virus black turtle flavor cement famous onion swim
This phrase is only shown to you during setup. It's never stored on a NymVPN server or transmitted over the internet. You are the sole owner and custodian of this phrase.
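The following is an added example, not NymVPN's code and not a statement about which scheme NymVPN uses, showing the mechanics behind a seed phrase in BIP-39 style: random entropy plus a checksum is split into 11-bit word indices, and the resulting sentence is stretched with PBKDF2-HMAC-SHA512 into a 64-byte seed from which keys are derived. The bit layout and the PBKDF2 parameters are BIP-39's; the wordlist is a generated placeholder of the right size (2048 entries), since the standard English list is too long to embed here.

```python
"""From random entropy to a word phrase to a seed, BIP-39 style.

Added example. WORDLIST is a placeholder standing in for the 2048-word
BIP-39 English list; the arithmetic is identical with the real list.
"""
import hashlib
import secrets

WORDLIST = [f"word{i:04d}" for i in range(2048)]   # placeholder, same size as BIP-39's list
WORD_INDEX = {w: i for i, w in enumerate(WORDLIST)}
BITS_PER_WORD = 11                                  # 2**11 == 2048


def entropy_to_mnemonic(entropy: bytes) -> list[str]:
    """16 bytes -> 12 words, 32 bytes -> 24 words. Checksum = first ENT/32 bits of SHA-256."""
    ent_bits = len(entropy) * 8
    if ent_bits not in (128, 160, 192, 224, 256):
        raise ValueError("entropy must be 16 to 32 bytes in 4-byte steps")
    cs_bits = ent_bits // 32
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    bits = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    total = ent_bits + cs_bits
    return [WORDLIST[(bits >> (total - BITS_PER_WORD * (i + 1))) & 0x7FF]
            for i in range(total // BITS_PER_WORD)]


def mnemonic_to_entropy(words: list[str]) -> bytes:
    """Reverse the encoding; reject a phrase whose checksum does not match."""
    total = len(words) * BITS_PER_WORD
    cs_bits = total // 33            # total = ENT + ENT/32, so CS = total/33
    ent_bits = total - cs_bits
    bits = 0
    for w in words:
        bits = (bits << BITS_PER_WORD) | WORD_INDEX[w]   # KeyError: word not in list
    entropy = (bits >> cs_bits).to_bytes(ent_bits // 8, "big")
    expected = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    if (bits & ((1 << cs_bits) - 1)) != expected:
        raise ValueError("checksum mismatch: a word is wrong or out of order")
    return entropy


def is_valid_mnemonic(words: list[str]) -> bool:
    try:
        mnemonic_to_entropy(words)
        return True
    except (ValueError, KeyError):
        return False


def mnemonic_to_seed(words: list[str], passphrase: str = "") -> bytes:
    """BIP-39 seed: PBKDF2-HMAC-SHA512, 2048 rounds, salt 'mnemonic' + passphrase.
    The seed is the root from which a wallet or client derives its private keys."""
    return hashlib.pbkdf2_hmac("sha512", " ".join(words).encode("utf-8"),
                               ("mnemonic" + passphrase).encode("utf-8"), 2048, 64)


if __name__ == "__main__":
    words = entropy_to_mnemonic(secrets.token_bytes(16))
    print(" ".join(words))
    print("seed:", mnemonic_to_seed(words).hex()[:32], "...")
    wrong = words[:-1] + [WORDLIST[WORD_INDEX[words[-1]] ^ 1]]
    print("one word off still valid?", is_valid_mnemonic(wrong))
```

Two consequences follow from the code. The server never needs the phrase: the client alone turns it into keys, so there is nothing credential-like to store centrally. And the checksum is only an error detector, not a secret: the 2048 words are public, so the entire security of the phrase is the 128 or 256 bits of entropy, which is why it must come from a cryptographic random source and never be chosen by hand.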
Why it’s more secure
Because there’s nothing stored on a server, even if NymVPN were hacked, there’s nothing for attackers to steal:
- No database of user credentials
- No session logs tied to identities
- No recovery emails that can be spoofed
The seed phrase exists only on your device, and ideally you store it offline — written on paper or saved in a secure password manager or hardware wallet.
What are zero-knowledge proofs — and why do they matter?
Zero-knowledge proofs (ZKPs) are a powerful privacy tool that let you prove something is true without revealing the actual information behind it.
Imagine being able to prove you're over 18 without showing your birth date, or prove you paid for a service without revealing your identity or transaction details.
That’s the magic of ZKPs: they separate verification from data exposure.
In the context of Nym, zero-knowledge proofs in the form of zk-nyms let users prove they are entitled to access or take part in NymVPN without tying that proof to a specific account or revealing personal data. They're part of what makes privacy-preserving infrastructure like Nym possible: a system where you can interact securely without leaving behind identifiable traces.
ZKPs shift the web from a "show everything to prove anything" model to a smarter, need-to-know-only standard — one that respects your right to stay private by default.
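To show what "prove you know something without revealing it" means in code, here is an added example of the simplest zero-knowledge proof, a Schnorr proof of knowledge of a discrete logarithm. It is an illustration, not Nym's zk-nym construction (an anonymous-credential scheme), and it uses a toy-sized group (the prime 2**127 - 1 with generator 5, chosen so the arithmetic runs instantly, not for real security). The prover convinces a verifier that it knows x with y = g^x mod p; the verifier learns nothing about x, which the `simulate` function demonstrates by forging a valid-looking transcript without x.

```python
"""Schnorr proof of knowledge of a discrete log, made non-interactive with Fiat-Shamir.

Added example; toy parameters, not Nym's zk-nym scheme.
"""
import hashlib
import secrets

P = 2 ** 127 - 1   # Mersenne prime; toy size (real systems use 2048-bit groups or elliptic curves)
G = 5
ORDER = P - 1      # exponents are reduced modulo the group order


def _challenge(y: int, t: int) -> int:
    """Fiat-Shamir: the challenge is a hash of the statement (y) and the commitment (t)."""
    h = hashlib.sha256(f"{P}|{G}|{y}|{t}".encode()).digest()
    return int.from_bytes(h, "big") % ORDER


def keygen() -> tuple[int, int]:
    """Secret x and public y = g^x mod p."""
    x = secrets.randbelow(ORDER - 1) + 1
    return x, pow(G, x, P)


def prove(x: int, y: int) -> tuple[int, int]:
    """Return (t, s): commitment t = g^r, response s = r + c*x mod order.
    The random r masks x, so s reveals nothing about x on its own."""
    r = secrets.randbelow(ORDER - 1) + 1
    t = pow(G, r, P)
    c = _challenge(y, t)
    return t, (r + c * x) % ORDER


def verify(y: int, proof: tuple[int, int]) -> bool:
    """Check g^s == t * y^c mod p. Only y and the proof are needed, never x."""
    t, s = proof
    c = _challenge(y, t)
    return pow(G, s, P) == (t * pow(y, c, P)) % P


def verify_interactive(y: int, t: int, c: int, s: int) -> bool:
    """Same check with an externally supplied challenge (the interactive protocol)."""
    return pow(G, s, P) == (t * pow(y, c, P)) % P


def simulate(y: int) -> tuple[int, int, int]:
    """Zero-knowledge in one function: pick c and s first, then solve for the
    commitment t = g^s * y^(-c). The transcript verifies although nobody knew x,
    so a transcript cannot leak x. Fiat-Shamir blocks this forgery only because
    the real prover must commit to t before c = H(y, t) is fixed."""
    c = secrets.randbelow(ORDER)
    s = secrets.randbelow(ORDER)
    t = (pow(G, s, P) * pow(pow(y, c, P), -1, P)) % P
    return t, c, s


if __name__ == "__main__":
    x, y = keygen()
    print("honest proof verifies:", verify(y, prove(x, y)))
    t, c, s = simulate(y)
    print("simulated transcript verifies interactively:", verify_interactive(y, t, c, s))
    print("but not under Fiat-Shamir:", verify(y, (t, s)))
```

Age checks and payment proofs like the ones described above use far richer statements than "I know x", but the shape is the same: a commitment, a challenge the prover cannot control, and a response that checks out only if the secret was really there, while a verifier who sees the whole exchange can produce an indistinguishable one without it.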