Passwords remain the most common authentication mechanism on the internet — and also one of the most abused. Despite decades of security awareness training, breaches continue to occur because of weak, reused, or exposed credentials.
After more than two decades working across helpdesk, systems administration, networking, and now cybersecurity, I can confidently say this: password security problems are rarely caused by a lack of rules — they’re caused by human behaviour colliding with bad policy.
Users complain about:
- Too many passwords
- Passwords expiring too often
- Complexity requirements that feel arbitrary
Ironically, these same users often reuse passwords, increment numbers at the end, or write credentials down — behaviours that directly undermine security.
This article cuts through outdated advice and explains what actually works, why many traditional password policies fail, and how IT professionals should be thinking about password security today.
Why Passwords Still Matter (Even in a Zero Trust World)
Yes, we have:
- Multi-Factor Authentication (MFA)
- Biometrics
- Conditional access
- Passwordless authentication
But in reality:
- Passwords still back most authentication systems
- Service accounts, APIs, legacy systems still rely on them
- A compromised password is often the first step in a larger attack chain
Credential theft remains one of the top initial access techniques used in ransomware and business email compromise (BEC) attacks.
The Real Threat Model: How Passwords Get Compromised
Most accounts aren’t “hacked” in the Hollywood sense. They’re compromised through:
- Credential stuffing (reused passwords from breaches)
- Phishing attacks
- Malware harvesting browser-stored credentials
- Brute force against weak passwords
- Passwords shared or emailed internally
If an attacker has:
- Your username (usually an email address)
- A reused or weak password
They can automate attacks across hundreds of services in minutes.
Why Traditional Password Policies Often Backfire
For years, IT enforced rules like:
- Change password every 30–90 days
- Must contain upper, lower, number, symbol
- Cannot reuse previous passwords
What happened?
- Users added “1”, then “2”, then “3”
- Passwords were written on sticky notes
- Variations were predictable
- Security posture worsened
Modern Guidance (NIST SP 800-63B)
Current standards recommend:
- MFA wherever possible
- Longer passwords over complex ones
- No forced rotation unless compromised
- Blocking known breached passwords
- Encouraging passphrases
Password security is one of the critical problems in cyber security today. Many people are relaxed about it and would rather set an easy-to-remember password than protect their valuable information and money. All a hacker needs is your user ID (say, [email protected]), and in a matter of minutes they can be inside your bank account or work email account. You can go to https://howsecureismypassword.net to find out how long it would take a hacker to crack a given password. You will be surprised at the results. In the example below I have used a pet's name and some numbers.
Rexy123!
Here are some password security tips on what you should and should not do regarding passwords.
What Actually Makes a Strong Password Today
1. Length Beats Complexity (Every Time)
A long password exponentially increases cracking time.
Better:
CorrectHorseBatteryStaple!
Worse:
R3xY!23
Length matters more than symbols sprinkled into short passwords.
2. Passphrases Are the Gold Standard
Passphrases:
- Are easier to remember
- Are harder to crack
- Reduce helpdesk calls
Example:
MyDogSleepsUnderTheDeskAtNight!
From experience, users who adopt passphrases:
- Reset passwords less
- Reuse them less
- Resist phishing better
3. Avoid Personal or Predictable Information
Never base passwords on:
- Pet names
- Children’s names
- Birthdays
- Towns or street names
- Favourite sports teams
Attackers scrape social media first. If it’s public, it’s compromised.
4. Never Reuse Passwords (This Is Non-Negotiable)
Password reuse is the single biggest risk factor I see in breaches.
One leaked password can unlock:
- Banking
- Cloud admin portals
- VPN access
If you reuse passwords, you are assuming every service you use is perfectly secure — history shows that isn’t true.
Password Managers: From “Nice to Have” to Mandatory
In modern environments, password managers are essential, not optional.
They allow users to:
- Generate unique passwords
- Store credentials securely
- Avoid reuse
- Reduce cognitive load
Enterprise-Friendly Options
- Microsoft Edge / Entra ID password vault
- Bitwarden (excellent enterprise controls)
- 1Password Business
- LastPass (with caution and strong governance)
IT Opinion
If your organisation bans password managers, it is forcing insecure behaviour, whether intentionally or not.
Why “Just Change Your Password” Is No Longer Enough
When credentials are compromised:
- Attackers often already have persistence
- Tokens may still be valid
- Mailbox rules may exist
- OAuth app consents may remain
Password changes must be accompanied by:
- Session revocation
- Token invalidation
- Audit of mailbox rules
- Review of sign-in logs
This is where security maturity separates organisations.
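As an added example (not from the article), a small triage of a user's inbox rules for the persistence indicators the mailbox-rule audit step is looking for. The rule records are a constructed, simplified dict form; the organisation's domain, the "quiet folder" list and the keyword list are the editor's assumptions, not anything the article specifies:

```python
"""Inbox-rule triage after a credential compromise (added example, not from the
article). Heuristics are common BEC persistence indicators chosen by the editor."""

ORG_DOMAINS = {"example.com"}  # assumption: the tenant's own mail domains
# Folders users rarely open; attackers park stolen or intercepted mail there.
QUIET_FOLDERS = {"rss feeds", "conversation history", "archive", "junk email", "deleted items"}
SENSITIVE_WORDS = ("password", "invoice", "payment", "wire", "mfa", "verification")


def _external(addresses: list[str]) -> list[str]:
    """Addresses whose domain is not one of ours."""
    return [a for a in addresses if a.rsplit("@", 1)[-1].lower() not in ORG_DOMAINS]


def triage_rule(rule: dict) -> list[str]:
    """Return the indicators found for one enabled rule (empty list = nothing notable)."""
    if not rule.get("enabled", True):
        return []
    findings = []
    targets = _external(rule.get("forward_to", []) + rule.get("redirect_to", []))
    if targets:
        findings.append(f"forwards mail outside the organisation: {', '.join(targets)}")
    words = [w for w in SENSITIVE_WORDS if w in rule.get("subject_contains", "").lower()]
    if rule.get("delete_message") and words:
        findings.append(f"deletes messages matching {words}")
    folder = rule.get("move_to_folder", "").lower()
    if folder in QUIET_FOLDERS and words:
        findings.append(f"hides messages matching {words} in '{rule['move_to_folder']}'")
    if len(rule.get("name", "").strip(" .,-_")) <= 1:
        findings.append("near-empty rule name")
    return findings


def triage_mailbox(rules: list[dict]) -> dict[str, list[str]]:
    """Map rule name -> indicators, only for rules that have any."""
    out = {}
    for r in rules:
        hits = triage_rule(r)
        if hits:
            out[r.get("name", "")] = hits
    return out


# Constructed sample: one benign rule and two typical post-compromise rules.
SAMPLE_RULES = [
    {"name": "Newsletters", "enabled": True, "move_to_folder": "Newsletters", "subject_contains": "digest"},
    {"name": ".", "enabled": True, "forward_to": ["collector@attacker-mail.test"],
     "delete_message": True, "subject_contains": "invoice"},
    {"name": "Cleanup", "enabled": True, "move_to_folder": "RSS Feeds", "subject_contains": "password reset"},
]

if __name__ == "__main__":
    for name, hits in triage_mailbox(SAMPLE_RULES).items():
        print(f"rule {name!r}: {hits}")
```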
The Role of Multi-Factor Authentication (MFA)
MFA doesn’t replace good passwords — it compensates for their failure.
From real-world incident response:
- MFA stops ~99% of automated credential attacks
- Even weak passwords become significantly less dangerous
- Phishing-resistant MFA (FIDO2) is the future
Best Practice
- Enforce MFA everywhere possible
- Prioritise admin accounts
- Use conditional access to reduce user friction
Passwords You Should Never Email or Share
No matter how urgent:
- Never send passwords via email
- Never send them via chat
- Never share admin credentials
If access is required:
- Use role-based access
- Use Just-In-Time access
- Reset credentials after use
Shared passwords destroy accountability and auditability.
Teaching Users Without Shaming Them
One of the biggest mistakes IT makes is talking down to users.
Instead:
- Explain why rules exist
- Show real breach examples
- Promote tools that make life easier
- Reward good behaviour
Security works best when it’s enabled, not enforced through pain.
A Practical Password Checklist for IT Teams
- Enforce minimum length (14+ characters)
- Allow passphrases
- Block breached passwords
- Remove forced rotation unless compromised
- Mandate MFA
- Support password managers
- Monitor for risky sign-ins
- Educate continuously
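An added example (not from the article) that turns the NIST SP 800-63B guidance above and this checklist into a password acceptance check: a 14-character minimum, no upper/lower/digit/symbol rule, no age check, a username check, and a breached-password lookup done k-anonymity style (only a hash prefix would leave the client) against a constructed in-memory corpus. The corpus entries and their counts are made up for the demonstration:

```python
"""Password acceptance check modelled on NIST SP 800-63B (added example, not from
the article). The breach lookup mimics a k-anonymity range query against a
constructed corpus instead of calling a live service."""
import hashlib

MIN_LENGTH = 14   # checklist: enforce 14+ characters
MAX_LENGTH = 128  # long passphrases must be allowed, not truncated


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed breach corpus with hypothetical counts. A real range service is sent
# only the first 5 hex characters of the hash and returns every matching suffix.
_CONSTRUCTED_BREACHED = {"Rexy123!": 1204, "correcthorsebatterystaple": 58, "Summer2024!": 9911}
_RANGE_INDEX: dict[str, dict[str, int]] = {}
for _pw, _count in _CONSTRUCTED_BREACHED.items():
    _h = sha1_hex(_pw)
    _RANGE_INDEX.setdefault(_h[:5], {})[_h[5:]] = _count


def breach_count(password: str) -> int:
    """k-anonymity lookup: fetch the range for the 5-char prefix, compare suffix locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return _RANGE_INDEX.get(prefix, {}).get(suffix, 0)


def check_password(password: str, username: str) -> list[str]:
    """Return the reasons to reject; an empty list means the password is accepted.
    Deliberately no composition rule and no expiry: length, context and breach
    status are what the guidance actually asks for."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    local_part = username.split("@")[0].lower()
    if local_part and local_part in password.lower():
        reasons.append("contains the username")
    if (n := breach_count(password)):
        reasons.append(f"appears in breach corpus ({n} times)")
    return reasons


if __name__ == "__main__":
    for pw in ("Rexy123!", "CorrectHorseBatteryStaple!", "correcthorsebatterystaple",
               "purple tractor swims quietly"):
        print(f"{pw!r}: {check_password(pw, 'jane@example.com') or 'accepted'}")
```

The all-lowercase passphrase is accepted while the long but breached one is refused, which is the point of the "length over complexity, block breached passwords" pairing.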
Final Thoughts: Password Security Is a Human Problem
Password security isn’t just a technical challenge — it’s a human one.
The best systems:
- Assume users are busy
- Reduce friction
- Remove unnecessary rules
- Provide guardrails instead of punishment
If your users are constantly fighting your security controls, your controls are failing.
Strong passwords, combined with MFA and modern identity controls, remain one of the most effective — and cheapest — security investments you can make.

From my early days on the helpdesk through roles as a service desk manager, systems administrator, and network engineer, I’ve spent more than 25 years in the IT world. As I transition into cyber security, my goal is to make tech a little less confusing by sharing what I’ve learned and helping others wherever I can.
