A user need only remember the master password for the password manager — preferably something like a seven-word diceware passphrase, easy to remember, hard to crack.

In 2017 NIST (National Institute of Standards and Technology) as part of their digital identity guidelines recommended that user passwords are checked against existing public breaches of data. The idea is that if a password has appeared in a data breach before then it is deemed compromised and should not be used. Of course, the recommendations include the use of two factor authentication to protect user accounts too.

Here at Twilio we’re fans of using a second factor to protect user accounts, but that doesn’t mean we’ve forgotten the first factor. Encouraging users to pick strong passwords is still the first line of defence for their accounts.