5 Dos and Don’ts of Password Security

January 27, 2026 | Cybersecurity

For security leaders, ensuring employees use strong, secure passwords to log into websites, applications, and company systems is imperative. But best practices have changed a lot over the last few years.

Here’s a quick look at what we recommend in 2026:

  • Ensure all employees are using a password manager. This allows employees to use complex, unique passwords for each website or application without having to remember what those passwords are.
  • Don’t require employees to change their passwords on a regular rotation. While this was once considered a best practice, it actually encourages employees to use simple, predictable passwords. Current NIST guidance (SP 800-63B) says the same: require a change only when there is evidence that a password has been compromised.
  • When possible, use a passkey instead of a password.

Let’s take a closer look at what to do—and what not to do—when it comes to password security.

DON’T: Require Password Rotations

“Modern wisdom tells us that required password rotations and expirations encourage bad passwords,” said Larry Kinkaid, manager of cybersecurity consulting at BARR Advisory. 

This is because when employees are required to update their passwords frequently, they tend to use simpler, less secure passwords. 

The longer and less predictable a password is, the longer it takes an attacker to recover it by guessing, whether online against the login form or offline against a stolen database of password hashes. But remembering many long, complex passwords is a challenging feat for any employee. This is why Kinkaid recommends using a password manager tool.

DO: Use a Password Manager

“IT departments really should require the use of password managers for anything that is browser-based, and strongly encourage it for other applications,” Kinkaid said.

Password managers allow employees to use long, complex passwords without having to remember what they are.

“Some password managers even have capabilities baked in to alert users about compromised or weak passwords so they can be more proactive about changing them,” Kinkaid said.

A password manager can also help streamline the offboarding and deprovisioning processes when team members leave the company.

“Once a user is separated from the organization and they lose access to their password manager, they also lose access to company tools and resources that require a password—and they can’t reset them, because they no longer have access to their work email,” Kinkaid said. “This helps create more assurance that terminated employees don’t retain residual access to systems (including shadow IT systems).”

Of course, “no password manager can completely eliminate the risk of a data breach,” Sarah Varnell, a manager on BARR’s attest services team, noted.

“That said, it’s still considered safer to use a password manager, as these tools enable users to choose strong, unique passwords for each of their accounts without resorting to old habits like reusing passwords that are easy to remember with common permutations or writing them all down on paper,” Varnell added.

DO: Ensure Every Password is Unique

Security experts have long advised against reusing passwords across multiple accounts, because a breach of any one service exposes every other account that shares the same password. Attackers routinely replay leaked username and password pairs against other sites (credential stuffing), so once a hacker knows one of your passwords, they effectively hold every account that uses it.

For teams using password managers, choosing a unique master password for this tool is especially vital. “It puts a lot of onus on your main credentials, because they are literally keys to the kingdom,” Kinkaid said.

However, he contends the benefits of password managers far outweigh this risk.

“It’s a lot safer, because you’re no longer reusing passwords—each system credential is vastly unique,” Kinkaid said. Most password managers are able to generate unique, complex passwords for you with just a few clicks, making it quick and easy for employees to use safe passwords without worrying about how to remember them.

With password managers, “increasing password complexity to 18 or 24 characters and including lowercase letters, uppercase letters, numbers, and symbols is a trivial and easy decision because it doesn’t impact the user experience,” Kinkaid said.

DON’T: Forget About Passkeys

Passkeys (the consumer name for FIDO2/WebAuthn credentials) work by using a cryptographic key pair: a public key and a private key. The public key is stored by the service provider (the relying party, such as Google or Microsoft), while the private key remains on the user’s device, or is synced between the user’s own devices in end-to-end encrypted form by a passkey provider. The private key is never sent to the service, so there is nothing for an attacker to intercept on the wire or steal from the server.

Here’s how passkeys operate in practice: when logging in, the server sends the user’s device a fresh, random challenge. The user unlocks the private key with biometrics or a PIN, and the device signs the challenge (together with the identity of the site requesting it) using the private key. The server checks that signature with the public key it stored at registration; if the signature verifies, access is granted. Because a public key can only check signatures, not create them, a leaked public key is useless to an attacker without the corresponding private key.

This offers several significant security advantages over traditional passwords. Firstly, there is no password to phish. A passkey is bound to the domain it was created for, so a fake login page on a look-alike domain cannot request it, and since users never type a secret, there is nothing for a phishing email or fake login page to capture.

Additionally, passkeys require biometric authentication or a device PIN, adding an extra layer of security. Even if a malicious actor gains physical access to a user’s device, they would still need the user’s fingerprint, face, or PIN to proceed.

Furthermore, the private key never leaves the user’s device (or leaves it only in end-to-end encrypted form when synced between that user’s devices), eliminating the risk of it being intercepted in transit or sitting on a vulnerable server. This ensures the user’s credentials remain secure even in the event of a server breach: all the attacker obtains is a set of public keys.

DO: Use Passphrases When a Passkey or Password Manager Isn’t an Option

When it’s not possible to use a passkey or password manager, using a “passphrase” is the best option to ensure your password is both strong and memorable. By stringing many unrelated words together to create a nonsensical phrase or sentence, users can create a lengthy password that is personal to them “so it’s easy to remember, but it has at least 16 characters and preferably includes all four complexity markers (upper and lowercase letters, numbers, and symbols),” Devin Olsen, a senior consultant on BARR Advisory’s attest services team, wrote in a blog post.

“In general, the longer the password, the better off it is,” Olsen wrote. “The time it takes to crack a password increases exponentially as more characters are added.”

The Bottom Line

The biggest takeaway for security leaders? “Truly, I think a bad password is any password that you know,” Kinkaid said. 

This makes password managers and passkeys the best options for securing users’ accounts. 

The less red tape there is for employees, the more likely they will be to take advantage of these features. Security leaders should strive to use tools that integrate with the browser and educate team members about why it’s so important to practice good cyber hygiene when it comes to passwords.

“The biggest hurdle to reaching this vision is end-user awareness and adoption. It is a different way to think about how you manage your credentials than many people are used to,” Kinkaid said. “But as long as it’s baked into the end-user experience via their browser, it’s a no-brainer. Rarely does security actually make a process easier, but we can count this one as a win—both for security and usability.”

Need help educating your team on cybersecurity dos and don’ts? Our consultants can help. Contact us today.