Picture this: You’re about to log off and shake off the workday when PING! Yet another mandatory password change pops up on your work computer. You put in what you are sure is a new password and your computer replies, “Pick a password you have not used before.”

Instinctively, you might wonder, “Are these cybersecurity policies even worth it? Sisyphus had it easier than this.” 

The endless battle of navigating password rules is meant to protect us, but it often causes headaches. It’s essential to strike the balance between security and ease of use, or you run the risk of either frustrating your users or leaving your systems open to cybercriminals.

Cybersecurity teams shoulder the complex (and often thankless) task of safeguarding our sensitive systems, and while their controls may sometimes seem excessive, they are designed to maximize safety with the least amount of friction. 

That said, outdated security practices, like certain password policies, can create more problems than they solve. Reversing such controls is challenging, even when they are proven to be counterproductive, which is why evolving these standards is so important.

Password challenges: A history 

Passwords have been the cornerstone of digital security for decades, but their journey hasn’t been without flaws. They were once considered a simple yet effective way to restrict access. However, as technology advanced, so did the sophistication of cyberattacks. Password limitations became glaringly obvious when hackers began exploiting predictable patterns, weak encryption methods and poor user habits.

Early systems relied on short, easy-to-remember passwords, but the increase of breaches forced passwords to evolve into long-winded monstrosities. Users were required to add symbols, numbers and mixed-case letters to their passwords. Ironically, it only led to more predictable behaviors, such as replacing letters with similar-looking numbers or symbols (“O” with “0” or “A” with “@”). Hackers quickly adapted, leveraging algorithms to crack these patterns in seconds.

Then came the age of periodic password changes as another attempt to strengthen security. While the idea seemed sound, humans, it turns out, hate being forced to remember multiple, frequently changing passwords. Users often resorted to minor variations of the same password — a habit that attackers exploited. 

These historical challenges prove the need for smarter, more adaptive security measures.

Real-world examples of password failures

High-profile breaches serve as stark reminders of the risks associated with outdated password practices. 

For instance, in January 2025, edtech giant Powerschool, whose software supports more than 50 million students across the United States, reported a data breach where hackers stole almost all historical student and teacher data. A full password reset to restrict access control was one of the first motions to take charge of districts across the country. 

The 2024 Obamacare data breach exposed over 10 billion passwords posted on a hacking forum. Many of those were said to be reused by users, opening a larger window for threat actors to compromise credentials. 

But it is not just the big-name organizations that are suffering. The Center for Internet Security’s 2022 Nationwide Cybersecurity Review reported a 313% increase in endpoint security service incidents among the 3,600 local government agencies surveyed.

Clearly, modernizing password practices is critical for organizations of all sizes.

The age of periodic password changes is over

“Time to change your password!”

You’re not alone if this notification makes you want to throw things. Periodic password changes stemmed from a time when there were fewer tools to detect and mitigate breaches. Back then, changing passwords regularly helped limit the damage of compromised accounts.

Today, we have advanced monitoring systems and intrusion detection tools that basically render this practice obsolete. But it’s often easier to stick with the devil you know, so many organizations still cling to this outdated practice despite its drawbacks. 

Human behavior compounds the issue: we are not wired for randomness, and our memory limitations lead to predictable patterns, such as incrementing numbers or recycling familiar passwords. Hackers are well aware of these habits, making such approaches ineffective.

The shift toward smarter standards

So, if passwords are passé, how are you supposed to protect your organization?

The National Institute of Standards and Technology (NIST) publishes excellent cybersecurity standards and best practices for industry, government and the public. These standards provide a great framework for cybersecurity strategy and can be adopted unchanged or adapted for local controls at some point. So, NIST, among other groups, can help you get ahead of the curve in securing your business. 

NIST has recently provided updated password guidelines (SP800-63B) as part of its broader Digital Identity Guidelines. These recommendations distill years of lessons learned into actionable strategies for stronger security without unnecessary complexity.

Key changes include:

• Eliminating periodic password changes: If your initial password is strong and secure, you can say goodbye to those dreaded reminders.
• Encouraging passphrases: Instead of single words with substitutions like “P@ssw0rd,” opt for memorable, meaningful phrases — avoiding common quotes, lyrics or cliches.
• Promoting password managers: Password manager tools can generate and securely store complex, unique passwords for every account.

These updates acknowledge that complexity for its own sake doesn’t equal security. By focusing on stronger, more user-friendly solutions, organizations can enhance protection while reducing frustration.

Beyond passwords: The role of multi-factor authentication

Strengthening passwords is just one piece of the puzzle. 

Multi-factor authentication (MFA) provides an additional layer of defense, making it significantly harder for attackers to gain access. It requires users to verify their identity using two or more factors: something they know (like a password), something they have (like a smartphone) or something they are (like a fingerprint).

Technologies like Microsoft’s Windows Hello and Apple’s Face ID illustrate how biometrics and other factors combine convenience with security. App-based authenticators are also widely used and offer a higher level of protection compared to interceptable SMS-based codes. These methods ensure that even if a password is compromised, unauthorized access can still be prevented.

Implementing MFA does more than secure accounts — it helps build user confidence. After all, isn’t it more reassuring, whether you are an employee or a customer, to know your data is protected by multiple layers of security? Especially since this can translate into reduced breach-related costs and stronger trust in your brand?

Passwords are not disappearing overnight, but their role is shifting. By storing them securely in a password manager and pairing them with robust MFA solutions, we can mitigate risks and make authentication seamless.

A smarter approach to identity protection

Secure identity management isn’t just about compliance — it’s about empowering better, safer experiences for everyone. By embracing smarter password practices and innovative authentication methods, organizations can protect what matters most without compromising usability.