One of the regular surveys into our password habits has revealed that they're still mostly terrible, with plenty of people using the easiest, most obvious, guessable options to protect their precious online lives, and two-factor authentication reserved for the hardcore and the paranoid.
It seems people are happy to use the same password across multiple sites and have "123456" protecting their main email account (and therefore their access to their entire data universe), despite regular warnings about how this isn't a great idea as if one thing gets hacked everything else falls with it.
But how can you encourage people to be more interested in using complex passwords and authentication methods, when there's no immediate downside to having password for a password?
It's kind of a boring thing, but, like wearing a seatbelt or replacing the battery in your fire alarm, one that can make things much better for you in the long run should something bad happen.
And not 2820 either
As people clearly can't be trusted, perhaps there should be a two-tier internet, like the filtered versions arriving in the UK thanks to the ISPs and their adult content blockers.
If your password is 123456 or "password," you get a special version of the internet, one that's filtered, and presented entirely in Comic Sans, so you can't do any damage to yourself or others.
Banking sites are blocked, online shopping accounts require an adult signed in with a proper password to vouch for you, plus email is limited to read only as you're clearly a bit too stupid to be trusted to converse with grown-ups.
And if people complain about that, it must come down to the service providers to force their users to comply to proper password rules.
My internet bank requires me to turn up at a branch with a urine sample and a letter from my dad it's so bloody hard to sign in to it these days, but Gmail's happy for me to use the same password I've used for everything since 1996.
Who's wrong there? I'm less likely to do any internet banking because it's such a chore to use the special codes, memorable words, card readers and devices they need to verify I'm me and not a Russian bot, whereas Gmail's always open because it stays logged in and is, therefore, my friend.
If Gmail forced everyone to use two-factor authentication, people would stop using Gmail because of the additional fuss it'd generate and move to a less secure option. That's how lazy we all are.
But then again, aren't we all constantly being hacked in much more intelligent and imaginative ways than people guessing our passwords nowadays? Guessing passwords is a bit 1980s.
When you've got gangs putting fake card readers over the top of ATM slots to steal PIN numbers and keyloggers installing themselves in the background when you visit web sites, bothering about secure passwords feels like fighting a pointless, losing battle.
Someone's going to find out your password and special numbers no matter what they are or how many odd alternate characters and capital letters you're using, so perhaps the only defence and way to stay sane is to stop caring and hope it doesn't happen to you.
That's the same way we manage to not worry about getting crushed by falling masonry when going outside. Imagine it won't happen to you, and if it does, don't worry, as someone will probably help pick up the bits.
Sign up to receive daily breaking news, reviews, opinion, analysis, deals and more from the world of tech.