Password Best Practices

Passwords are still one of the most common ways systems are accessed, and one of the most common ways they’re compromised. The issue usually isn’t awareness but habit: more specifically, the habits that well-intentioned rules have encouraged. Complex character requirements and frequent resets often lead to predictable patterns and passwords that look strong but aren’t.

Guidance from the National Cyber Security Centre and National Institute of Standards and Technology has shifted accordingly. The emphasis is now on passwords that are strong, usable, and resilient to real-world attacks. At the same time, the tools available to attackers have improved – AI-assisted credential attacks can test patterns faster and at greater scale than ever before, which makes the quality of credentials matter more, not less.

Use longer passwords, not more complicated ones

Length is far more effective than complexity alone. Short passwords with forced complexity tend to follow predictable patterns like Password123! or slight variations of the same word.

A better approach is to use a passphrase made up of several unrelated words.

For example:

This is easier to remember, but significantly harder to crack due to its length and unpredictability.

Avoid predictable or personal choices

Even long passwords can be weak if they’re based on common or personal information. Attackers use known password lists, breached data, and publicly available information to make educated guesses.

Avoid common passwords and their variations, names, birthdays, familiar references, and patterns based on organisation names, systems, or roles. Once exposed, these passwords are quickly reused in automated attacks.
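As an added example (not code from the original article), here is an acceptance check that applies the points above in the way current NIST and NCSC guidance suggests: a length floor instead of character-class rules, screening against a breached-password list including Password123!-style variations, rejecting usernames and organisation names, and generating a passphrase of unrelated words. The blocklist, organisation words, word list and the 15-character minimum are all constructed assumptions for the demonstration.

```python
import math
import re
import secrets

# Constructed sample blocklist. In practice this would be a large list of
# known-breached passwords (the "known password lists" the article refers to).
BREACHED = {"password", "qwerty", "letmein", "welcome", "summer"}

# Constructed organisation/system names of the kind the article says to avoid.
CONTEXT_WORDS = {"acme", "acmecorp", "helpdesk", "vpn"}

# Constructed word list for passphrase generation (a real one has thousands of words).
WORDLIST = ["harbour", "lantern", "copper", "meadow", "velvet", "thunder",
            "orbit", "saddle", "pepper", "glacier", "window", "marble"]

MIN_LENGTH = 15  # assumption: a floor that favours passphrases over short complex strings

# Common substitutions people use to dress up a dictionary word.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})

def normalise(pw: str) -> str:
    """Reduce 'Password123!'-style variations to their base word so they can be
    compared against the blocklist: lowercase, drop leading/trailing digits and
    symbols, then undo common leet substitutions."""
    s = re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())
    return s.translate(LEET)

def check_password(pw: str, username: str = "") -> list[str]:
    """Return the reasons a candidate password is rejected (empty list = accepted)."""
    problems = []
    low = pw.lower()
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if low in BREACHED or normalise(pw) in BREACHED:
        problems.append("matches a known-breached password or a variation of one")
    if username and username.lower() in low:
        problems.append("contains the username")
    if any(word in low for word in CONTEXT_WORDS):
        problems.append("contains an organisation or system name")
    if re.search(r"(.)\1{3,}", pw) or re.search(r"(..+)\1\1", pw):
        problems.append("contains a repeated character or sequence")
    return problems

def generate_passphrase(n_words: int = 4) -> str:
    """Pick n distinct words from WORDLIST with a cryptographically secure RNG."""
    return " ".join(secrets.SystemRandom().sample(WORDLIST, n_words))

def passphrase_entropy_bits(n_words: int = 4) -> float:
    """Entropy of generate_passphrase() output: log2 of the number of ordered
    n-word selections from WORDLIST (small here because the list is tiny)."""
    return math.log2(math.perm(len(WORDLIST), n_words))
```

With the 12-word constructed list a four-word phrase carries only about 13.5 bits; a real list of a few thousand words gives roughly 45 to 50 bits for the same four words, which is the point of favouring length over complexity.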

Don’t reuse passwords across systems

Password reuse remains one of the biggest risks. If the same password is used across multiple services, a single breach can lead to wider access. Each account should have a unique password — a compromise in one place should stay contained to that place.

Use a password manager

Remembering multiple strong, unique passwords isn’t realistic in practice. Password managers generate and store them securely, removing the pressure to reuse passwords or record them somewhere less safe. They store credentials in an encrypted vault and are widely recommended by both the NCSC and NIST. They also make adopting longer passphrases straightforward without adding to the burden on users.

Avoid unnecessary password changes

Frequent expiry, e.g. every 30 or 90 days, produces predictable behaviour: small variations on the same password, incremental suffixes, and familiar patterns with a number bumped up by one.

Current guidance recommends changing passwords when there is evidence of compromise, rather than on a fixed schedule. This produces stronger, more stable credentials over time.

Add another layer with multi-factor authentication

Even strong passwords have limits. Multi-factor authentication adds a second layer by requiring something beyond the password, and significantly reduces the risk of unauthorised access even if a password is exposed.

Not all MFA is equal. SMS-based codes are better than nothing, but they’re vulnerable to SIM-swapping attacks where an attacker redirects your number to a device they control. Authenticator apps are more resilient. Hardware security keys, physical devices that confirm identity, are stronger still. Where the choice exists, the method matters as much as whether MFA is enabled at all.

MFA should be enabled wherever possible, particularly for email and collaboration platforms, remote access to systems, and privileged or administrative accounts.

Monitor for credential exposure

Passwords can be compromised without any obvious sign. Breach data from third-party services regularly surfaces on the open and dark web, sometimes years after the original incident.

Actively monitoring whether your credentials have appeared in known breach data is a practical step that many people overlook. Various tools and services exist to do this, and some password managers include this functionality as standard. The principle is straightforward: treat breach exposure as something to monitor proactively, not just discover after the damage is done.
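One way such a check can be done without sending the password anywhere, as an added example that is not from the original article: the k-anonymity range-query scheme used by Have I Been Pwned’s Pwned Passwords service, where only the first five characters of the password’s SHA-1 hash leave the client and the comparison of the remaining 35 characters happens locally. The response body below is constructed so the block runs offline; the live endpoint is noted in a comment.

```python
import hashlib

def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase SHA-1 hex digest of the password into the 5-character
    prefix that is sent to the service and the 35-character suffix that never
    leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body: str) -> dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines a range query returns for one prefix."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts

def exposure_count(password: str, range_body: str) -> int:
    """How many times the password appears in breach data according to the
    range response, or 0 if its suffix is absent. Only the prefix was ever
    disclosed; the suffix match is computed here, on the client."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_body).get(suffix, 0)

# Constructed sample response for prefix 5BAA6, the prefix of SHA-1("password").
# A live lookup would be: GET https://api.pwnedpasswords.com/range/5BAA6
# The first suffix is the genuine remainder of SHA-1("password"); the other two
# suffixes and all three counts are made up for this example.
SAMPLE_RANGE_BODY = "\r\n".join([
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
    "0018A45C4D1DEF81644B54AB7F969B88D65:1",
    "011053FD0102E94D6AE2F8B83D76FAF94F6:2",
])

if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        n = exposure_count(candidate, SAMPLE_RANGE_BODY)
        print(f"{candidate!r}: seen {n} times" if n else f"{candidate!r}: not in sample data")
```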

The shift to passkeys

Passwords have served as the default authentication method for decades, but the direction of travel is changing. Passkeys replace the traditional password with a cryptographic credential tied to a device and confirmed through biometrics or a PIN. They’re phishing-resistant by design, can’t be reused across services, and don’t rely on a shared secret that can be stolen or leaked.

Major platforms including Google, Apple, Microsoft, and GitHub already support passkeys, and both NCSC and NIST are pointing towards passwordless authentication as the more durable long-term answer. Adoption is growing but uneven, and not every service supports them yet.

Where passkeys are available, they should be the first choice. For everything else, the guidance above applies.

What actually matters in practice

The consistent thread across modern guidance is that security needs to work in real-world conditions. Overly complex rules create workarounds. Clear, usable approaches produce better outcomes, not because they’re easier but because people actually follow them.

In practice, that comes down to a small number of consistent behaviours: using longer passwords or passphrases, avoiding reuse across accounts, using a password manager, enabling multi-factor authentication with stronger methods where possible, monitoring for credential exposure, and using passkeys where they’re supported.

Applied consistently, these steps provide a strong foundation for secure access and a more honest reflection of where good security practice actually stands today.
