Breachroad
Authentication

Strong passwords: busting the myths, showing what works

Change your password every 30 days? Invent complex character strings? We explain which password rules are outdated myths and what really protects your accounts.

Karol Rapacz
15 April 2026 · 9 min read

For years we were taught password rules that today turn out to be not just ineffective but actively harmful: “change it every month”, “add a digit and a special character”, “never write it down anywhere”. Modern security knowledge (and guidance like NIST) turned those rules upside down. It’s worth knowing which password “truths” are now myths and what really protects your accounts — because passwords are still the first line of defence for most services.

Myths worth saying goodbye to

Myth: “Change your password every 30/90 days.” Forcing frequent password changes worsens security. Compelled to keep changing, people create weak, predictable variants (Password1!, Password2!, Password3!) and write them on sticky notes. Today the advice is to change a password only when there’s a reason — a suspected leak or compromise. NIST guidance says the same.

Myth: “The more special characters, the better.” “P@ssw0rd!” looks complex, but for a password cracker it’s trivial — because letter-substitution patterns (a→@, o→0) are well known. Password strength is decided mainly by length and unpredictability, not the number of symbols.

Myth: “Never write passwords down anywhere.” That rule was born when “writing down” meant “on a sticky note under the keyboard”. Today a password manager is the best way to store them — a secure vault that remembers hundreds of unique, random passwords for you. “Don’t write it down” became “don’t memorise it — use a manager”.

Myth: “One strong password is enough for everything.” This is the most dangerous myth. Even the strongest password used in many places is only as safe as the weakest service you used it on — because after a leak it flows into credential stuffing attacks on all your accounts.

What really works

Long passphrases instead of short “complex” passwords. Four or five random words (e.g. “bicycle-cloud-tiger-coffee-72”) are far harder to crack than “P@ss1!”, and easier to remember. Length beats complexity.

A unique password for each service. This is the most important rule. It means a leak from one place doesn’t cascade to the rest of your accounts. You can’t memorise hundreds of unique passwords — which is why…

A password manager. It generates long, random, unique passwords and remembers them for you. You remember one strong master password (protected with MFA). It’s the single change with the biggest impact on the security of your accounts.

MFA wherever possible. Even the best password can leak. A second factor — ideally an app or a key/passkey, not SMS — stops login with a stolen password.

Passkeys — the password-free future. More and more services support passkeys: login without a password, phishing-resistant by design. Where they’re available, it’s worth using them.

How to check whether your password is secure

Three quick tests: is it long (at least 12–16 characters, or a passphrase of 4+ words)? Is it unique (not used anywhere else)? Has it appeared in a leak (your password manager or browser will warn you)? If it fails any of these tests, it’s time to change it and move to a manager.
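The three tests above, as an added example (not the article's own code) run over a small constructed vault: length or word count, reuse across entries, and a leak check done the way Have I Been Pwned's range API works, where only the first five hex characters of the password's SHA-1 are sent and the suffix is matched locally. The network call is replaced by an offline stand-in built from a constructed breach list; VAULT, FAKE_BREACH_CORPUS and all function names are assumptions for this example.

```python
import hashlib
from collections import Counter
# Constructed sample vault (site -> password), as a password manager would hold it.
VAULT = {
    "mail.example": "bicycle-cloud-tiger-coffee-72",
    "shop.example": "P@ssw0rd!",
    "bank.example": "P@ssw0rd!",
}
# Constructed stand-in for the Pwned Passwords corpus (password -> times seen in leaks).
FAKE_BREACH_CORPUS = {"P@ssw0rd!": 3400, "password": 9000000}

def long_enough(password, min_chars=12, min_words=4):
    """Test 1: at least min_chars characters, or a passphrase of min_words+ words."""
    words = password.replace("-", " ").split()
    return len(password) >= min_chars or len(words) >= min_words

def fake_range_lookup(prefix):
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.
    Like the real API it answers 'SUFFIX:COUNT' lines for every hash with that prefix."""
    lines = []
    for pw, count in FAKE_BREACH_CORPUS.items():
        digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)

def breach_count(password, range_lookup=fake_range_lookup):
    """Test 3 (k-anonymity): only the 5-char SHA-1 prefix leaves the machine; returns leak count or 0."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:  # the 35-char suffix is compared locally, never sent
            return int(count)
    return 0

def audit(vault):
    """Run all three tests on every entry; returns site -> list of failed tests."""
    uses = Counter(vault.values())  # Test 2: a password held by more than one site is reused
    report = {}
    for site, pw in vault.items():
        problems = []
        if not long_enough(pw):
            problems.append("too short")
        if uses[pw] > 1:
            problems.append("reused")
        if breach_count(pw) > 0:
            problems.append("seen in a leak")
        report[site] = problems
    return report
```

To run it against the real service, swap fake_range_lookup for a function that fetches the range URL for the prefix and returns the response body; the matching logic stays the same.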

Frequently asked questions (FAQ)

Should I really not change passwords regularly? There’s no need to change a good, unique password “just in case” every month — that worsens password quality. Change a password when there’s a reason: a service leak, a suspected compromise, sharing that has ended. The exception is shared and service passwords, which are worth rotating after people with access leave.

Is saving passwords in the browser safe? Better than reusing one password, but worse than a dedicated manager. Passwords in the browser profile leak together with the profile — infostealers extract them in seconds. A manager with a separate master password and MFA raises the bar.

How do I create a good master password for the manager? Use a long passphrase of 4–5 random, unrelated words — easy to remember, hard to crack. It must not be used anywhere else and should be protected with MFA. It’s the only password you have to remember.

Will passkeys replace passwords entirely? Over time probably yes, but it’s a process — not all services support them. For now the strategy is hybrid: passkeys and keys where possible, a password manager with unique passwords and MFA for everything else. We covered this in more depth.

How do I roll out good password practices in a company? A business password manager, enforced MFA, an end to forcing frequent change without reason, and a unique-password policy are the foundation. We describe this in our password managers for business article. We’ll help you deploy it: get in touch.

Summary

Many “old truths” about passwords are now myths: frequent change harms, special characters matter less than length, and “don’t write it down” became “use a manager”. What really protects accounts is simple: long passphrases, a unique password per service (thanks to a manager), MFA everywhere and passkeys where available. Deploying a password manager is the single change with the biggest return — start with it today.


Sources and further reading: NIST SP 800-63B, Have I Been Pwned.
