Home / Blog Posts

Best Password Practices: Tips for Better Password Security

Jul 1, 2024 | Cyber Security

Passwords remain one of the most common ways attackers gain access to business systems. The strongest defence is a password strategy that combines long, unique credentials with MFA, password managers, and phishing-resistant authentication.

Best Password Practices for Businesses

  • Treat passwords as only one layer of security. Require MFA for email, cloud platforms, VPNs, payroll, finance, HR systems, and administrator accounts to reduce the impact of stolen credentials.
  • Adopt passkeys and passwordless authentication where possible. Technologies like Windows Hello for Business and FIDO2 security keys replace passwords with phishing-resistant credentials, helping reduce credential-based attacks while making sign-ins simpler and more secure.
  • Provide employees with an approved enterprise password manager. This helps teams create and securely store unique passwords instead of reusing the same passwords and saving them in browsers, spreadsheets, or notes apps.
  • Replace outdated complexity rules with length-based password policies. Long passphrases are easier for users to remember and harder for attackers to crack than short passwords filled with symbols and forced character combinations.
  • Only require password resets after a suspected compromise or breach exposure. Mandatory password changes every 60 or 90 days create predictable user behaviour and weaker passwords over time.

Why Businesses Need Better Password Policies

For businesses, the best password practices start with five controls:

  1. Use long unique phrases
  2. Store credentials in a password manager
  3. Enable multi-factor authentication
  4. Block known compromised passwords
  5. Implement simple password rules people will follow.

That sounds easy, but this is not how most business IT systems are currently designed.

Many organizations rely on traditional, dated password requirements: eight characters, one uppercase letter, one number, one symbol, and mandatory resets every few months.

Those password rules seem effective, but in practice they often result in predictable behaviour. People reuse passwords, increment numbers on the end, change “o” to “0,” change “a” to “@”, save credentials in browsers, append an exclamation mark, and write the whole thing down. All this is because the rules make passwords hard to make and harder to remember.

The password rules IT has enforced for decades resulted in weak passwords and frustrated users. Businesses need a password security regime that gives employees clear rules, enables IT visibility, and provides leadership confidence that account access is protected.

What Are the Best Password Practices for Businesses?

The best password security practices are practical, easy to enforce, and help reduce cyber risk while improving audit readiness, minimizing password-related support requests, and strengthening your organization’s overall identity security.

A business password program should reduce weak credentials without encouraging workarounds.

Practice What It Means Business Outcome
Use long passphrases Require long passwords and encourage easy to remember phrases Stronger account protection without confusing rules
Make every password unique Use a different password for every account, app, and device Reduced vulnerability since one exposed password does not expose multiple systems
Use a password manager Generate, store, autofill, and audit credentials securely Better password protection through reduced reliance on spreadsheets, browsers, or sticky notes
Enable MFA or passkeys Add a second factor for sign-in Greater resilience as a stolen password alone is not enough to breach your systems
Monitor for compromised credentials Block or reset passwords found in breach lists Limited exposure from stolen passwords traded on the dark web
Train employees on phishing Teach users where and when not to enter passwords Fewer human errors where passwords are submitted on fake login pages

What Makes a Strong Password?

A good password is long, unique, unpredictable, and not connected to personal or business information. Also, a good password is usable. If people cannot remember or manage it safely, they will create shortcuts.

A good password should:

  • Be long enough for the system and risk level
  • Be unique to one account
  • Avoid names, birthdays, company names, pets, seasons, sports teams, and common phrases
  • Avoid predictable substitutions like P@ssw0rd or Welcome2026!
  • Be stored in a password manager when possible
  • Be paired with MFA for important accounts

This is the difference between a strong-looking password and a strong password.

CompanyName2026! may satisfy old password rules, but it’s extremely predictable.

A better approach is a password manager-generated password or a longer passphrase.

How Long Should a Password Be?

Password length matters more than the old rules around complexity.

Use 15+ characters for passwords wherever supported. Where only a shorter password is supported by the system, use a unique password stored in a password manager, and always protect the account with MFA.

For passphrases, use several words, spaces, and capitals to make a full phrase of at least 15 characters. For systems that cannot support long passwords, use the strongest allowed password, avoid predictable patterns, and add MFA wherever possible.

MFA is a vital second layer. However, MFA should not be used as an excuse for weak or reused passwords. Otherwise, you have defeated the point and effectively gone from two factors back to one!

Instead, think of it this way:

Use long, unique passwords or passphrases, store them safely, and protect all important accounts with MFA.

What is a Passphrase?

A passphrase is a longer password made from multiple words. It can include spaces, punctuation, numbers, or symbols, depending on what the system allows.

