← Blog

Everything you were taught about passwords is changing — here's what matters now

Tenant Strike4 min read

Forced 90-day resets and complexity rules felt rigorous. Modern guidance says they actually make things worse. Here is what security experts recommend instead.

For years, good password hygiene meant: at least eight characters, a capital letter, a number, a symbol, and a reset every 90 days. A lot of businesses still enforce exactly that. It felt thorough.

It turns out most of that advice was wrong — or at least backwards. Security guidance from the U.S. National Institute of Standards and Technology (NIST) and others has moved on, and it's worth knowing what actually matters now.

The problem with forced rotation

The idea behind a 90-day reset sounds reasonable: even if a password gets stolen, it expires before too much damage is done. In practice, humans don't work that way.

When people are forced to change passwords regularly, they make small, predictable changes. Spring2024! becomes Summer2024! becomes Fall2024!. The pattern is obvious and easy to guess. The rule designed to improve security produces passwords that are weaker and more predictable than what came before.

Modern guidance — including NIST's current recommendations — says forced rotation should be dropped unless there's evidence a specific password has been compromised. Change passwords when something goes wrong, not on a calendar.

The problem with complexity requirements

Short but "complex" passwords have a similar issue. P@ssw0rd! checks the box — capital, lowercase, number, symbol — but it's one of the most common passwords on breach lists. Attackers know every substitution trick.

Length beats complexity. A passphrase — a few real words strung together, like correct-horse-battery-staple — is much harder to crack than a short string of characters that follows a guessable pattern. A 16-character passphrase is exponentially harder to brute-force than an 8-character "complex" password, even if the passphrase uses only lowercase letters.

Aim for length. Let complexity be a bonus, not the point.

The real killer: reuse

Neither of the above matters as much as this: reusing the same password — or small variations of it — across multiple sites.

Here's why it's so dangerous. Large websites get breached constantly. When they do, the stolen passwords end up for sale. Attackers take those lists and automatically try every credential against every major service. If your work email password is the same as the one you used on a shopping site that had a breach three years ago, your work account is already at risk.

This is called credential stuffing, and it's one of the most common ways accounts get compromised. The fix is simple in principle and genuinely annoying in practice: every account needs a unique password.

The practical answer: a password manager

No one can remember a unique 16-character password for every account they have. That's not a personal failing — it's arithmetic. A password manager stores all of them securely and fills them in automatically. You remember one strong master password; the app generates and stores everything else.

Options like 1Password, Bitwarden, and others work across phones and computers, and several have business plans that make it easy to share credentials within a team without emailing passwords around.

For a small business, getting the team onto a password manager is one of the higher-leverage things you can do. It solves the reuse problem for everyone, not just the people who were already being careful.

Pair it with MFA

A password manager handles the "something you know" part of logging in. Multi-factor authentication (MFA) — the code-or-app prompt after a password — adds "something you have." Together, they handle the two most common ways accounts get taken over: stolen/reused passwords and credential stuffing.

Set up a password manager. Require MFA. Those two things address the majority of the risk for most small businesses.

Where things are heading: passkeys

Passkeys are worth knowing about even if you're not ready to use them yet. They replace the password entirely — instead of a secret string you type, your device uses a cryptographic key that never leaves it. You authenticate with a fingerprint or face ID, and the website gets proof without ever seeing a password.

Microsoft 365 already supports passkeys for sign-in. They're still rolling out, and not every service supports them yet, but they're the clearest direction of travel in authentication.

For now, password manager plus MFA is the practical target. Passkeys are the natural upgrade from there.

Tenant Strike connects to your Microsoft 365 in read-only mode and checks identity settings — including whether MFA is required across all accounts and whether older sign-in paths that skip it are still open. A five-minute scan to see what your setup actually looks like, not what you assume it looks like.

AI-researched from public sources. We label AI-assisted writing — see our trust page.

See your own risk

Want this for your own Microsoft cloud?

Tenant Strike runs 100+ read-only checks across Microsoft 365 and Azure and hands you a plain-English fix for every gap. Start a 7-day Pro trial — no credit card.