Let’s take a look at what makes a password strong, the concept of password entropy and how it affects security. We’ll also examine what some of the best practices for creating and managing passwords look like and finally cover some outdated rules that many organisations still think are best practice but may actually be causing more harm than good.   

The Three Key Factors of Password Strength

A strong password is one that is hard to guess, difficult to crack and long enough to provide substantial protection. Here are some key characteristics of a strong password: 

  • Length: The longer your password, the harder it is to crack. A strong password should be at least 12 characters long. This is one of the most important factors. 
  • Complexity: Use a combination of uppercase and lowercase letters, numbers and special characters (e.g. !, @, #, or &). 
  • Unpredictability: Avoid using easily guessable information like your name, birth date or common words like “password” or “123456”. 

A common tactic for making a password more secure is to replace characters of a word with a similar-looking special character or number, such as “P@55w0rd”. Whilst this does technically make the password more secure than just using “password”, password-cracking tools routinely try these substitutions automatically, so it is still best to avoid such easily guessable and common words or phrases even when doing this. 

Password Entropy and Why It Matters 

One important factor in a password’s strength is entropy. At a high level, entropy refers to the level of randomness in your password. The higher your entropy, the harder it is for a cybercriminal to guess or crack your password.  

For example: 

  • Low-entropy passwords (like “password123” or “qwerty”) are easy for cybercriminals to crack using automated tools because they follow common patterns or use easily guessable information. 
  • High-entropy passwords (like “7!>@WEUe9=N=” or, even better, “Prude-scalar-dire-notable”) are much harder to crack because they don’t follow common patterns and have more randomness.  

The more unpredictable and random your password is, the higher its entropy – and the stronger your password will be. 
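The two ways of counting entropy described above, as an added example that is not code from the original article: a naive per-character estimate beside a rough attacker's-eye estimate that undoes “P@55w0rd”-style substitutions before scoring. The tiny common-word list, the substitution table and the scoring rule are assumptions for illustration only.

```python
import math
import re
import string

# Character pools for the naive "every character is uniformly random" estimate.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = string.punctuation
POOLS = (LOWER, UPPER, DIGITS, SYMBOLS)

# Constructed, deliberately tiny list standing in for the millions of leaked
# passwords a real cracking wordlist holds (an assumption for illustration).
COMMON_WORDS = {"password", "qwerty", "letmein", "welcome", "iloveyou",
                "dragon", "monkey", "football"}
# Look-alike substitutions that cracking tools undo with standard mangling rules.
LEET = str.maketrans({"@": "a", "4": "a", "5": "s", "$": "s", "0": "o",
                      "1": "i", "!": "i", "3": "e", "7": "t"})


def naive_entropy_bits(password: str) -> float:
    """Optimistic estimate: length x log2(size of the pools the password touches)."""
    size = sum(len(p) for p in POOLS if any(c in p for c in password))
    return len(password) * math.log2(size) if size else 0.0


def pattern_aware_entropy_bits(password: str) -> float:
    """Rough attacker's-eye estimate (an assumed model). If undoing leet-speak,
    capitalisation and a trailing run of digits yields a common word, the guess
    space is just the wordlist times the cheap variations: about one bit per
    altered character and log2(10) per trailing digit. Otherwise fall back to
    the naive estimate, since no cheap pattern was found."""
    core, digits = re.fullmatch(r"(.*?)(\d*)", password).groups()
    if core.translate(LEET).lower() not in COMMON_WORDS:
        return naive_entropy_bits(password)
    altered = sum(1 for c in core if c.isupper() or c.translate(LEET) != c)
    return math.log2(len(COMMON_WORDS)) + altered + len(digits) * math.log2(10)


def compare(password: str) -> dict:
    """Both estimates side by side, rounded to whole bits."""
    return {"password": password,
            "naive_bits": round(naive_entropy_bits(password)),
            "pattern_aware_bits": round(pattern_aware_entropy_bits(password))}


if __name__ == "__main__":
    for pw in ("password123", "P@55w0rd", "7!>@WEUe9=N=", "correcthorsebattery"):
        print(compare(pw))
```

The gap between the two numbers for “P@55w0rd” is the point of the section: a strength meter that only counts character classes sees a respectable score, while an attacker who knows the substitution pattern sees a handful of bits.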

Password Best Practices 

To help protect your accounts, follow these best practices when creating and managing passwords: 

  • Use a passphrase: A passphrase is a string of random words or a sentence that’s easy to remember but hard to guess. As with the examples given in the previous section for high-entropy passwords, the passphrase example is actually considered to have a higher entropy rating than its random-character counterpart. For another example, “Break-Cosmos-River%9” is much stronger than “£b£t9}.Rs33”. 
  • Avoid reusing passwords: Never use the same password for multiple accounts, even if it’s a strong password. If one account gets hacked, all your accounts would be at risk of compromise too. 
  • Changing your password as needed: Whilst it’s not necessary to change passwords frequently (although we will touch on this later), you should change them immediately if you suspect your account has been compromised. 
  • Use multi-factor authentication: Regardless of how strong your password is, it is always best practice to back it up with an extra layer of defence using multi-factor authentication. 
  • Use a password manager: Password managers are tools that securely store and generate complex, unique passwords for your accounts. Some password managers will also notify you if your password has been compromised. 

Multi-Factor Authentication (MFA): An Extra Layer of Protection 

Even with strong passwords, there’s always a chance that someone could gain access to your account. That’s where Multi-Factor Authentication (MFA) comes in. MFA adds an extra layer of security by requiring more than just your password to log in. 

With MFA, you usually need two or more of the following: 

  • Something you know (your password) 
  • Something you have (a code sent to your phone or an authenticator app) 
  • Something you are (a fingerprint or face scan) 

So, even if someone steals your password, they will still need to access your phone or biometrics to get into your account. This extra step makes it much harder for cybercriminals to break in.  

Outdated Password Rules: What’s No Longer Recommended 

As cybersecurity has evolved, so have recommendations around password practices. While many password rules from the past were once considered necessary for security, they’ve since been found to either be ineffective or even counterproductive. Here are some outdated rules that are no longer recommended: 

1) Regularly Changing Passwords

It used to be common advice to change your passwords every 60 to 90 days, even if there was no evidence of a security breach. However, experts now recommend against frequent, forced password changes. Here’s why: 

  • Increased Use of Weak Passwords: When people are forced to change passwords frequently, they tend to create simpler passwords to remember, often making small, predictable changes, such as going from “Password1!” to “Password2!”. These patterns are easily guessable by cybercriminals and therefore do not actually provide any additional security benefits. 
  • Better alternative: Instead of changing passwords regularly, focus on creating strong, unique passwords for each account and only change your password if you suspect it is no longer secure. 

2) Requiring Complex Characters in Specific Patterns

Many websites used to (and still do) enforce strict password creation rules, requiring a mix of uppercase letters, lowercase letters, numbers and special characters. While on the surface, this sounds good for security, forcing users into a specific pattern (e.g. “Password1!”) can lead to predictable passwords that cybercriminals can guess more easily. 

  • Why It’s Outdated: Cybercriminals know these common patterns (capitalising the first letter, using a number at the end, etc.) and can design their password-cracking tools accordingly. This makes “complex” passwords not as secure as people think. 
  • Better Alternative: Use passphrases that are long and random, but easy to remember. For example, “Sunshine-Blue-River!29” is much stronger and easier to remember than “X7kLmN!2”. 

3) Limiting Password Length to Shorter Values

Many systems used to (and some still do) limit passwords to shorter lengths, such as a minimum of 8 and a maximum of 12 characters, for convenience or due to outdated security policies. However, short passwords are easier to crack, regardless of their complexity. 

  • Why It’s Outdated: Today, the length of a password is often more important than its complexity. Shorter passwords, even with added numbers and special characters, can be cracked with brute force attacks much faster than long ones. 
  • Better Alternative: Create longer passwords or passphrases – ideally 12 characters or more. Longer passphrases that use letters, numbers and symbols are much harder for cybercriminals to crack. 
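The two rule sets from sections 2 and 3 side by side, as an added example that is not code from the original article: the legacy 8-to-12-character composition policy beside a length-first policy that drops composition rules but rejects blocklisted words and the Capital-word-digits-symbol pattern. The blocklist is a constructed stand-in for a breached-password list, and the length thresholds are assumptions.

```python
import re

# Constructed stand-in for a breached-password blocklist (an assumption; a real
# deployment would check against a large list of leaked passwords).
BLOCKLIST = {"password", "qwerty", "letmein", "welcome", "iloveyou"}
CLASS_CHECKS = (("uppercase", r"[A-Z]"), ("lowercase", r"[a-z]"),
                ("digit", r"\d"), ("symbol", r"[^A-Za-z0-9]"))


def legacy_policy(pw: str) -> list[str]:
    """The outdated rule set: 8 to 12 characters and one of every character class.
    Returns the list of violations; an empty list means the password is accepted."""
    problems = []
    if not 8 <= len(pw) <= 12:
        problems.append("length must be 8-12")
    problems += [f"missing {name}" for name, pat in CLASS_CHECKS if not re.search(pat, pw)]
    return problems


def modern_policy(pw: str, min_len: int = 12, max_len: int = 64) -> list[str]:
    """Length-first rule set: long passphrases welcome, no composition rules, but
    blocklisted words (even with a 'Password1!' style suffix) and the
    Capital-word-digits-symbol pattern are rejected."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if len(pw) > max_len:
        problems.append(f"longer than {max_len} characters")
    core = re.sub(r"[^A-Za-z]+$", "", pw)  # drop the trailing digits/symbols
    if core.lower() in BLOCKLIST:
        problems.append("based on a blocklisted word")
    if re.fullmatch(r"[A-Z][a-z]+\d+[^A-Za-z0-9]?", pw):
        problems.append("matches the Capital-word-digits-symbol pattern")
    return problems


def accepted_by(pw: str) -> dict:
    """Which policy accepts the password, for comparing the two side by side."""
    return {"legacy": not legacy_policy(pw), "modern": not modern_policy(pw)}


if __name__ == "__main__":
    for pw in ("Password1!", "Sunshine-Blue-River!29",
               "correcthorsebatterystaple", "X7kLmN!2"):
        print(pw, legacy_policy(pw), modern_policy(pw))
```

Note how the legacy policy waves “Password1!” through while rejecting the 22-character passphrase for being too long, which is exactly the inversion the section describes.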

4) Security Questions as Backup Access 

In the past, security questions (like “What’s your mother’s maiden name?” or “What was the name of your first pet?”) were a common backup method for password recovery. However, these questions are often easy to guess or research, especially with the amount of personal information people share online.  

  • Why It’s Outdated: Cybercriminals can often find answers to security questions through social media, public records or other online sources. This makes them a weak form of authentication. 
  • Better Alternative: Use multi-factor authentication (MFA) for account recovery instead of security questions. This ensures that, even if someone gains access to your password, they’ll need an additional factor (like a phone or fingerprint) to access your account. 

How can we help? 

If you’re concerned about the issues raised or unsure how they apply to your organisation, we’re here to help. We can work with you to turn these insights into clear, actionable steps, helping you better understand your exposure, prioritise key risks and strengthen your overall readiness. Get in touch with the Cyber, Data and Information Law team today to start the conversation. 

Whether you are looking to strengthen your processes, navigate risk roadblocks or protect your business from harm, our team is armed with the guidance and tools you need to be by your side and make your business unstoppable.