Password Security in 2026: What Works Now


Remember when we told everyone to use complex passwords and change them every 90 days?

That advice created terrible outcomes. People used “Password123!” and just changed it to “Password124!” every quarter. They wrote passwords on sticky notes. They reused the same password everywhere.

Password advice has evolved. Here’s what actually works now.

The Current Best Practice

The ACSC, NIST, and most security frameworks now recommend:

Long passphrases over complex passwords: “correct horse battery staple” is better than “P@$$w0rd!” (though that exact phrase is now in every cracking wordlist, so generate your own rather than copying the example)

No mandatory rotation: Unless there’s a compromise, don’t force regular changes.

Unique passwords everywhere: Every account gets a different password.

Password manager essential: Humans can’t remember unique passwords for dozens of accounts.

MFA on everything: Passwords alone aren’t enough.

This is what works. Let me explain why.

Why Length Beats Complexity

A password like “P@$$w0rd!” looks secure. It has uppercase, lowercase, numbers, symbols.

It’s actually terrible:

  • Common substitution patterns
  • Easy for attackers to guess
  • Hard for humans to remember
  • Leads to minimal variations

A passphrase like “purple-elephant-library-coffee” is:

  • Much longer (more combinations to try)
  • Easier to remember
  • Harder to crack
  • Easier to type

The math:

A 12-character password chosen at random from an 80-symbol alphabet has 80^12 possible values, about 7 × 10^22, or roughly 76 bits. A 4-word passphrase (around 25 characters) drawn at random from a 10,000-word list has 10,000^4 = 10^16 values, about 53 bits; six words takes it to about 80 bits.

So in raw search space the random 12-character password is actually the stronger of the two. The passphrase still wins in practice. Nobody picks “P@$$w0rd!” at random: it is a dictionary word with the substitutions every cracking tool applies first, so its real strength is a handful of bits, not 76. Adding a fifth or sixth word costs the user almost nothing while adding about 13 bits each. Unless a password manager generated and stores it, a “complex” password is not random, and the passphrase is both stronger and easier to use.
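To make the comparison concrete, here is a small Go program (added here as an illustration; it is not code from the original article) that computes the bits of entropy for each scheme, strips the common leet substitutions to show that “P@$$w0rd!” is just “password” in disguise, and generates a passphrase from a cryptographic random source. The wordlist and common-password list are tiny constructed samples; a real deployment would use a full diceware list and a breach corpus.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math"
	"math/big"
	"strings"
)

// entropyBits returns the search-space size in bits for a secret chosen
// uniformly at random: `length` positions, each drawn from `alphabet` symbols.
func entropyBits(alphabet, length int) float64 {
	return float64(length) * math.Log2(float64(alphabet))
}

// leetNormalize undoes the substitutions cracking tools apply as rules
// ("P@$$w0rd!" -> "password"). Real tools work forwards from the wordlist;
// reversing the mapping is enough to show the password is not random.
func leetNormalize(pw string) string {
	r := strings.NewReplacer("@", "a", "$", "s", "0", "o", "!", "")
	return strings.ToLower(r.Replace(pw))
}

// Constructed sample of a common-password list; real lists hold millions.
var commonPasswords = map[string]bool{
	"password": true, "letmein": true, "qwerty": true, "welcome": true,
}

// isDictionaryWord reports whether the password is a known word in disguise.
func isDictionaryWord(pw string) bool {
	return commonPasswords[leetNormalize(pw)]
}

// Constructed sample wordlist; a real diceware list has 7,776 words.
var wordlist = []string{
	"purple", "elephant", "library", "coffee", "anchor", "basket", "candle", "dolphin",
}

// randomPassphrase joins n words picked with crypto/rand (never math/rand for secrets).
func randomPassphrase(n int) (string, error) {
	words := make([]string, n)
	for i := range words {
		idx, err := rand.Int(rand.Reader, big.NewInt(int64(len(wordlist))))
		if err != nil {
			return "", err
		}
		words[i] = wordlist[idx.Int64()]
	}
	return strings.Join(words, "-"), nil
}

func main() {
	fmt.Printf("random 12 chars from 80 symbols: %.0f bits\n", entropyBits(80, 12))
	fmt.Printf("4 random words from 10,000:      %.0f bits\n", entropyBits(10000, 4))
	fmt.Printf("6 random words from 10,000:      %.0f bits\n", entropyBits(10000, 6))
	fmt.Printf("P@$$w0rd! is a dictionary word:  %v\n", isDictionaryWord("P@$$w0rd!"))
	pp, err := randomPassphrase(4)
	if err != nil {
		panic(err)
	}
	fmt.Println("generated passphrase:", pp)
}
```

The entropy figures only apply to the random case; the dictionary check is what tells you a human-chosen “complex” password never had 76 bits to begin with.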

Why Mandatory Rotation Failed

The theory: If passwords are changed regularly, stolen credentials have limited value.

The reality: People make minimal changes. “Summer2025!” becomes “Autumn2025!”. Attackers adapted. The security benefit was minimal.

What happened:

  • Increased password reset support costs
  • More passwords written down
  • User frustration
  • Marginal security improvement

The new approach: Change passwords when there’s a reason (suspected compromise, person leaving, etc.). Not on arbitrary schedules.

Password Managers: Non-Negotiable

Unique passwords for every account is only possible with a password manager.

For individuals:

  • 1Password
  • Bitwarden
  • Dashlane
  • Apple Passwords (built into iOS/macOS)

For business:

  • 1Password Business
  • Bitwarden Business
  • Keeper
  • LastPass Enterprise (though their 2022 breach, in which encrypted customer vault backups were stolen, should weigh on the decision)

What password managers provide:

  • Generate strong random passwords
  • Store passwords securely
  • Auto-fill credentials
  • Sync across devices
  • Secure sharing for teams

Implementation tips:

  1. Choose a solution (1Password and Bitwarden are both solid)
  2. Mandate its use for work accounts
  3. Train people how to use it
  4. Allow personal use too (improves adoption)
  5. Set up shared vaults for team credentials

MFA: The Essential Layer

Even with perfect passwords, credentials get stolen. Phishing. Keyloggers. Data breaches. Password spraying.

MFA provides the essential backup.

MFA options (ordered by strength):

Phishing-resistant (best):

  • FIDO2/passkeys
  • Hardware security keys (YubiKey)
  • (The key signs a challenge bound to the real site’s origin, so a lookalike site gets nothing it can replay)

App-based (good):

  • Authenticator apps (Microsoft Authenticator, Google Authenticator)
  • Push notifications
  • (Codes are time-limited but can still be relayed by a phishing proxy within the validity window; push prompts can be “bombed” until someone approves one, so turn on number matching where the app offers it)

SMS-based (acceptable):

  • Text message codes
  • (Better than nothing, but vulnerable to SIM swapping and to the same relay attacks as app codes)

For SMBs:

Authenticator apps are the practical choice for most accounts. Hardware keys or passkeys for high-privilege users (admins, executives, finance).

Passkeys: The Future Is Here

Passkeys are passwordless authentication using cryptographic keys.

How they work:

Instead of a password, your device holds a private key and the website stores only the matching public key. At login the site sends a random challenge, the device signs it after a local unlock (biometric or PIN), and the browser binds the signature to the site’s real origin. Nothing reusable is ever transmitted, and a lookalike site cannot produce a signature the genuine site will accept.

Benefits:

  • Nothing to phish (no password to steal)
  • Nothing to remember
  • Built into devices (phone, laptop)
  • Stronger than passwords + MFA

Current state:

Microsoft, Google, and Apple all support passkeys. Major websites are adopting them. It’s not universal yet, but it’s coming.

For SMBs:

Enable passkey support where available. Encourage adoption for high-risk accounts. Watch the ecosystem mature. One caveat: passkeys synced through an Apple, Google or Microsoft account are only as well protected as that account, so secure it with phishing-resistant MFA too.
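A stripped-down version of that challenge-response in Go, added here as an example (it is not the article’s own code and not a full WebAuthn implementation: registration, attestation and CBOR encoding are omitted, and the signature covers a hash of the client data rather than the authenticator data as in the real protocol). The origins and the Ed25519 key pair are constructed for the demonstration. It shows the property the text describes: a signature produced while the browser is on a lookalike origin does not verify at the genuine site, so a phishing page gets nothing it can replay.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// clientData is what the browser assembles: the server's challenge plus the
// origin of the page that requested the signature. The page cannot alter it.
type clientData struct {
	Challenge []byte `json:"challenge"`
	Origin    string `json:"origin"`
}

// newCredential stands in for registration: the private key stays on the
// device, only the public key is given to the site.
func newCredential() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// authenticatorSign mimics the browser and authenticator. The browser fills in
// the origin it is actually on, so a phishing site cannot claim the real one.
func authenticatorSign(priv ed25519.PrivateKey, challenge []byte, browserOrigin string) (clientDataJSON, sig []byte) {
	cd, err := json.Marshal(clientData{Challenge: challenge, Origin: browserOrigin})
	if err != nil {
		panic(err)
	}
	h := sha256.Sum256(cd)
	return cd, ed25519.Sign(priv, h[:])
}

// relyingPartyVerify is the server side: the challenge must be the one it
// issued, the origin must be its own, and the signature must be by the
// registered public key over exactly the client data it was given.
func relyingPartyVerify(pub ed25519.PublicKey, issued []byte, expectedOrigin string, clientDataJSON, sig []byte) bool {
	var cd clientData
	if err := json.Unmarshal(clientDataJSON, &cd); err != nil {
		return false
	}
	if !bytes.Equal(cd.Challenge, issued) || cd.Origin != expectedOrigin {
		return false
	}
	h := sha256.Sum256(clientDataJSON)
	return ed25519.Verify(pub, h[:], sig)
}

// loginAttempt runs one exchange with the user's browser on browserOrigin and
// the assertion delivered to the relying party at rpOrigin.
func loginAttempt(pub ed25519.PublicKey, priv ed25519.PrivateKey, browserOrigin, rpOrigin string) bool {
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		panic(err)
	}
	cd, sig := authenticatorSign(priv, challenge, browserOrigin)
	return relyingPartyVerify(pub, challenge, rpOrigin, cd, sig)
}

func main() {
	pub, priv := newCredential()
	real := "https://login.example.com"        // constructed origin
	fake := "https://login.example.com.evil.test" // constructed lookalike
	fmt.Println("genuine site:", loginAttempt(pub, priv, real, real))
	// An adversary-in-the-middle relays the assertion it collected on the
	// lookalike page to the real site; the origin inside it gives it away.
	fmt.Println("relayed from lookalike:", loginAttempt(pub, priv, fake, real))
}
```

The same structure is why a stolen server database is of little use: it contains public keys, not anything that can be replayed as a credential.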

The Credential Stuffing Problem

Attackers collect username/password combinations from breaches. They try them on other services.

If someone uses the same password for LinkedIn (breached) and their work email, attackers get in.

The solution:

Unique passwords everywhere. A password manager makes this practical.

Check exposure:

  • Have I Been Pwned (haveibeenpwned.com) shows if an email address appeared in breaches, and its Pwned Passwords service checks individual passwords without ever receiving them: only the first five characters of the password’s SHA-1 hash are sent, and the match is done locally
  • Some password managers integrate this breach checking
  • Consider ongoing monitoring for exposed credentials, and block known-breached passwords at the point where users set them
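The Go program below (an added example, not from the article) implements that k-anonymity check as a practitioner would wire it into a password-change flow: hash, split, send the prefix, match the suffix locally. The range response is a constructed sample in the API’s “SUFFIX:COUNT” format so the program runs offline; fetchRange shows the real HTTPS request against api.pwnedpasswords.com.

```go
package main

import (
	"bufio"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"io"
	"net/http"
	"strconv"
	"strings"
)

// sha1Split hashes the password and splits the upper-case hex digest into the
// 5-character prefix that is sent and the 35-character suffix that stays local.
func sha1Split(password string) (prefix, suffix string) {
	sum := sha1.Sum([]byte(password))
	h := strings.ToUpper(hex.EncodeToString(sum[:]))
	return h[:5], h[5:]
}

// fetchRange performs the real lookup. Only the prefix leaves the machine, so
// the service learns nothing that identifies the password.
func fetchRange(prefix string) (string, error) {
	resp, err := http.Get("https://api.pwnedpasswords.com/range/" + prefix)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// countInRange scans a range response (one "SUFFIX:COUNT" per line) for our
// suffix and returns how many times that password was seen in breaches.
func countInRange(rangeBody, suffix string) int {
	sc := bufio.NewScanner(strings.NewReader(rangeBody))
	for sc.Scan() {
		parts := strings.SplitN(strings.TrimSpace(sc.Text()), ":", 2)
		if len(parts) == 2 && strings.EqualFold(parts[0], suffix) {
			n, _ := strconv.Atoi(parts[1])
			return n
		}
	}
	return 0
}

// pwnedCountOffline runs the full check against an already-fetched range body.
func pwnedCountOffline(password, rangeBody string) int {
	_, suffix := sha1Split(password)
	return countInRange(rangeBody, suffix)
}

// constructedRange is a made-up excerpt in the API's format, not real data.
// The middle line carries the real SHA-1 suffix of "password" with a
// constructed count.
const constructedRange = "0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n" +
	"1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567\r\n" +
	"00D4F6E8FA6EECAD2A3AA415EEC418D38EC:4\r\n"

func main() {
	prefix, suffix := sha1Split("password")
	fmt.Println("prefix sent to the API :", prefix)
	fmt.Println("suffix matched locally :", suffix)
	fmt.Println("breach count (sample)  :", countInRange(constructedRange, suffix))
	// For a live check: body, err := fetchRange(prefix); then countInRange(body, suffix).
}
```

Reject the password (or warn the user) when the count is non-zero; the check is cheap enough to run on every password change.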

Password Policies for SMBs

Recommended policy:

Length: Minimum 14 characters (or 4+ word passphrase)

Complexity: Not required (length matters more); instead, screen new passwords against lists of known-breached and commonly used passwords and reject matches, as NIST SP 800-63B requires

Rotation: Not required unless compromised

Reuse: Prohibited (password manager required)

MFA: Required on all work accounts

Password manager: Mandated for business use

Passkeys: Encouraged where available

Shared Credentials

Some accounts can’t have individual logins. Social media accounts. Legacy systems. Vendor portals.

Managing shared credentials:

  • Store in password manager shared vault
  • Limit access to those who need it
  • Audit access regularly
  • Change when people leave the team
  • Document who has access

Avoid:

  • Sharing via email or chat
  • Storing in spreadsheets
  • Unchanged passwords for years
  • Everyone knowing all shared passwords

Local Admin Passwords

Every Windows workstation has a built-in local Administrator account. If they all share the same password, one compromised machine gives an attacker a credential (or its hash) that works on every other machine: a classic lateral-movement path.

Solution: LAPS (Local Administrator Password Solution)

Microsoft’s free tool, now built into supported versions of Windows as Windows LAPS, that:

  • Generates a unique random password per machine
  • Rotates it automatically on a schedule, and can reset it after each use
  • Stores it in Active Directory or Entra ID, with retrieval controlled and auditable through directory permissions
  • Lets authorised admins retrieve it when needed

If you’re in a Windows environment and not using LAPS, implement it. It’s free and essential.

Service Account Passwords

Service accounts (used by applications, not people) have special considerations:

Risks:

  • Often have elevated privileges
  • Rarely changed
  • Stored in configuration files
  • Hard to track usage

Best practices:

  • Unique, strong passwords (generated, not chosen)
  • Store securely (vault, not code)
  • Change when staff with knowledge leave
  • Monitor for unusual activity
  • Use Group Managed Service Accounts (gMSA) in Active Directory, or managed/workload identities in cloud platforms, where possible: the platform rotates the secret and no human ever knows it

Training and Awareness

Technical controls matter, but so does user behaviour.

Key messages:

  1. Use the password manager for everything
  2. Don’t share passwords via email or chat
  3. Report suspected compromises immediately
  4. Accept MFA prompts only for your own logins
  5. Watch for unusual login alerts

Make it easy:

If using good practices is harder than bad practices, people will choose bad practices. Make the secure path the easy path.

Working with IT Providers

If you use managed services, password and authentication management should be discussed.

Questions to ask:

  • How are admin credentials managed?
  • What MFA is required for accessing our systems?
  • How are shared credentials handled?
  • What happens when your staff leave?
  • Is LAPS implemented on our workstations?

Your provider’s credential practices affect your security.

Incident Response for Compromised Credentials

When credentials are (or might be) compromised:

Immediate:

  • Reset the password
  • Revoke active sessions and refresh tokens (a password reset alone does not end sessions the attacker already has)
  • Review recent activity on the account
  • Enable MFA if not already present
  • Check for persistence: backdoor accounts, mailbox forwarding rules, MFA methods or devices the attacker registered, and OAuth application consents

Investigation:

  • How was the credential compromised?
  • What did the attacker access?
  • Are other accounts at risk?

Improvement:

  • Address the root cause
  • Update controls if needed
  • Train if human factors were involved

Getting Help

Password and authentication security is foundational. AI consultants Melbourne and similar specialists can help:

  • Assess current authentication practices
  • Implement password managers and MFA
  • Deploy LAPS and privileged access management
  • Establish policies and training

The investment in getting authentication right pays off in reduced incidents and better security posture.

Quick Wins

This week:

  • Enable MFA on any accounts without it
  • Deploy a password manager if you don’t have one
  • Turn off mandatory password rotation

This month:

  • Implement LAPS if using Windows
  • Review admin and shared credentials
  • Update password policy to current best practices

This quarter:

  • Train staff on password manager use
  • Audit MFA coverage
  • Explore passkey adoption

Final Thought

Password security has evolved. The old rules created more problems than they solved.

The new approach: long passphrases, password managers, MFA everywhere, passkeys where available.

Working with specialists like Team400 can help implement these practices properly. But the fundamentals are straightforward: make good password practices easy, make MFA mandatory, and plan for a passwordless future.

The businesses that get this right close off one of the most common attack vectors. That’s worth the effort.