You’ve spent years being told to get better at passwords, to make them longer, make them stronger, use three words, don’t reuse them, add symbols, change them often… Maybe even write them down somewhere “safe” because there’s no chance you’ll remember them all.
And now, quietly but decisively, the UK’s intelligence and cybersecurity agency, GCHQ (Government Communications Headquarters), is changing the message through its public-facing arm, the NCSC (National Cyber Security Centre). The message is no longer “do passwords better” but to start moving beyond them entirely.
This isn’t just another security update
The NCSC is very clear that passwords are no longer considered strong enough for the world you’re living in now. The threat landscape has changed, and passwords, even “good” ones, haven’t kept up.
That might feel counterintuitive. After all, you’ve been told that a strong, unique password is the foundation of your security. But the reality is that most attacks don’t bother trying to crack your password anymore. They just trick you into giving it away, or grab it from a breach somewhere else.
Once that happens, it doesn’t matter how clever your mix of symbols and numbers was. It’s already out there. So instead of asking you to work harder at something that’s fundamentally flawed, the NCSC is pointing you towards a different approach.
Passkeys: the beginning of the end for passwords
The shift centres on passkeys. You might have seen the option pop up when logging into Google, PayPal, or similar services and ignored it up to now, but that small prompt is actually a glimpse of where things are heading.
A passkey means you don’t type anything in at all. You just confirm it’s you, with your fingerprint, your face, or your device PIN, and you’re in. It feels almost too simple, which is partly why people hesitate. But behind that simplicity is a completely different system. Instead of a shared secret (your password), your device and the service you’re logging into use a pair of cryptographic keys that only work together.
There’s nothing to remember, nothing to reuse and, crucially, nothing useful for an attacker to steal remotely. That’s why the NCSC now says passkeys should be your first choice wherever they’re available, and goes as far as to say it no longer recommends using passwords in those situations.
Why this change actually makes you safer
It’s easy to assume this is mostly about convenience: fewer passwords to remember, fewer resets, less friction. And yes, it does make your life easier.
But the bigger change is what it removes. Think about the most common ways accounts get compromised: phishing emails, fake login pages, reused passwords from old breaches. All of those rely on one thing: you typing a password into somewhere you shouldn’t. Passkeys remove that entirely. There’s nothing to type, so there’s nothing to trick you into handing over.
Even if a company you use gets hacked, the attacker doesn’t walk away with something they can reuse elsewhere. The piece that matters stays on your device. In practical terms, it closes off entire categories of attack that have been the backbone of cybercrime for years.
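The mechanism described in the two sections above, as an added example that is not part of the original article: a simplified Node.js model of the challenge-and-signature exchange behind a passkey login. The origins, function names and record layout are constructed for illustration, and real passkeys (WebAuthn) sign more fields than shown here.

```javascript
const crypto = require("node:crypto");

const SERVICE_ORIGIN = "https://example.com";     // constructed: the real service
const LOOKALIKE_ORIGIN = "https://examp1e.test";  // constructed: a fake login page

// Registration: the device makes a key pair; only the public key goes to the service.
function registerPasskey(origin) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
  return { device: { origin, privateKey }, serverRecord: { publicKey } };
}

// Device side: sign the challenge bound to the origin the browser is really on.
function signAssertion(device, challenge, browserOrigin) {
  if (browserOrigin !== device.origin) return null; // no passkey for this site
  const clientData = JSON.stringify({ challenge, origin: browserOrigin });
  return { clientData, signature: crypto.sign(null, Buffer.from(clientData), device.privateKey) };
}

// Service side: check freshness and origin, then the signature against the stored public key.
function verifyAssertion(serverRecord, expectedChallenge, assertion) {
  if (!assertion) return false;
  const { challenge, origin } = JSON.parse(assertion.clientData);
  if (challenge !== expectedChallenge || origin !== SERVICE_ORIGIN) return false;
  return crypto.verify(null, Buffer.from(assertion.clientData),
                       serverRecord.publicKey, assertion.signature);
}

const newChallenge = () => crypto.randomBytes(32).toString("hex");

function demo() {
  const { device, serverRecord } = registerPasskey(SERVICE_ORIGIN);
  const c1 = newChallenge();
  const good = signAssertion(device, c1, SERVICE_ORIGIN);
  const genuineLogin = verifyAssertion(serverRecord, c1, good);

  // Fake page: the device holds no passkey for that origin, so nothing is produced.
  const phishingYieldsAssertion = signAssertion(device, newChallenge(), LOOKALIKE_ORIGIN) !== null;

  // An assertion captured earlier does not match the next login's challenge.
  const replayAccepted = verifyAssertion(serverRecord, newChallenge(), good);

  // A breach exposes serverRecord (public key only); a valid signature needs the private key.
  const c2 = newChallenge();
  const other = crypto.generateKeyPairSync("ed25519").privateKey;
  const forged = signAssertion({ origin: SERVICE_ORIGIN, privateKey: other }, c2, SERVICE_ORIGIN);
  const breachDataAccepted = verifyAssertion(serverRecord, c2, forged);
  return { genuineLogin, phishingYieldsAssertion, replayAccepted, breachDataAccepted };
}
console.log(demo());
```

Only the genuine login is accepted; the look-alike origin, the replayed assertion and the signature made without the device's private key are all rejected.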
What steps should you take?
You don’t need to drop everything and overhaul your digital life right now, but you should start shifting your habits in the same direction the guidance is pointing. When you’re offered the option to create a passkey, it’s worth taking it. It might feel unfamiliar at first, but it’s designed to be easier, not harder.
At the same time, passwords aren’t disappearing overnight. You’ll still be using them in plenty of places for a while yet. The difference is how you think about them. They’re no longer your first line of defence, more like a legacy system you’re gradually moving away from.
Using a password manager, keeping passwords unique, and turning on two-factor authentication still matter. But increasingly, those are stepping stones rather than the end goal.
The bigger shift
For years, security advice has put the burden on you, to be more careful, more complex, more disciplined. Yet, despite all that effort, people still get caught out, not because they’re careless, but because the system was never that forgiving to begin with.
Passkeys flip that around. They’re designed so you don’t have to get everything right all the time. The system does more of the work for you.
GCHQ isn’t just nudging you to improve your passwords; it’s making something very clear: relying on passwords alone is no longer enough. The risks are real, and they’re happening every day, through phishing, data breaches, and reused logins that give attackers an easy way in.
Passkeys give you a way to protect your accounts without the stress of remembering dozens of passwords or worrying about getting it wrong. They’re designed to shut down the most common types of attacks before they even start.
So the next time you see the option to set one up, don’t ignore it; try it. Use it on one account and see how it works. Improving your security no longer means making your life harder. It means choosing tools that do a better job of protecting you, and right now, moving beyond passwords is one of the simplest, most effective steps you can take to keep your data safe.
If you have any thoughts on this topic, or any other consumer issues you would like us to cover, feel free to get in touch with us at support@resolver.co.uk
