Password Best Practices
Why password complexity rules alone don't work, how to use a password manager, and what to do if your credentials show up in a breach.
Password advice from 2010 doesn’t work in 2025. Requiring “8 characters with a capital letter and a number” produces passwords like Password1!, which satisfies the rule and is still terrible, while making people miserable. NIST dropped composition rules from its guidance back in 2017 (SP 800-63B). Here’s what actually works.
The problem with complexity rules
Humans are bad at random. Told to make a complex password, most people capitalize the first letter, put the number at the end, and add an exclamation point. Attackers know this: cracking tools such as hashcat and John the Ripper take a wordlist of previously leaked passwords and apply mutation rules (capitalize the first letter, append a digit, swap a for @) that reproduce exactly those habits, so P@ssw0rd! falls in seconds.
The bigger issue is reuse. Most people use the same password, or minor variations of it, across multiple accounts. When one site gets breached (and sites get breached constantly), those credentials are sold or leaked and then replayed against every other service the victim might use. That replay is called credential stuffing, and it is automated.
What actually works
Unique passwords for every account. This is the most important thing. If your email password is different from your banking password is different from your work login, a breach at one site doesn’t cascade.
Long passphrases over complex short passwords. Four or more random words, such as the xkcd example correct-horse-battery-staple, are longer, easier to remember, and harder to crack than P@ssw0rd!, which is one dictionary word with substitutions every cracking rule set already tries. Length matters more than complexity: each word drawn at random from a standard 7,776-word list adds about 13 bits, so four words give roughly 52 bits and six about 78. Two caveats: the words must actually be random (use a dice-based list or your password manager’s generator, not a phrase you would naturally say), and don’t use correct-horse-battery-staple itself; that exact string has been in every wordlist since the comic.
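To make the “length beats complexity” claim concrete, here is an added Python example (not code from the original page) that generates a passphrase with the `secrets` CSPRNG and puts numbers on the comparison. The 32-word list is a constructed stand-in for a real 7,776-word Diceware list; the attacker model for the Password1! habit (about 10,000 common words, a trailing digit and one of roughly ten popular symbols) and the 1e10 guesses/second rate are assumptions, stated in the comments.

```python
import math
import secrets

# Constructed mini word list for the demo. A real Diceware-style list has
# 7776 words (6^5, one per roll of five dice); the entropy figures below use that size.
WORDS = (
    "acorn", "badge", "cabin", "daisy", "eagle", "fable", "gauge", "hazel",
    "igloo", "jelly", "kiosk", "lemon", "mango", "noble", "oasis", "pearl",
    "quilt", "raven", "saddle", "tulip", "umbra", "vivid", "waltz", "xenon",
    "yacht", "zebra", "amber", "bison", "cider", "dune", "ember", "flint",
)
DICEWARE_SIZE = 7776
PRINTABLE_ASCII = 94  # letters, digits and punctuation a random generator can pick from


def passphrase(n_words: int, words=WORDS, sep: str = "-") -> str:
    """Build a passphrase from n words chosen with the CSPRNG in `secrets`.
    random.choice is predictable from its state; secrets.choice is not."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(n_symbols: int, alphabet_size: int) -> float:
    """Entropy of n symbols drawn uniformly at random from an alphabet."""
    return n_symbols * math.log2(alphabet_size)


def pattern_entropy_bits(common_words: int, digit_slots: int = 1, symbol_choices: int = 10) -> float:
    """Attacker's-eye entropy of the 'Word1!' habit: one common word (capitalised,
    which costs the attacker nothing), one digit, one of a handful of trailing symbols.
    The model (10k common words, ~10 popular symbols) is an assumption for illustration."""
    return math.log2(common_words) + digit_slots * math.log2(10) + math.log2(symbol_choices)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every possibility. The rate depends entirely on how the site
    hashed the password: 1e10/s is plausible for a GPU rig against a fast unsalted
    hash, wildly optimistic for the attacker against bcrypt or an online login form."""
    return 2 ** bits / guesses_per_second


if __name__ == "__main__":
    print("generated:", passphrase(4))
    for label, bits in [
        ("Password1!-style habit", pattern_entropy_bits(10_000)),
        ("8 truly random printable chars", entropy_bits(8, PRINTABLE_ASCII)),
        ("4 Diceware words", entropy_bits(4, DICEWARE_SIZE)),
        ("6 Diceware words", entropy_bits(6, DICEWARE_SIZE)),
    ]:
        days = seconds_to_exhaust(bits, 1e10) / 86400
        print(f"{label:32s} {bits:5.1f} bits  ~{days:,.1f} days at 1e10 guesses/s")
```

Run it and the table makes the point the paragraph only states: the Password1! habit is around 20 bits and gone in a fraction of a second, four random words are already in the same range as eight truly random characters, and six words push exhaustive search past the lifetime of the attacker even at fast-hash speeds.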
A password manager. The only practical way to have a unique, strong password for every account without memorizing them. Good options: Bitwarden (free, open source) and 1Password (paid). Your browser’s built-in password manager is better than nothing but weaker than a dedicated tool. The manager’s master password is the one you still have to remember, so make it a long random passphrase and turn on MFA for the vault itself.
Multi-factor authentication everywhere it’s available. Even if someone gets your password, MFA stops most attackers cold. Use an authenticator app (Microsoft Authenticator, Google Authenticator) rather than SMS when you can: SMS codes can be intercepted or redirected with a SIM swap. Be aware that any code you type, app or SMS, can still be phished in real time by a fake login page that relays it to the real site; where a service offers passkeys or a FIDO2 security key, those are bound to the genuine site and can’t be relayed, so prefer them for your most important accounts.
For business accounts
Work email is a high-value target: whoever controls a mailbox can reset the passwords on every other account tied to it. Microsoft 365 accounts are attacked constantly, by credential stuffing (replaying passwords leaked from other sites), password spraying (trying one common password against many accounts, slowly enough to stay under lockout thresholds), and phishing. Protect them accordingly:
- Unique strong password, not shared with anything else
- MFA enforced by a Conditional Access policy (or Security Defaults on a small tenant), not left for each user to opt into
- Register recovery options on your real email and phone, not a shared mailbox
Admin accounts (IT admins, M365 global admins) need extra protection: dedicated admin accounts, separate from the daily-use account that reads email and browses the web, used only for administration, and covered by phishing-resistant MFA (a security key or passkey) where the tenant supports it.
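The password-spraying pattern described above is easy to spot once you know its shape: one source address, many different accounts, one or two failures each. The Python below is an added example (not code from the original page or from Microsoft) that runs that detection over a constructed batch of sign-in events. The events are made up and use shortened field names; they are modelled on the Entra ID sign-in log fields userPrincipalName, ipAddress, createdDateTime and status.errorCode, where 50126 means invalid username or password and 0 means success. The thresholds (15-minute window, 5 accounts, at most 2 failures per account) are assumptions to tune for your tenant.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events modelled on Entra ID sign-in log fields; not real data.
# code 50126 = invalid username or password, 0 = success.
SAMPLE_EVENTS = [
    # One source IP trying one guess against many accounts: the spray shape.
    {"time": "2025-03-01T09:00:01Z", "user": "alice@example.com", "ip": "203.0.113.7", "code": 50126},
    {"time": "2025-03-01T09:00:09Z", "user": "bob@example.com",   "ip": "203.0.113.7", "code": 50126},
    {"time": "2025-03-01T09:00:17Z", "user": "carol@example.com", "ip": "203.0.113.7", "code": 50126},
    {"time": "2025-03-01T09:00:25Z", "user": "dave@example.com",  "ip": "203.0.113.7", "code": 50126},
    {"time": "2025-03-01T09:00:33Z", "user": "erin@example.com",  "ip": "203.0.113.7", "code": 50126},
    {"time": "2025-03-01T09:00:41Z", "user": "frank@example.com", "ip": "203.0.113.7", "code": 0},
    # One user mistyping their own password twice from the office: not a spray.
    {"time": "2025-03-01T09:05:00Z", "user": "alice@example.com", "ip": "198.51.100.2", "code": 50126},
    {"time": "2025-03-01T09:05:20Z", "user": "alice@example.com", "ip": "198.51.100.2", "code": 50126},
    {"time": "2025-03-01T09:05:45Z", "user": "alice@example.com", "ip": "198.51.100.2", "code": 0},
]


def parse_time(stamp: str) -> datetime:
    # fromisoformat only accepts a trailing 'Z' from Python 3.11 on; normalise it.
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def detect_spray(events, window=timedelta(minutes=15), min_users=5, max_attempts_per_user=2):
    """One alert per source IP whose failures, inside some sliding `window`, touch at
    least `min_users` distinct accounts with at most `max_attempts_per_user` failures
    each. Many failures against a single account is brute force, not spraying, and
    is deliberately left to a different rule."""
    failures = defaultdict(list)
    for e in events:
        if e["code"] != 0:
            failures[e["ip"]].append((parse_time(e["time"]), e["user"]))

    alerts = []
    for ip, evs in failures.items():
        evs.sort()
        per_user = Counter()   # failures per account inside the current window
        start = 0
        for t, user in evs:
            per_user[user] += 1
            while t - evs[start][0] > window:      # slide the window forward
                old_user = evs[start][1]
                per_user[old_user] -= 1
                if per_user[old_user] == 0:
                    del per_user[old_user]
                start += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_attempts_per_user:
                alerts.append({"ip": ip, "users": sorted(per_user),
                               "first": evs[start][0], "last": t})
                break  # one alert per IP is enough for triage
    return alerts


def successes_from_spraying_ips(events, alerts):
    """Accounts that signed in successfully from an IP flagged as spraying:
    the most likely compromised accounts and the first thing to investigate."""
    spraying = {a["ip"] for a in alerts}
    return sorted({e["user"] for e in events if e["code"] == 0 and e["ip"] in spraying})


if __name__ == "__main__":
    found = detect_spray(SAMPLE_EVENTS)
    for a in found:
        print(f"spray from {a['ip']}: {len(a['users'])} accounts between {a['first']} and {a['last']}")
    print("probable compromises:", successes_from_spraying_ips(SAMPLE_EVENTS, found))
```

On the sample data the rule flags 203.0.113.7 (five accounts, one failure each, all inside a minute) and ignores Alice’s two typos from the office. The follow-up query is the important one: the single success from the spraying address is the account whose password was guessed, and it needs a reset, session revocation and a look at its mailbox rules before anything else.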
If your credentials show up in a breach
Check haveibeenpwned.com, a free, legitimate service that tells you whether your email address appeared in a known data breach, and sign up for its notifications so you hear about the next one without having to remember to check.
If it has:
- Change the password for the breached site immediately
- Change the same password anywhere else you used it; that password is now in attackers’ wordlists, so don’t use variations of it either
- Enable MFA if it wasn’t already on
- Watch for suspicious activity on related accounts, especially password-reset emails and MFA prompts you didn’t trigger
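The site check above covers your email address. The same service also publishes its Pwned Passwords corpus behind a k-anonymity API: you send only the first five hex characters of the SHA-1 of a candidate password and match the rest of the hash locally, so the password itself never leaves your machine. This is how password managers and sign-up forms check a new password against known breaches. The Python below is an added example, not code from the page or from Have I Been Pwned; `fetch_range` is the live call, and the sample range response with its made-up counts is constructed so the example runs offline.

```python
import hashlib
import urllib.request

API = "https://api.pwnedpasswords.com/range/"


def split_hash(password: str) -> tuple[str, str]:
    """SHA-1 the password and split it into the 5-char prefix that is sent
    and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def match_suffix(range_body: str, suffix: str) -> int:
    """A range response is one 'SUFFIX:COUNT' per line for every known hash
    sharing the prefix. Return the breach count for our suffix, or 0 if absent."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str, timeout: float = 10) -> str:
    """Live lookup. Only the prefix goes over the wire; the service asks for a User-Agent."""
    req = urllib.request.Request(API + prefix, headers={"User-Agent": "pwned-password-check-example"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch=fetch_range) -> int:
    """Number of times the password appears in the corpus (0 = not found)."""
    prefix, suffix = split_hash(password)
    return match_suffix(fetch(prefix), suffix)


# Constructed stand-in for the response to /range/5BAA6 so the example runs offline.
# The middle line is the real suffix for the string "password"; the counts are made up,
# and the last line differs by one character to show that only an exact suffix counts.
SAMPLE_RANGE_5BAA6 = "\r\n".join([
    "003D68EB55068C33ACE09247EE4C639306B:3",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345678",
    "1E4C9B93F3F0682250B6CF8331B7EE68FDA:2",
])


def offline_fetch(prefix: str) -> str:
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for candidate in ("password", "correct-horse-battery-staple"):
        n = pwned_count(candidate, fetch=offline_fetch)
        verdict = f"seen {n:,} times, do not use" if n else "not in the constructed sample"
        print(f"{candidate!r}: {verdict}")
```

Swap `offline_fetch` for the default `fetch_range` to query the real service. Any non-zero count means the password is in attackers’ wordlists and should be treated exactly like a password from a breach you were personally in: stop using it everywhere, not just on one site.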
Password rotation policy
Mandatory regular password changes (every 90 days, etc.) are no longer recommended by NIST (SP 800-63B) or Microsoft. They push people to increment passwords (Summer2024! → Fall2024!), a pattern cracking rules predict trivially, and so reduce security. Change passwords when there’s a reason: a breach, a suspected compromise, or employee offboarding (where the real control is disabling the account and revoking its active sessions, since a new password alone doesn’t end sessions that are already signed in). Not on a calendar schedule.
Need help deploying a password manager or MFA policy across your organization? Contact RockIT.
Have a specific question about your setup?
Guides cover the general case. A free 30-minute review covers yours.
Schedule a Free IT Review