For now, passwords are necessary, as well as regularly re-used, and sometimes leaked when hackers access private information. When you forget yours, the process of logging back into an account you're locked out of is clunky and not as secure as it could be.
Facebook (FB) wants to change that, and eventually, to make passwords obsolete.
Facebook's F8 developer conference on Tuesday brought the launch of the beta version of Delegated Account Recovery, a way for the social network to be the backup security key in case you forget your password on different, non-Facebook services.
The idea: If you forget your password on an app or website, it will instead use Facebook to verify you are who you say you are. You will have to prove yourself through exercises like recognising friends' photos in order to log into your other account.
"We want to make sure we can let you use [identifying] information to keep yourself secure, but not have to trade your privacy," Facebook security engineer Brad Hill told CNNTech. "Right now you tell your mother's maiden name to 500 different places and if any one of them gets hacked, then you're vulnerable everywhere."
Think about the last time you forgot your password. The website likely sent a link to your email to reset your password, or texted a code to your mobile phone. You might have answered security questions, like your mother's maiden name or the moniker of your first pet.
Facebook says its method is more secure. Text messages are unencrypted, and email accounts can be hacked. Further, Facebook's Delegated Account Recovery works even if someone switches their phone number or email address.
People might be skeptical about trusting Facebook with other accounts. The company knows everything about you, and uses your information to advertise to you. And of course, if your Facebook account is hacked, the bad guys can log into your other accounts that way, too.
But Hill insisted Facebook has safeguards in place to recognise fraudulent activity, and will alert you if anything seems amiss. If, say, Facebook knows you always log in via your iPhone in California, an attempt from Russia on an Android will be flagged.
Facebook also limits how many third-party accounts can be recovered at one time, and the company won't know the details of those other accounts. For example, say you use Facebook as your backup code for your bank. Facebook will know you use the bank's services, but it doesn't know anything about your bank account.
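As an added illustration (not Facebook's code or its published protocol), the model below shows the arrangement this paragraph describes: the third-party service hands the recovery provider only an opaque random token, so the provider learns that the user has an account there but nothing about it; the provider releases a countersigned token only after an identity check and caps how many recoveries it will do in a time window. The class names, the HMAC key shared between the two parties and the `identity_verified` flag are assumptions made for the example.

```python
import hashlib
import hmac
import json
import secrets

class Service:
    """A third-party site (e.g. a bank) that delegates account recovery."""
    def __init__(self, name, shared_key):
        self.name = name
        self.shared_key = shared_key      # assumption: HMAC key shared with the provider
        self.tokens = {}                  # opaque token -> account id, kept only here

    def issue_token(self, account_id):
        token = secrets.token_urlsafe(16) # random: carries no account information
        self.tokens[token] = account_id
        return token

    def recover(self, payload, sig):
        """Check the provider's countersignature and return the account to unlock."""
        expected = hmac.new(self.shared_key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            raise ValueError("bad provider signature")
        data = json.loads(payload)
        if data["service"] != self.name:
            raise ValueError("token was not issued for this service")
        return self.tokens[data["token"]]

class RecoveryProvider:
    """The Facebook-like backup: stores only (user, service, opaque token)."""
    def __init__(self, shared_key, max_per_window=3, window=3600):
        self.shared_key, self.max, self.window = shared_key, max_per_window, window
        self.saved = {}                   # (user, service) -> opaque token
        self.attempts = {}                # user -> timestamps of recoveries

    def save_token(self, user, service, token):
        self.saved[(user, service)] = token

    def recover(self, user, service, identity_verified, now):
        if not identity_verified:         # e.g. the friend-photo challenge failed
            raise PermissionError("identity check failed")
        recent = [t for t in self.attempts.get(user, []) if now - t < self.window]
        if len(recent) >= self.max:       # limit recoveries per window, flag the rest
            raise PermissionError("too many recoveries; flagged for review")
        self.attempts[user] = recent + [now]
        payload = json.dumps({"user": user, "service": service,
                              "token": self.saved[(user, service)], "ts": now},
                             sort_keys=True).encode()
        return payload, hmac.new(self.shared_key, payload, hashlib.sha256).hexdigest()
```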
For now, developers must apply to use the tech. Facebook is open-sourcing this technology so eventually any company can use it – that is, even if you don't trust Facebook with your identity, you might trust another organisation that implements the tool.
Delegated Account Recovery doesn't replace passwords. But it's a stepping stone in Facebook's efforts to improve and eventually replace the security mechanisms we currently use. You probably already use another one: Facebook Login lets you remember one less password when you sign up for third-party apps.
Google (GOOG), too, is working on products to get rid of the password. Both firms support Yubikey, a physical key you plug into your computer that acts like a password.
Hill said Facebook's account recovery feature will also benefit people just beginning to use the internet, who may have Facebook accounts but not an email or phone number. Instead, he said, people in emerging markets might get accustomed to using social identities as a login authenticator, rather than the assortment of letters and numbers that we use as passwords.
"Facebook's one of the best pieces of online identity they have, and it can be a great anchor for them to get connected to more services," Hill said.