A strong passphrase uses a unique phrase that is only used by you. It should not be a quote, song lyric, movie line, common saying, company slogan, or sentence that someone could guess from your public information.

Good passphrases work because they are easier for people to remember and harder to guess than short, predictable passwords.

For example, a poor phrase would be:

MayTheForceBeWithYou

It looks long but is weak because it is a famous quote. Attackers have catalogues to iterate through millions of quotes, lyrics, Bible verses, slogans, and common sayings.

A better, personal phrase is:

Mrs. Magoo, in 2002, lived in a shoe

That phrase is a personal invention, easy to remember, and is not based on a famous source or easily inferred by others. You don’t want to use a phrase that can be surmised by investigating your social media or public history.

Passphrase vs Password: Which is Better?

You can decide whether to use a passphrase vs password based on the limits of the system and how the credential will be managed.

Option Best Used For Strength Risk
Password manager-generated password Most business applications, SaaS tools, admin portals, and shared work systems Very strong when long, random, and unique Requires password manager adoption
Passphrase Accounts a user must memorize, such as a master password or device login Strong when long, unique, and impossible to infer Weak if based on quotes, themes, or personal information
Short complex password Legacy systems with restrictive password fields Better than weak passwords, but not ideal Often becomes predictable or reused
Passkey Supported modern services and high-value accounts Stronger because there is no reusable password to steal Not available in every business application

Use password manager-generated credentials for most business accounts. Encourage passphrases whenever people must remember the password.

How Do You Create Strong Passwords?

Choosing how to create strong passwords depends on whether the password will be stored or memorized.

For stored credentials:

  1. Use a business-approved password manager.
  2. Generate a random password.
  3. Use the longest length the system supports.
  4. Use unique credentials for every account.
  5. Store the credential in the approved vault.
  6. Enable MFA on the account.

For memorized credentials:

  1. Use a passphrase.
  2. Choose at least four words.
  3. Make it 15 characters or longer, if supported.
  4. Add separators, capitalization, or numbers only if they help you remember it.
  5. Avoid personal information or popular phrases.
  6. Never reuse it.

These password creation best practices make strong credentials easier to maintain because the user doesn’t need to invent or memorize dozens of passwords.

What Password Examples Are Safe to Learn From?

The password examples list we’ve provided below is for learning only. Do not copy any exact examples into a real account.

Type Example Use It? Why
Common password password123 No Common and predictable
Pattern password Qwerty2026! No Keyboard patterns are easy to test
Personal password MiloBirthday2024! No Pets, birthdays, and family references are guessable
Company-based password CompanyName2026! No Company names and years are predictable
Fake complexity P@ssw0rd! No Substitutions are known attack patterns
Random generated password r8T!vQ2z#L9pW6mA Yes, if generated and stored Long, random, and unique
Passphrase format river-glass-magnet-orbit Yes, if generated uniquely Longer and easier to remember
Security phrase examples Paper cactus project I failed Yes, if unique and unknown Works as a memorable passphrase structure

What Are Good Passwords to Avoid?

“What are good passwords?” is a good question, but in answering it we must be careful not to lead your business into reusing password examples or repeating example patterns.

A password that looks good can be weak if it is predictable, reused, or connected to the person creating it.

Avoid:

  • A personal identification word, such as a nickname, pet name, hometown, family name, or company name
  • Common words with a number added
  • Current season plus year
  • Sports teams and jersey numbers
  • Keyboard paths
  • Passwords based on public social media information
  • The same base password with small changes for each account
  • Passwords saved in plain text files, spreadsheets, email, or chat

Secure passwords are not clever. They are long, unique, and hard to predict.

Which Password Rules Should Businesses Stop Using?

Key Takeaways

  • Retire outdated password policies like mandatory password resets, overly complex password rules, and security questions unless they’re required for legacy systems.
  • Encourage long, unique passphrases instead of short, complex passwords that are harder to remember and easier to reuse.
  • Never share passwords through email, chat, text messages, or shared documents. Use an approved password manager with secure sharing and access controls instead.
  • Choose business-grade password management tools that support secure sharing, auditing, onboarding, offboarding, and policy enforcement, not just browser-based password storage.

Old password rules create more complexity than security. They push employees into patterns attackers already understand.

Scheduled Password Expiry

Change passwords when there is a reason: suspected compromise, known exposure, employee departure, shared accounts, or policy change. Routine resets often lead people to implement small predictable changes.

Complexity Rules and Short Length

A short password with symbols is not better than a long, unique passphrase. Complexity can help in legacy systems that do not allow longer passphrases, but password length and uniqueness carry more value.

