Password Security in 2025: What Actually Protects Your Accounts
The rules most people follow are outdated, counterproductive, and based on 2003 guidance the author himself later called a mistake. Here's what the actual research says and what genuinely protects you.
Most people follow these password rules: uppercase, lowercase, numbers, symbols, change every 90 days, never write it down, make it unique but also memorable. The result is either genuinely random passwords stored somewhere insecure, or slightly modified versions of the same password everywhere. Both outcomes are bad.
The conventional wisdom about passwords is largely wrong — and it comes from a single 2003 document the author later publicly regretted.
Why Complexity Rules Mostly Don't Work
The uppercase-lowercase-numbers-symbols requirement was popularised by a 2003 NIST publication by Bill Burr. In a 2017 Wall Street Journal interview, Burr said of that guidance: "Much of what I did I now regret." NIST updated their guidelines in 2017 and explicitly recommended against mandatory complexity rules and forced periodic changes.
Here's why complexity backfires: when you force users to add a capital and a number to a word, they do it in entirely predictable ways. Password1! technically satisfies every complexity rule. So does Summer2025!. Attackers have databases of exactly these patterns. These passwords crack trivially despite meeting requirements.
What Actually Determines Strength: Entropy
Password strength is measured by entropy — bits of unpredictability. Each additional bit doubles the number of guesses required. The key insight:
Length matters more than character set size. A 20-character lowercase-only password has more entropy than a 10-character password using the full printable ASCII set.
The Case for Passphrases
A passphrase is a sequence of randomly selected words: correct horse battery staple (from the famous XKCD comic). The key word is random — not a sentence you'd naturally form. "My dog is named Buddy" is not a passphrase; it's a sentence, and attackers use natural language models. True passphrases pick words via dice roll or CSRNG from a curated word list (diceware).
Six random words from a 2048-word list give ~66 bits of entropy — genuinely strong, memorable, and typeable on any keyboard.
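As an added illustration (not code from this article) of the entropy arithmetic behind the two comparisons above, the weak "word + predictable suffix" pattern from the complexity section, and how a diceware-style passphrase is drawn with the OS CSPRNG; the 16-word sample list, the 100,000-word cracking dictionary and the 1,000 suffix variants are constructed assumptions, not measured figures.

```python
import math
import secrets
import string


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a string whose `length` symbols are each drawn uniformly
    at random from an alphabet of `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def passphrase_entropy_bits(wordlist_size: int, word_count: int) -> float:
    """Same formula as entropy_bits: for a passphrase the 'alphabet' is the word list."""
    return entropy_bits(wordlist_size, word_count)


def pattern_entropy_bits(dictionary_size: int, suffix_choices: int) -> float:
    """Effective entropy of a 'dictionary word + predictable suffix' password
    (the Summer2025! shape), modelled as one word from a cracking dictionary of
    `dictionary_size` words followed by one of `suffix_choices` suffixes.
    Both sizes are hypothetical; the point is the order of magnitude."""
    return math.log2(dictionary_size * suffix_choices)


# Constructed 16-word sample list standing in for a real diceware list.
# 16 words give only 4 bits per word, so it is for demonstration only.
SAMPLE_WORDS = [
    "correct", "horse", "battery", "staple", "anchor", "candle", "meadow",
    "rocket", "silver", "timber", "violet", "walnut", "yellow", "zipper",
    "garden", "island",
]


def generate_password(length: int, alphabet: str = string.ascii_lowercase) -> str:
    """Random password from the OS CSPRNG via `secrets` (never the `random` module)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(wordlist, word_count: int = 6, sep: str = " ") -> str:
    """Diceware-style passphrase: every word chosen uniformly with the CSPRNG,
    never by hand, so the entropy estimate above actually holds."""
    return sep.join(secrets.choice(wordlist) for _ in range(word_count))


if __name__ == "__main__":
    print(f"20 lowercase chars:       {entropy_bits(26, 20):.1f} bits")
    print(f"10 printable-ASCII chars: {entropy_bits(95, 10):.1f} bits")
    print(f"6 words, 2048-word list:  {passphrase_entropy_bits(2048, 6):.1f} bits")
    print(f"word + year + symbol:     {pattern_entropy_bits(100_000, 1_000):.1f} bits")
    print(generate_password(20))
    print(generate_passphrase(SAMPLE_WORDS))
```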
Password Managers: The Only Practical Solution
You need a unique strong password for every account. Humans can't memorise hundreds of them. Therefore passwords must be stored somewhere. A password manager stores them encrypted, syncs across devices, and autofills — removing all friction from the right behavior.
- Bitwarden: Open source, audited, free tier includes cross-device sync. What most security-conscious developers actually use.
- 1Password: Excellent UX, great team sharing, Travel Mode for border crossings. $3/mo personal.
- KeePassXC: Offline only, open source, free forever. Requires your own sync solution but nothing touches the cloud.
2FA Matters More Than Password Strength
Here's something rarely stated clearly: a mediocre password plus 2FA is more secure than an excellent password without it. Credential stuffing — attackers trying breached username/password pairs on other services — is among the most common attack vectors. 2FA stops it entirely regardless of password quality.
What to Do Today
- Install Bitwarden if you don't have a password manager.
- Change your email account password to a 20+ character random password and enable 2FA immediately.
- Enable 2FA on your domain registrar and hosting accounts — these control your entire online presence.
- Over the next week, rotate passwords for important accounts as you log into them naturally.
- Stop reusing passwords. With a manager, there is no reason to.
The question isn't whether your credentials have been exposed in a breach. They almost certainly have. The question is whether those credentials work anywhere else.