Your company probably has a password policy that looks something like this: minimum 12 characters, must include uppercase, lowercase, numbers, and special characters, must be changed every 90 days, cannot reuse the last 10 passwords.
Here's the problem: that policy is making you less secure, not more.
Key insight: NIST, the federal agency that literally writes the standards for cybersecurity, has formally recommended against mandatory password rotation and complex composition rules. The evidence is clear: these policies drive employees toward weaker security behaviors, not stronger ones.
Why Complex Password Policies Backfire
When you force employees to create complex passwords and change them every quarter, here is what actually happens:
- They write passwords on sticky notes under their keyboards
- They use predictable patterns: "Company2024!" becomes "Company2025!" at the next rotation
- They reuse the same base password across personal and work accounts
- They call the help desk constantly for resets, draining IT resources
Data point: Research supporting NIST's updated guidelines found that employees who are forced to change passwords frequently are 40% more likely to use predictable patterns or write them down. (Research cited in NIST Special Publication 800-63B)
The intent behind these policies is good. The outcomes are not. You are creating the illusion of security while actually widening the attack surface.
What Modern Authentication Looks Like
The good news: better alternatives exist, and they are easier for your employees to use. Here is what you should be moving toward.
1. Passkeys and Passwordless Authentication
Passkeys replace passwords entirely with cryptographic keys tied to a device. Your employees authenticate with a fingerprint, face, or device PIN; there is no password to remember, phish, or steal. Major platforms including Microsoft, Google, and Apple now support passkeys natively.
2. Password Managers for Everything Else
Not every system supports passkeys yet. For those that don't, a company-managed password manager is non-negotiable. It generates unique, complex passwords for every account and stores them securely. Employees remember one master password; the manager handles the rest.
3. Multi-Factor Authentication Everywhere
MFA should be mandatory on every system that supports it, especially email, cloud services, financial applications, and administrative consoles. Prefer hardware security keys or authenticator apps over SMS-based codes.
Stop using SMS for MFA
SMS-based two-factor authentication is vulnerable to SIM-swapping attacks, where criminals convince your phone carrier to transfer your number to their device. Move to authenticator apps or hardware keys for any account that matters.
What to Tell Your IT Team This Week
You don't need a six-month project to start improving. Here are five directives you can give your IT team today:
- Stop requiring password rotation unless there's evidence of compromise. Adopt NIST 800-63B guidelines.
- Deploy a company-wide password manager. Options like 1Password Business or Bitwarden Enterprise can be rolled out in days, not months.
- Enable passkey support on every platform that offers it. Start with Microsoft 365 and Google Workspace.
- Mandate MFA on all critical systems using authenticator apps or hardware keys, not SMS.
- Audit your current password policy and remove the complexity requirements that drive bad behavior. Focus on a minimum length of 12 to 15 characters or more (longer for credentials generated by a password manager) and screen new passwords against known breach databases.
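What the last directive looks like in code, as an added example that is not from the article or from NIST: a verifier that enforces only length, rejects context-specific words such as the company name, and screens against a breach corpus using the k-anonymity range pattern (send the first five hex characters of the SHA-1, compare suffixes locally). The breach sample and the range "server" are constructed here so the example runs offline; a real deployment would query a breached-password service or an offline dump instead.

```python
import hashlib

MIN_LENGTH = 12

# Constructed breach sample (plaintext -> times seen); real use needs a service.
BREACHED_SAMPLE = {
    "Password123": 1400000,
    "Company2024!": 320,
    "Company2025!": 41,
    "Welcome1": 85000,
}

def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def simulated_range_response(prefix: str) -> str:
    """Stand-in for a k-anonymity range lookup: the client sends only the
    first five hex chars of the SHA-1 and receives every matching
    'SUFFIX:COUNT' line. Built from BREACHED_SAMPLE so it runs offline."""
    lines = []
    for pw, count in BREACHED_SAMPLE.items():
        digest = sha1_hex(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)

def breach_count(password: str, fetch_range=simulated_range_response) -> int:
    """How often the password appears in the corpus (0 if never). Only the
    5-char prefix leaves the client; the full hash is never transmitted."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        found_suffix, _, count = line.partition(":")
        if found_suffix == suffix:
            return int(count)
    return 0

def check_password(password: str, context_words=()) -> list[str]:
    """Reasons the password is rejected (empty list = accepted). Deliberately
    enforces no character-class composition rules and no rotation."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    lowered = password.lower()
    for word in context_words:
        if word.lower() in lowered:
            problems.append(f"contains context-specific word '{word}'")
    hits = breach_count(password)
    if hits:
        problems.append(f"found in breach corpus {hits} times")
    return problems
```

Note that "Company2025!" satisfies every classic composition rule and still fails both the context-word and breach checks, which is exactly the pattern the rotation policy produced.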
Key Takeaways
- Complex rotation policies create weaker security: they push employees toward predictable patterns and workarounds
- Passkeys are the future: adopt them wherever possible to eliminate passwords entirely
- Password managers are today's solution: deploy one company-wide for every system that still requires passwords
- MFA is mandatory: use authenticator apps or hardware keys, not SMS
The shift away from traditional passwords is not optional; it is inevitable. The only question is whether you lead the transition or get forced into it after a breach. For a deeper dive into building modern security infrastructure, see Cybersecurity for CEOs.