Let’s Talk About Passwords (Just Passwords)


As our lives and businesses become increasingly digital, the number of passwords we need to manage keeps growing. From logging into your email to accessing cloud services, banking platforms, and internal systems, passwords are everywhere. And with the rise in cyber threats, the pressure to make those passwords “stronger” has never been greater.

But here’s the twist: the traditional approach to password strength might actually be making things worse.

The Problem with “Strong” Passwords

Historically, businesses have enforced password policies that demand:

  • Long passwords
  • Regular password changes
  • Inclusion of symbols, numbers, uppercase and lowercase letters
  • Restrictions on reusing any of your last 20 passwords

Sounds secure, right? Not quite.

What happens in reality is that users start writing passwords down, or they fall into predictable patterns:

  • Replacing o with 0, i with 1, s with 5
  • Adding an exclamation mark at the end
  • Incrementing a number each time the password expires

Cyber attackers know this. Their password-guessing tools are built around exactly these predictable behaviours.

What the Experts Say

According to the National Cyber Security Centre (NCSC), complexity requirements and regular password expiry are no longer recommended. Here’s why:

“Using complexity requirements… is a poor defence against guessing attacks. It places an extra burden on users… Attackers are familiar with these strategies and use this knowledge to optimise their attacks.”

— NCSC Password Guidance

Instead, the NCSC recommends:

  • No complexity requirements
  • No regular password expiry
  • Greater minimum password length
  • Encouraging passphrases or the ‘three random words’ technique

A Better Way Forward

At The Virtual IT Director, we recommend configuring your internal password policy to:

  • Require passwords longer than 14 characters
  • Turn off password expiration
  • Not require symbols, numbers, or mixed case

Instead, encourage your team to use:

  • Passphrases (e.g., ‘I hide snacks from my kids’ or ‘IOnceLosttoaSquirrel’)
  • Or the Three Random Words method (e.g., ‘apple river jacket’)

This approach:

  1. Strengthens your cyber security
  2. Makes life easier for your team — easier to remember, easier to type, harder to guess and yes, spaces are allowed in most cases.

Still Not a Fan of Long Passwords?

If you’re logging into the same computer every day, there’s good news: Windows Hello is your friend.

Windows Hello lets you log in using:

  • A PIN (say, 6 digits)
  • Fingerprint (if supported by your device)
  • Facial recognition (if supported by your device)

Not only is this easier, but it’s also more secure. Your PIN:

  • Only works on your device
  • Can’t be used elsewhere on the network
  • Adds an extra layer of protection

Need Help Thinking of a Passphrase?

We’ve got you covered. On our website, we offer a completely free, no-ads, no-strings password generator to help you come up with secure, memorable passwords using the three random words technique.
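As an added example (not the generator on The Virtual IT Director website, nor any of its code), here is the advice from the previous sections in Python: a three-random-words generator that draws from a cryptographic random source, an entropy estimate for the chosen word pool, and a policy check that enforces only the rules recommended above (longer than 14 characters, no symbol/number/case requirements, no expiry) plus a denylist of known-bad passwords. The word list and denylist are small constructed placeholders; a real deployment would load a few thousand common words and a proper breached-password list.

```python
import math
import secrets

# Constructed sample word list (placeholder). A real generator would load a
# few thousand common words; the entropy estimate uses the pool size.
WORDS = ["apple", "river", "jacket", "squirrel", "snack", "window", "copper",
         "meadow", "pencil", "harbour", "ladder", "thunder", "velvet", "orbit"]

# Constructed denylist (placeholder). Note that "P@55w0rd1!" would satisfy
# every classic complexity rule yet is exactly the kind of predictable
# substitution attackers try first.
COMMON_PASSWORDS = frozenset({"password", "password1", "p@ssw0rd", "p@55w0rd1!",
                              "letmein123!", "welcome1!", "qwerty123"})


def three_random_words(words=WORDS, count=3, sep=" "):
    """Pick `count` words with secrets (CSPRNG), never random.choice.

    Spaces are a fine separator: most systems accept them, and they make
    the passphrase easier to read and type."""
    return sep.join(secrets.choice(words) for _ in range(count))


def entropy_bits(pool_size, picks):
    """Guessing entropy in bits for `picks` independent draws from a pool.

    This only applies to words chosen at random; a human-chosen phrase
    built from predictable substitutions has far less entropy than the
    character set alone would suggest."""
    return picks * math.log2(pool_size)


def meets_policy(password, min_length=15, denylist=COMMON_PASSWORDS):
    """Policy from the article: longer than 14 characters, no complexity
    rules. Returns (accepted, reason). Rejects only on length and on
    appearing in the denylist; symbols, digits and case are not checked."""
    if len(password) < min_length:
        return False, "shorter than 15 characters"
    if password.strip().lower() in denylist:
        return False, "commonly used password"
    return True, "ok"


if __name__ == "__main__":
    phrase = three_random_words()
    print(phrase, meets_policy(phrase))
    # Three words from a 7776-word list (a common wordlist size):
    print(round(entropy_bits(7776, 3), 2), "bits")
```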


Let’s make life simpler. Keep cybercriminals out. And stop making passwords harder than they need to be.

Note:

We want to be clear: we’re not disregarding the enormous benefits of Multi-Factor Authentication (MFA), hardware security keys, or passwordless login methods. These are all powerful tools in the fight against cyber threats and absolutely deserve their own spotlight.

But in this article, we’ve chosen to focus solely on passwords — because they’re still a fundamental part of our digital lives, and they deserve some attention too.

Passwords need love too!
