World Password Day 2017 shows the future of passwords are biometrics and two-factor authentication. Psyomjesus/Wikimedia Commons

Thursday is World Password Day, a “holiday” of sorts on which internet users are encouraged to increase their personal security by improving their passwords. Luckily it’s a day that may finally be on its way out, as passwords increasingly become obsolete.

The amount of hacks, database break ins and digital theft in recent years have brought new scrutiny to passwords but make no mistake: they have always been an insecure means of protecting users.

Read: Is My Password Secure? How To Change, Make Strong Passcode After A Hack

For one, while there are ways to make passwords more secure—which amounts to making them more difficult to guess outright—most people still don’t exercise those best practices for password creation.

According to a survey conducted by SplashData, there are still plenty of people who use the most basic—and most flawed—passwords, including “123456” and “password.” Those options effectively amount to no password at all, as they would be one of the first things any enterprising hacker would attempt to guess.

On top of this, even if a user does create a secure, essentially unguessable password, they can still be at risk if the website or service they use the password for is unsecure itself.

Passwords for accounts are stored on a server. If that server is attacked, users have to hope the company storing their password properly encrypted their information so it cannot be easily deciphered. The most secure password in the world means nothing if it is stored in plain text and is directly associated with an account name.

Read: How To Sign Into Your Microsoft Account Without A Password

For World Password Day 2017, companies are encouraging users to “#LayerUp” in order to make their accounts more secure. This means activating two-factor authentication on accounts where available. Two-factor authentication adds an additional layer of protection by not only requiring a user enter a password, but also a secondary code sent to another device.

Two-factor authentication is an essential tool for staying protected online, but it exists for because passwords are so ineffective.

Earlier this year, Microsoft enabled its users to use its Microsoft Authenticator app to ditch passwords entirely. The tool works the same way as two-factor authentication, sending a temporary code to a device associated with the user account, but ditches the initial password entirely.

With the authentication code, the password is superfluous—and its very existence actually may make the account less secure. The password can be stolen remotely or even just guessed, whereas the device receiving the authentication code would have to be taken physically and has its own protection on it, like a PIN or fingerprint sensor.

Biometric tools are also becoming more common. On the iPhone and some Android devices, a fingerprint is all it takes to verify a person’s identity to complete unlock a device, complete a transaction or log in to an app.

It’s moving beyond mobile, as well. Apple has added its Touch ID fingerprint sensor to the latest series of MacBooks, and companies like Samsung and LG have started experimenting with retinal scanners and facial recognition tools that would allow a user to login just by looking at the camera on their device.

These options, along with tools like USB tokens that act as physical authentication keys, are far more secure options than the standard password. Happy World Password Day—here’s hoping it’s one of the last.

How To Create A Secure Password

Since passwords are still a necessity for now, it’s important to make sure yours are as secure as possible.

Security experts advise users to create passwords that include a combination of words, numbers, symbols and upper- and lower-case letters. That should act as the basic template for any password.

Personally identifiable information like birth date or phone number, or even names or relatives or pets, should be avoided. While it may seem like information that would only be relevant to you, much of it is available online—often shared willingly by you. If you’re the target of an attack, suddenly the photo of your dog with its name in the caption leaves you vulnerable.

It’s also suggested that you avoid using standard words that can be found in the dictionary. This seems like an odd restriction, but brute-force password-cracking tools often use dictionary listings to attempt guesses at as many words as possible. Throwing a number or punctuation in the middle of the word can help combat this.

Also, using a phrase or a sentence instead of a single word will make it more difficult for a dictionary attack to work.

It’s also important to remember that common keyboard combinations will do you no good. While using QWERTY12345 might technically meet the requirements of using letters and numbers and doesn’t take much for you to remember, they are also extremely easy to guess.

And most importantly, do not use any password more than once. Reusing passwords guarantees that one breach may compromise multiple accounts. You need to create a unique secure password each and every time you create an account.