Modern Password Security: Why Everything You Were Taught Is Wrong
I spent years following password rules that made security worse. Change passwords every 90 days, use uppercase, lowercase, numbers, and symbols, never reuse passwords. I created “Spring2025!”, “Summer2025!”, “Fall2025!” and felt secure.
Then I checked those “secure” passwords against breach databases. Every single one appeared in credential dumps available to anyone willing to look. The rules designed to protect me were training me to be predictable.
Traditional Password Rules Create Weak Passwords
The password rules everyone follows:
- Minimum 8 characters
- Uppercase + lowercase + number + symbol
- Change every 60-90 days
- Don’t reuse passwords
Sound familiar? These rules produce predictable patterns:
- Capital letter first (human nature)
- Numbers at the end (easiest place to increment)
- Common substitutions (@ for a, 0 for o, 3 for e)
- Seasonal or incremental changes (Spring2025 → Summer2025 → Fall2025)
Attackers know these patterns. Cracking wordlists already contain them, and tools like hashcat and John the Ripper ship rule sets that generate exactly these mutations (capitalize the first letter, append digits and a symbol, substitute @ for a and 0 for o) from plain dictionary words, so the "complex" version costs the attacker almost nothing extra.
When I audited my own passwords against Have I Been Pwned, passwords I thought were strong—“P@ssw0rd!”, “Welcome123!”, “Summer2024!"—all appeared in breach databases. Millions of other people followed the same rules and created the same passwords.
What Actually Works
Length Beats Complexity
Compare these passwords:
“P@ssw0rd1”
- 9 characters
- Meets all complexity requirements
- Appears in common cracking wordlists
- Cracked instantly: no brute force is needed when the guess is already on the list
“my first car was a blue honda civic”
- 35 characters
- No special characters
- Easy to remember
- Would take billions of years to brute-force character by character; even an attacker who guesses whole words from a list still has eight words to get right, in order
The difference isn’t close. Every additional character makes brute force exponentially harder, and every additional word does the same to a wordlist attack. A 20+ character passphrase beats any 8-character complex password, even if it’s just regular words, as long as it isn’t a famous quote, lyric or title that already sits in those wordlists.
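The two numbers that matter here are the keyspace an attacker must search character by character and the keyspace of a whole-word attack, which is how real crackers go after phrases. The script below is an added example, not code from the original post. It models both for the two passwords above. The guess rate (1e11 guesses per second, roughly a multi-GPU rig against a fast unsalted hash) and the 10,000-word dictionary are assumptions chosen to make the comparison concrete; real numbers vary with the hash algorithm and the attacker's wordlist.

```python
import math
import string

# Assumptions for this example: attacker throughput and the size of the
# common-word list a cracker would combine to guess a passphrase.
GUESSES_PER_SECOND = 1e11
DICTIONARY_SIZE = 10_000
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def charset_size(password: str) -> int:
    """Size of the smallest class alphabet that covers the password.
    An attacker who knows only 'which classes are present' must search it."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 ASCII symbols
    if " " in password:
        size += 1
    return size


def brute_force_bits(password: str) -> float:
    """Entropy against a character-by-character search of the class alphabet."""
    return len(password) * math.log2(charset_size(password))


def wordlist_bits(password: str, dictionary_size: int = DICTIONARY_SIZE) -> float:
    """Entropy against an attacker who guesses whole words from a list.
    A single mangled word ('P@ssw0rd1') is one dictionary entry plus a few
    bits for the mangling rule, which is why it falls almost instantly."""
    words = password.split()
    return len(words) * math.log2(dictionary_size)


def years_to_exhaust(bits: float) -> float:
    """Worst-case time to search the whole keyspace at GUESSES_PER_SECOND."""
    return 2 ** bits / GUESSES_PER_SECOND / SECONDS_PER_YEAR


def compare(password: str) -> dict:
    """Both attack models side by side for one password."""
    b, w = brute_force_bits(password), wordlist_bits(password)
    return {
        "length": len(password),
        "brute_force_bits": round(b, 1),
        "brute_force_years": years_to_exhaust(b),
        "wordlist_bits": round(w, 1),
        "wordlist_years": years_to_exhaust(w),
    }


if __name__ == "__main__":
    for pw in ("P@ssw0rd1", "my first car was a blue honda civic"):
        print(repr(pw), compare(pw))
```

Against brute force the 9-character password comes in around 59 bits (months of work even for a large rig), but its wordlist entropy is about 13 bits, which is the attack that actually lands. The 35-character phrase is over 160 bits against brute force and still over 100 bits against an 8-word dictionary attack, which is why the word count, not the symbol count, is what to grow.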
Check Passwords Against Breach Databases
Over 12 billion credentials have been exposed in data breaches. Your password might already be compromised without you knowing.
Check your email address:
- Visit Have I Been Pwned
- Enter your email address
- See which breaches exposed your data
- Change passwords on those accounts immediately
To check an individual password, use the site’s separate Pwned Passwords search. That lookup uses k-anonymity: your browser hashes the password with SHA-1 and sends only the first 5 hex characters of that hash. The service returns every hash suffix it holds for that prefix, and the comparison happens on your machine. Your password never leaves your device.
When I first checked, I found my email in 8 breaches. Accounts I’d forgotten about had exposed credentials years ago. I was still using variations of those passwords everywhere.
Stop Changing Passwords on a Schedule
Forced password rotation every 90 days seems logical. In practice:
- Users make minimal changes (Password1 → Password2)
- People write passwords down to remember them
- Password strength decreases with each rotation
- Everyone does it on the same schedule (end of quarter)
Better approach: Change passwords when they’re actually compromised:
- Appears in a new breach database
- Suspicious account activity
- You typed it on an untrusted device
- Service announces a data breach
I stopped rotating passwords on a schedule. Instead, I:
- Set up breach monitoring alerts
- Use unique passwords per site (password manager)
- Change immediately when there’s a reason
Result: Stronger passwords, less frustration, better security.
Use Passphrases, Not Passwords
Create passphrases from personal facts only you know:
- “I graduated from Ohio State in 2010 go buckeyes”
- “My first concert was Tool in Cleveland 2006”
- “I adopted my cat Luna from the shelter in 2018”
Why this works:
- 40+ characters = far beyond the reach of a character-by-character brute force
- Personally meaningful = easy to remember
- A sentence you made up, not a quote or lyric = not in any wordlist; the individual words are, but the attacker has to guess the whole combination in order
- Unique to you = won’t appear in breach databases (just don’t build it from facts you’ve posted publicly, since a targeted attacker reads those too)
Why people don’t do this:
- Websites enforce 16-character maximums (bad design)
- Forms reject spaces (also bad design)
- People think complexity = security
If a site won’t accept a long passphrase, it has poor security engineering.
Block Common and Compromised Passwords
Some passwords should never be accepted:
Obviously weak:
- password, 123456, qwerty
- Company name + year
- Sports teams
- Keyboard patterns (asdfgh, qazwsx)
Previously breached:
- Any password in breach databases
- Leaked credential lists
- Common password dumps
When creating a password, services should check:
- Is it at least 12 characters long?
- Does it appear in breach databases?
- Is it a known common password?
Reject it if the answer to #1 is no, or to #2 or #3 is yes. The length requirement blunts brute force; the breach and blocklist checks stop credential stuffing and the first guesses of any wordlist attack. This is also what NIST SP 800-63B asks of verifiers: screen new passwords against lists of compromised and commonly used values instead of imposing composition rules.
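This is what the k-anonymity lookup described above and the three policy checks look like when a service implements them. The code below is an added example, not code from the original post or from Have I Been Pwned. The blocklist, the breach count and the two extra hash suffixes in the fake bucket are constructed for the demo; the only real value is the SHA-1 of "password", which the code computes itself. The `fetch_range_live` function shows the real API call (with the `Add-Padding` header that stops response size from leaking which bucket matched) but is not used by the offline run.

```python
from __future__ import annotations

import hashlib
from typing import Callable

# Constructed blocklist for the example; a real deployment loads a large
# list (e.g. the Pwned Passwords download or a "top 100k" list) instead.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "welcome123!", "p@ssw0rd!", "summer2024!"}
MIN_LENGTH = 12


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase hex SHA-1 into the 5-char prefix that is sent to
    the service and the 35-char suffix that never leaves this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Parse a Pwned Passwords range response ("SUFFIX:COUNT" per line) and
    return the breach count for our suffix, or 0 if it is absent.
    Padded responses contain lines with count 0; they parse the same way."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """k-anonymity lookup: only the hash prefix is handed to fetch_range."""
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range(suffix, fetch_range(prefix))


def fetch_range_live(prefix: str) -> str:
    """Real fetcher against the public API (not called by the offline demo)."""
    import urllib.request
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "password-policy-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed offline stand-in for the API: one bucket holding the real SHA-1
# suffix of "password" (the count 3730471 is made up) plus two invented suffixes.
_PW_PREFIX, _PW_SUFFIX = sha1_prefix_suffix("password")
FAKE_BUCKETS = {
    _PW_PREFIX: (
        "0018A45C4D1DEF81644B54AB7F969B88D65:3\n"
        f"{_PW_SUFFIX}:3730471\n"
        "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2\n"
    ),
}


def fetch_range_fake(prefix: str) -> str:
    return FAKE_BUCKETS.get(prefix, "")


def validate_password(password: str,
                      fetch_range: Callable[[str], str] = fetch_range_fake) -> list[str]:
    """Return the reasons a password is rejected; an empty list means accepted.
    Cheap local checks run first, the network lookup last."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("on the common-password blocklist")
    seen = pwned_count(password, fetch_range)
    if seen:
        reasons.append(f"seen {seen} times in breach data")
    return reasons


if __name__ == "__main__":
    for pw in ("password", "Summer2024!", "my first car was a blue honda civic"):
        print(repr(pw), validate_password(pw) or "accepted")
```

Passing the fetcher in as a parameter keeps the policy logic testable without network access and makes the privacy boundary explicit: `fetch_range` only ever sees the five-character prefix.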
Multi-Factor Authentication: The Essential Layer
Passwords alone aren’t enough. Even a strong password can be phished, keylogged, or shoulder-surfed.
MFA adds a second factor attackers can’t easily steal:
MFA Methods Ranked
Most secure → Least secure:
1. Hardware security keys (YubiKey, Titan Key)
- Phishing-resistant: the key signs a challenge bound to the site’s real origin, so a lookalike domain gets nothing it can replay
- No codes to intercept
- Physical possession required
2. Authenticator apps (Authy, Microsoft Authenticator, Google Authenticator)
- Generate time-based codes (TOTP) from a secret stored on the device
- Work offline
- Codes never travel over the phone network, so SIM swapping doesn’t help an attacker
- Still phishable: a real-time proxy site can relay the code before it expires
3. Push notifications
- Convenient
- Risk: users approve without checking
- Vulnerable to push fatigue (repeated prompts until one is approved); number matching reduces this
4. SMS codes
- Better than nothing
- Vulnerable to SIM swapping
- Phone number can be ported by attackers
Avoid SMS for important accounts. Attackers can convince your carrier to transfer your number to a new SIM card, intercepting all SMS codes.
I use hardware keys for critical accounts (email, password manager) and authenticator apps for everything else. SMS only when no other option exists.
Enable MFA Everywhere It’s Available
Priority order:
- Email (controls password resets for other accounts)
- Password manager (master key to everything)
- Financial (banks, investment accounts, PayPal)
- Social media (prevent account takeover)
- Everything else
If an account offers MFA and you’re not using it, you’re one breach away from account takeover.
Password Managers: Essential Tool
Remembering unique 20+ character passwords for every account is impossible. Password managers solve this:
What they do:
- Generate random passwords (20-50 characters)
- Store passwords encrypted
- Auto-fill login forms
- Sync across devices
- Alert when passwords appear in breaches
Options:
- Bitwarden (open source, free tier, $10/year premium)
- 1Password (polished, family sharing, $3/month)
- KeePass (offline, completely local, free)
The one password you must remember: the master password for the password manager itself.
Make it a long passphrase:
- “I graduated from Ohio State in 2010 and my first car was a blue Honda Civic”
- 75 characters
- Impossible to forget
- Out of reach of brute force and word-combination attacks alike; the realistic risk is someone who can guess the facts, so never use a sentence you’ve published anywhere (including one copied from a blog post like this one)
Everything else can be randomly generated:
“kJ8$mN2#pL9@vR5&wX3!qZ7”
- Unique per site
- No need to remember
When I switched to a password manager, I went from reusing 5-6 passwords across 100+ accounts to having unique passwords everywhere. Security increased dramatically while cognitive load decreased.
Breach Monitoring
Set up automated monitoring:
Email alerts:
- Have I Been Pwned - Free email notifications
- Password managers (most include breach monitoring)
Browser extensions:
- Check if site passwords are compromised
- Alert during sign-in if password is weak
When you get an alert:
- Change password immediately
- Check other accounts for reuse
- Enable MFA if not already enabled
- Review recent account activity
I’ve received 3 breach alerts in the past year. Each time, I changed the password within minutes. No account takeovers, no damage.
What I Actually Do
My current password security:
- Passphrase for password manager: 70+ characters, personally meaningful
- Unique passwords per site: Random 25-character strings generated by password manager
- MFA everywhere: Hardware key for email/password manager, authenticator apps for everything else
- Breach monitoring: Automated alerts from Have I Been Pwned
- No password rotation: Change only when compromised
Results:
- Zero account takeovers in 5+ years
- No password reuse across any accounts
- Every password unique and strong
- Less mental overhead than before
Common Objections
“Password managers are a single point of failure”
True, but:
- The vault is encrypted with a key derived from your master password (a stolen vault is an offline cracking target, which is exactly why the master passphrase has to be long)
- Protected by MFA (can’t log in to the vault service without the second factor)
- Better than reusing weak passwords everywhere
An attacker would have to both obtain your encrypted vault and crack the master passphrase offline. With a long passphrase that is far less likely than credential stuffing succeeding against reused passwords.
“I can’t remember passphrases”
You remember:
- Your childhood address
- Your first pet’s name
- Your favorite teacher from grade school
- Where you went on your first date
Combine these into a sentence. That’s your passphrase.
“This is too much work”
Setup takes one weekend:
- Install password manager
- Create strong master password
- Import existing passwords
- Replace weak passwords as you use sites
- Enable MFA on critical accounts
Maintenance: close to zero. The password manager generates, stores and fills everything; your only recurring job is acting on breach alerts.
“SMS MFA is fine”
Until someone SIM swaps your number:
- Attacker calls carrier pretending to be you
- “I lost my phone, transfer my number to new SIM”
- Carrier complies (happens frequently)
- Attacker receives all your SMS codes
Happened to a colleague. Lost access to email, banking, and social media in under an hour. Uses authenticator apps now.
Key Takeaways
What actually improves password security:
- Length over complexity: 20+ characters beats uppercase+lowercase+number+symbol
- Unique passwords everywhere: Password manager generates and remembers them
- Breach monitoring: Know when passwords are compromised
- No scheduled rotation: Change when there’s a reason, not on a calendar
- MFA everywhere: Preferably hardware keys or authenticator apps, avoid SMS
- Passphrases over passwords: Easier to remember, harder to crack
Traditional rules (8 chars, complexity, rotation) create weak passwords. Modern approaches based on how breaches actually happen work better.
The goal isn’t following rules. It’s preventing unauthorized access. Long unique passwords + breach monitoring + MFA accomplish this better than “P@ssw0rd!” rotated quarterly.