For years, IT departments told everyone the same thing: 8 characters minimum, one capital letter, one number, one symbol, change it every 90 days. It felt rigorous. Most of it was wrong. Here are five outdated rules security researchers have since debunked — and what replaced each one.
Myth #1: "Complexity beats length"
The old advice: Cram in symbols, numbers, and mixed case to make a password "strong," even if it's short.
What's actually true: A 6-character password with every trick in the book cracks faster than a 20-character string of plain lowercase words. Length dominates password strength because every extra character multiplies the number of combinations an attacker has to try — exponentially, not linearly. A 20-character password isn't twice as hard to crack as a 10-character one; it's astronomically harder.
Do this instead: Aim for at least 16 characters. Length first, complexity second.
Myth #2: "Passwords need to be hard to remember"
The old advice: A "real" password looks like random gibberish — impossible to memorize, so you write it on a sticky note instead.
What's actually true: Four random unrelated words strung together — something like "purple-anvil-forest-lamp" — is both more secure than most "complex" passwords and far easier to remember. This passphrase approach, popularized by the webcomic xkcd, was later validated by NIST's own guidance. The key word is random: "ilovemydog2015" is a phrase, but it's guessable, because it draws on personal information anyone could find on social media.
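As an added example that is not part of the original article, this Python puts numbers on Myths 1 and 2: it computes the search space in bits for the three passwords the text compares and builds a passphrase the way the random-words advice intends, using a cryptographic random source. The 12-word list is constructed for the demo; 7776 is the size of a standard diceware-style wordlist such as the EFF long list.

```python
import math
import secrets

# Alphabet sizes used in the comparisons below
PRINTABLE_ASCII = 95   # upper + lower + digits + common symbols
LOWERCASE = 26
DICEWARE_LIST = 7776   # entries in a standard diceware-style wordlist


def search_space_bits(alphabet_size: int, length: int) -> float:
    """Bits of search space for a string chosen uniformly at random.

    Each extra position multiplies the candidate count by the alphabet
    size, so bits (log2) grow linearly while candidates grow exponentially.
    """
    return length * math.log2(alphabet_size)


def times_harder(alphabet_size: int, short_len: int, long_len: int) -> int:
    """Factor by which the longer string's candidate count exceeds the shorter's."""
    return alphabet_size ** (long_len - short_len)


def compare_page_examples() -> dict:
    """Search space for the three passwords discussed in Myths 1 and 2."""
    return {
        "6 chars, full charset": search_space_bits(PRINTABLE_ASCII, 6),
        "20 chars, lowercase": search_space_bits(LOWERCASE, 20),
        "4 random words": search_space_bits(DICEWARE_LIST, 4),
    }


# Constructed stand-in wordlist; a real generator loads the full 7776-word list.
SAMPLE_WORDS = ["purple", "anvil", "forest", "lamp", "river", "candle",
                "marble", "falcon", "cactus", "harbor", "velvet", "pixel"]


def generate_passphrase(wordlist, words: int = 4, sep: str = "-") -> str:
    """Pick words with the secrets module (a CSPRNG), never random.choice."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    for label, bits in compare_page_examples().items():
        print(f"{label:22s} {bits:6.1f} bits")
    factor = times_harder(LOWERCASE, 10, 20)
    print(f"10 -> 20 lowercase chars: {factor:.2e} times more candidates")
    print("example passphrase:", generate_passphrase(SAMPLE_WORDS))
```

The 20-character lowercase string lands near 94 bits against roughly 39 for the 6-character "complex" one, which is the point of Myth 1 in numbers.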
Myth #3: "Change your password every 90 days"
The old advice: Mandatory periodic password changes, enforced by a calendar.
What's actually true: NIST's updated guidelines explicitly call forced periodic changes counterproductive. When people are required to change passwords every quarter, they predictably do the minimum: "Password1!" becomes "Password2!" — which research shows makes passwords weaker, not stronger.
Do this instead: Change a password when there's evidence of a breach, you suspect someone saw it, or a site that used it got hacked. Not on a schedule.
Myth #4: "One strong password is enough"
The old advice: Pick one really good password and reuse it everywhere — it's strong, so it's fine.
What's actually true: Most account compromises don't come from someone cracking your specific password — they come from credential stuffing, where attackers take leaked username/password pairs from one breach and try them on other sites. Reuse a password anywhere, and one breach becomes ten.
Do this instead: A different password for every account, full stop. The only realistic way to manage that is a password manager (Bitwarden, 1Password, and Dashlane are all solid) — you remember one master password, and it remembers everything else. Our Password Generator creates strong random passwords instantly to paste straight into one.
Myth #5: "A strong password is enough protection on its own"
The old advice: If your password is long and unique, you're covered.
What's actually true: Even a perfect password can be phished or leaked in a breach you never hear about. Two-factor authentication (2FA) means an attacker also needs physical access to your phone or authenticator app — a second lock on the door that a stolen key alone can't open.
Do this instead: Turn on 2FA everywhere it's offered, starting with email, banking, and social media.
The Five Rules That Replaced the Old Ones
- Long passwords (16+ characters) beat complex short ones
- Random passphrases are both stronger and easier to remember
- Only change a password when you have a reason to
- A different password for every account, managed with a password manager
- Two-factor authentication everywhere it's available