
For decades, the standard advice for password security was to create passwords with uppercase and lowercase letters, numbers, and special characters, change them every 90 days, and never write them down. That guidance is now outdated. Security research, real-world breach analysis, and updated guidance from NIST, Microsoft, and other authorities have fundamentally changed what we know about effective password security. In 2025, the best password practices look very different from what most people learned.
Why the Old Rules Failed
Traditional password policies were well-intentioned but produced predictable human behavior that attackers exploited:
Forced complexity bred predictable patterns. When required to use uppercase, lowercase, numbers, and symbols, most people followed the same pattern: capitalize the first letter, add numbers at the end, and append a symbol. "Password1!" meets every complexity requirement but is trivially cracked.
Frequent rotation led to weaker passwords. When forced to change passwords every 90 days, people made minimal changes: "Summer2024!" became "Fall2024!" became "Winter2025!" Attackers who cracked one could predict the next.
Prohibiting written passwords caused reuse. Unable to remember dozens of complex, frequently changing passwords, people reused the same password or simple variations across multiple accounts. One breach then compromised many accounts.
Complexity requirements did not increase entropy meaningfully. An 8-character password with forced complexity has less entropy than a simple 16-character passphrase. The complexity rules gave a false sense of security.
Modern Password Guidance (NIST SP 800-63B)
The National Institute of Standards and Technology (NIST) updated its Digital Identity Guidelines to reflect current research. Key changes include:
Favor length over complexity. A minimum of 8 characters is required, but 15 or more is recommended. Longer passwords are harder to crack than shorter complex ones.
Do not require arbitrary complexity rules. Forcing uppercase, numbers, and symbols is no longer recommended because it leads to predictable patterns without significantly improving security.
Do not require periodic password changes. Passwords should be changed only when there is evidence of compromise, not on an arbitrary schedule.
Screen passwords against known breaches. New passwords should be checked against databases of compromised passwords (like Have I Been Pwned) and rejected if they appear.
Allow all printable characters and spaces. Do not restrict which characters can be used in passwords. Support long passphrases including spaces.
Do not use password hints or knowledge-based authentication. Security questions are easily researched and should not be used as a recovery mechanism.
Passkeys: The Future of Authentication
Passkeys represent the most significant advancement in authentication technology in decades. Based on the FIDO2/WebAuthn standard, passkeys replace passwords entirely with public-key cryptography:
How passkeys work: When you register with a service, your device generates a public-private key pair. The service stores the public key. When you log in, your device uses the private key to sign a challenge from the service. The private key never leaves your device and is never transmitted over the network.
Phishing immunity: Passkeys are bound to the specific website domain. A phishing site cannot request a passkey created for the legitimate site because the domain does not match. This eliminates phishing for credentials entirely.
No shared secrets: Unlike passwords, there is nothing stored on the server that an attacker could steal and use to impersonate you. The server has only the public key, which is useless without the corresponding private key.
Biometric or PIN unlock: Passkeys are protected on your device by biometric authentication (fingerprint or face recognition) or a device PIN. You authenticate to your device, and your device authenticates to the service.
Cross-device sync: Apple, Google, and Microsoft all support syncing passkeys across devices through their respective ecosystems (iCloud Keychain, Google Password Manager, Windows Hello).
Major services including Google, Apple, Microsoft, Amazon, PayPal, and many others now support passkeys. Adoption is accelerating rapidly. Where passkeys are available, they are the recommended authentication method.
Password Managers: Essential Until Passkeys Are Universal
Until passkeys are supported everywhere (which may take several more years), password managers remain essential. A password manager:
Generates truly random passwords of any length for each account
Stores passwords in an encrypted vault protected by a single master password
Auto-fills credentials, saving time and protecting against phishing
Syncs across all your devices
Identifies weak, reused, and breached passwords
Stores passkeys alongside traditional passwords during the transition period
Recommended password managers include 1Password, Bitwarden, and Dashlane. All offer individual, family, and business plans. The specific manager matters less than actually using one consistently.
Multi-Factor Authentication: Your Critical Safety Net
Even the best password practices cannot prevent all compromise. Multi-factor authentication ensures that a stolen password alone is not enough to access your account. MFA should be enabled on every account that supports it, with these methods ranked from most to least secure:
Hardware security keys (FIDO2): Physical devices like YubiKeys. Phishing-resistant and the most secure option.
Passkeys: When used as a second factor, they provide strong, phishing-resistant verification.
Authenticator apps: TOTP codes from apps like Microsoft Authenticator, Google Authenticator, or Authy. A stolen password alone is not enough to get in, but the codes can be phished and relayed in real time.
Push notifications with number matching: Notifications that require you to enter a number displayed on the login screen. More secure than simple approve/deny push.
SMS codes: Better than no MFA but vulnerable to SIM-swapping attacks. Use only when no better option is available.
Your 2025 Password Security Action Plan
Here is what to do right now to bring your password security up to date:
Adopt a password manager if you have not already. Import your existing passwords and begin using generated passwords for all accounts.
Enable passkeys on every service that supports them (Google, Apple, Microsoft, Amazon, PayPal, and more).
Enable MFA on all accounts, prioritizing email, financial services, and social media.
Run your password manager's security audit to identify weak, reused, and breached passwords. Replace them with generated passwords.
Stop using security questions as a recovery mechanism. Use random answers stored in your password manager instead.
Check Have I Been Pwned to see if your email addresses appear in known breaches and change any compromised passwords.
Bellator Cyber Guard helps individuals and organizations modernize their authentication practices. From deploying password managers and passkeys to implementing enterprise-grade MFA and training users on modern security practices, we provide practical guidance that reflects how authentication actually works in 2025. Contact us at guard@bellatorit.com to upgrade your password security.