For years, the standard advice on passwords was simple: make them complex, change them frequently, and never reuse them. It turns out that at least part of that guidance was counterproductive. Research from security institutions, including the National Institute of Standards and Technology in its Digital Identity Guidelines (SP 800-63B), has fundamentally revised the conventional wisdom on password policy, and many businesses are still operating on outdated rules that make their employees less secure, not more. Understanding what actually works is the first step toward fixing it.
When employees are required to create passwords with uppercase letters, numbers, symbols, and minimum lengths, and then change them every 60 or 90 days, the predictable human response is to game the system. Passwords become slight variations on a theme: Summer2024! becomes Fall2024!, then Winter2025!. The format satisfies the policy while adding almost no security over a simpler, more memorable password that never changes, because an attacker who has last quarter's password can guess this quarter's in a handful of tries.
Frequent mandatory rotation also trains employees to write passwords down, store them in unsecured notes, or reuse variations across accounts, all of which create far greater risk than the policy was designed to prevent. The complexity requirement produces passwords that are hard for humans to remember yet easy for automated tools to crack: people satisfy it in predictable ways (a capitalized dictionary word, digits that are usually a year, a symbol at the end), and cracking tools ship with rulesets that try exactly those transformations first. That is precisely the opposite of the intended outcome.
Current guidance from security researchers and standards bodies has shifted significantly. The emphasis has moved from complexity and rotation to length and uniqueness. A long passphrase, four or more common words chosen at random rather than by the user, is both more memorable and more resistant to guessing attacks than a short, symbol-laden password, because its strength comes from the size of the word list and the number of words rather than from character classes. Mandatory rotation is no longer recommended unless there is evidence of compromise; instead, new passwords should be screened against lists of known-breached and commonly used passwords and rejected if they appear there. The focus belongs on uniqueness: every account should have a distinct credential so that one breach does not cascade into many.
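To make the length-over-complexity argument concrete, the following added example (not code from the original article) puts numbers on it: it compares the effective entropy of a Summer2024!-style template with that of random characters and random word passphrases, flags the template shape that complexity rules encourage, and generates a passphrase with a cryptographically secure source. The word list is a constructed stand-in for a real diceware list; the 7776-word pool size and the 1e10 guesses-per-second rate are assumptions standing in for a full list and an offline attack against a fast hash.

```python
import math
import re
import secrets

# Constructed stand-in for a diceware-style word list. A real list has 7776
# entries; the entropy math takes the pool size as a parameter so the figures
# for a full list can be computed without embedding it.
WORDS = [
    "anchor", "basil", "canyon", "dune", "ember", "falcon", "gravel", "harbor",
    "island", "juniper", "kettle", "lantern", "meadow", "nectar", "orbit", "pebble",
    "quartz", "ridge", "saddle", "timber", "umber", "velvet", "walnut", "yonder",
]
DICEWARE_POOL = 7776          # 6^5: five dice rolls pick one word
PRINTABLE_ASCII_POOL = 94     # the usual upper/lower/digit/symbol keyspace

# Capitalised word + 2-4 digits (usually a year) + optional trailing symbol:
# the shape "Summer2024!" takes, and among the first things a cracking
# ruleset tries.
TEMPLATE = re.compile(r"^[A-Z][a-z]+\d{2,4}[!@#$%^&*]?$")


def entropy_bits(pool_size: int, length: int) -> float:
    """Bits of entropy for `length` independent uniform picks from `pool_size` choices."""
    return length * math.log2(pool_size)


def template_entropy_bits(seasons: int = 4, years: int = 10, symbols: int = 10) -> float:
    """Effective entropy of the Summer2024! pattern once the attacker knows the pattern.
    Assumed pattern parameters: 4 seasons, ~10 plausible years, ~10 trailing symbols."""
    return math.log2(seasons * years * symbols)


def matches_template(password: str) -> bool:
    """True if the password has the predictable word+year+symbol shape."""
    return TEMPLATE.match(password) is not None


def generate_passphrase(words=WORDS, count: int = 4, separator: str = "-") -> str:
    """Random passphrase. `secrets` is used because `random` is not a CSPRNG."""
    return separator.join(secrets.choice(words) for _ in range(count))


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Time to search the whole keyspace at the given offline guessing rate (assumed)."""
    return 2 ** bits / guesses_per_second / (3600 * 24 * 365)


if __name__ == "__main__":
    for label, bits in [
        ("Summer2024!-style template", template_entropy_bits()),
        ("8 random printable chars", entropy_bits(PRINTABLE_ASCII_POOL, 8)),
        ("4 diceware words", entropy_bits(DICEWARE_POOL, 4)),
        ("6 diceware words", entropy_bits(DICEWARE_POOL, 6)),
    ]:
        print(f"{label:28s} {bits:5.1f} bits  ~{years_to_exhaust(bits):.2e} years at 1e10/s")
    print("matches template:", matches_template("Summer2024!"))
    print("example passphrase:", generate_passphrase())
```

Two things worth noticing in the output. First, four random diceware words (about 51.7 bits) land in the same range as eight fully random printable characters (about 52.4 bits), while being far easier to remember; the seasonal template, once the attacker knows the pattern, is worth under 9 bits. Second, at the assumed 1e10 guesses per second, which models an offline attack on a fast unsalted hash, even 51.7 bits falls in days, so four words is the floor rather than the target; six words adds roughly 26 bits. Against an online login with lockout, or a password store hashed with a deliberately slow KDF, the attainable rate is many orders of magnitude lower.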
This is where password managers become essential rather than optional. The reason employees reuse passwords is that human memory cannot reliably maintain dozens of unique, strong credentials. A password manager solves this problem entirely, generating and storing unique credentials for every account while requiring the employee to remember only one strong master password. It is one of the highest-return security investments a business can make, and the per-user cost is minimal.
Credential reuse is one of the most exploited vulnerabilities in modern cybersecurity. When a data breach exposes usernames and passwords from one service—a news site, an e-commerce platform, a gaming account—attackers systematically test those credentials against business applications, email accounts, and financial systems. This technique, called credential stuffing, is automated and operates at scale. If an employee's personal account credentials match their work account credentials, the breach of the personal account becomes a breach of your business.
Password managers, combined with multi-factor authentication (MFA), form the most practical defense against credential stuffing. Unique passwords mean a breach elsewhere cannot be leveraged against your systems. MFA means that even a correct password is insufficient without the second factor; a phishing-resistant factor such as a FIDO2 security key also holds up when the employee is tricked into typing the password into a fake login page.
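Credential stuffing has a recognisable shape in authentication logs, and the detection side is worth seeing alongside the prevention advice. The example below is added here and is not from the original article; it runs a small classifier over constructed log lines (the format, hostnames and TEST-NET addresses are all made up for the example) and separates a stuffing source, which touches many different usernames roughly once each, from a single-account brute force and from an ordinary user who mistyped a password. It also pulls out the account that did authenticate from inside the stuffing burst, since that success, not the failures, is the incident.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed log format for this example: one line per authentication attempt.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: 203.0.113.7 sprays six usernames (one hit), 198.51.100.9
# hammers one account, 192.0.2.5 is a user who mistyped once then logged in.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z src=203.0.113.7 user=alice result=FAIL",
    "2024-05-01T10:00:01Z src=203.0.113.7 user=bob result=FAIL",
    "2024-05-01T10:00:02Z src=203.0.113.7 user=carol result=FAIL",
    "2024-05-01T10:00:02Z src=203.0.113.7 user=dave result=OK",
    "2024-05-01T10:00:03Z src=203.0.113.7 user=erin result=FAIL",
    "2024-05-01T10:00:03Z src=203.0.113.7 user=frank result=FAIL",
] + [
    f"2024-05-01T10:05:{i:02d}Z src=198.51.100.9 user=bob result=FAIL" for i in range(10)
] + [
    "2024-05-01T10:07:12Z src=192.0.2.5 user=alice result=FAIL",
    "2024-05-01T10:07:30Z src=192.0.2.5 user=alice result=OK",
]


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)
    successes: set = field(default_factory=set)   # usernames that logged in


def parse(line: str):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def summarize(lines) -> dict:
    """Aggregate attempts per source address, skipping unparseable lines."""
    stats = defaultdict(SourceStats)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        s = stats[rec["src"]]
        s.attempts += 1
        s.users.add(rec["user"])
        if rec["result"] == "FAIL":
            s.failures += 1
        else:
            s.successes.add(rec["user"])
    return stats


def classify(s: SourceStats, min_users: int = 5, min_fail_ratio: float = 0.8,
             min_bruteforce_fails: int = 10) -> str:
    """Stuffing: many distinct users, almost all failing. Brute force: one user,
    many failures. Thresholds are illustrative and would be tuned per environment."""
    fail_ratio = s.failures / s.attempts if s.attempts else 0.0
    if len(s.users) >= min_users and fail_ratio >= min_fail_ratio:
        return "stuffing"
    if len(s.users) == 1 and s.failures >= min_bruteforce_fails:
        return "brute_force"
    return "benign"


def flag_sources(lines) -> dict:
    """Map each source address to its classification."""
    return {src: classify(s) for src, s in summarize(lines).items()}


def compromised_accounts(lines) -> set:
    """Accounts that successfully authenticated from a source classified as stuffing:
    the credential worked, so it was reused and is now in the attacker's hands."""
    stats = summarize(lines)
    return {u for src, s in stats.items() if classify(s) == "stuffing" for u in s.successes}


if __name__ == "__main__":
    for src, verdict in flag_sources(SAMPLE_LOG).items():
        print(f"{src:14s} {verdict}")
    print("reset and investigate:", sorted(compromised_accounts(SAMPLE_LOG)))
```

Grouping by source address is the simplest cut and works for the single-IP case shown; real stuffing campaigns are usually spread across residential proxies so that no one address crosses a threshold, and a production detection would also watch the global rate of distinct-username failures per minute and the user agents behind them. The response for a flagged success is the same either way: force a reset of that account and treat it as compromised, which is exactly the cascade that unique credentials and MFA are meant to stop.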
Updating a password policy requires more than changing the rules—it requires the tools and training to support new behaviors:
Password policy is one of the areas where good intentions and outdated guidance have combined to make organizations less secure than they could be. Revisiting these policies in light of current research—and pairing updated rules with the tools that make them achievable—closes a gap that attackers exploit daily. The goal is not compliance theater; it is credentials that are genuinely difficult to compromise and genuinely manageable for the people who use them.