Security Questions and Hints

Security questions often use information that can be guessed, found online, or socially engineered. Password hints weaken the secrecy of the credential.

Browser-Only Password Storage for Business Credentials

Browser password storage may be convenient, but it rarely provides the business controls organizations need: secure sharing, reporting, vault access management, onboarding, offboarding, and policy enforcement.

Shared Passwords in Email or Chat

If a credential must be shared, use an approved password manager with access controls and audit visibility. Do not send passwords through email, chat, text messages, or shared documents.

What Password Requirements Should a Business Set?

Modern password requirements should make secure behaviour easier, not harder.

Requirement Recommended Standard
Minimum password length 15+ characters for passphrases and single-factor passwords when supported; use the strongest allowed password in legacy systems
Maximum password length Allow long passwords up to 64 characters, where systems allow it
Passphrases Allow spaces and long word-based credentials when supported
Uniqueness Require a unique password for every account
Blocklist checks Reject common, expected, reused, and breached passwords
MFA Require MFA for business systems, remote access, email, finance, HR, and admin accounts
Password changes Require changes after suspected compromise, known exposure, or role/access changes
Password manager Provide an approved business password manager and direct employees to use it
Shared credentials Share only through approved vault controls
Admin accounts Apply stronger controls, phishing-resistant MFA, and monitoring

These password requirements give the organization a clear standard that can be measured.

How Should Businesses Manage Passwords at Scale?

Password security tips only work when the business can turn them into a managed process.

For Canadian and US businesses, the practical path is:

  1. Assess current password risk. Identify reused credentials, weak passwords, browser-saved credentials, shared accounts, local admin accounts, and accounts without MFA.
  2. Adopt a business password manager. Make secure passwords easier to create, store, share, and revoke. Train users so adoption does not stop after rollout.
  3. Operate with clear ownership. Connect password management to onboarding, offboarding, role changes, vendor access, and help desk workflows.
  4. Secure continuously. Monitor for compromised credentials, review privileged access, test MFA coverage, and update password rules as systems evolve.

This is where many password programs fail. The policy exists, but no one can prove whether users follow it.

F12 helps Canadian mid-market organizations turn password risk and identity complexity into clear, accountable controls. That includes building password and authentication practices that users can follow, IT can manage, and leadership can measure.

What Are the Most Important Password Security Tips?

The strongest password security tips are simple enough to follow and strong enough to truly reduce risk:

  • Use a password manager for most credentials
  • Use passphrases for the few passwords you must remember
  • Make every password unique
  • Use the longest password or passphrase the system supports
  • Enable MFA or passkeys
  • Do not reuse passwords across work and personal accounts
  • Do not use personal information
  • Do not share passwords through email, chat, or spreadsheets
  • Do not rely on forced password rotation as your main control
  • Review exposed, weak, or reused credentials regularly

A good password is one part of identity security.

What Is the Bottom Line for Best Password Practices?

Best password practices do not come from making users remember harder rules.

They come from removing the conditions that create weak passwords in the first place.

You do not need employees to invent clever passwords under pressure. You need clear password requirements, approved password management, MFA, credential monitoring, and a process that works during onboarding, offboarding, remote work, and daily operations.

Strong password tips help users make better decisions.

A managed password security program gives your business control.

Let’s Talk

Frequently Asked Questions About Password Security

Are Passkeys Replacing Passwords?

Passkeys are growing quickly and will replace passwords for many services over time, but not all at once. They are phishing-resistant because there is no shared secret an attacker can steal or trick a user into entering.

Businesses should adopt them gradually where they are supported, such as through Windows Hello for Business and Microsoft Entra ID, while keeping strong passwords and MFA in place everywhere else.

Should Businesses Force Password Changes Every 90 Days?

No. Scheduled expiry pushes people toward predictable, incremental changes that are easier to guess. Require a change only when there is a reason, such as a suspected compromise, known breach exposure, or a role or access change.

Are Browser Password Managers Safe for Work?

Browser storage is convenient but rarely provides the controls a business needs, including secure sharing, reporting, vault access management, onboarding and offboarding, and policy enforcement. For business credentials, use an approved enterprise password manager instead.

How Often Should Employees Change Passwords?

Only when there is a specific trigger, such as a suspected compromise, breach exposure, employee departure, shared-account change, or policy change. Routine, calendar-based resets weaken passwords over time.

What is the Difference Between MFA and 2FA?

Two-factor authentication (2FA) uses exactly two factors to verify identity. Multi-factor authentication (MFA) uses two or more, so 2FA is really one type of MFA. Either way, the goal is the same: a stolen password alone is not enough to access an account.

Can Password Managers Be Hacked?

No system is completely immune, but a reputable enterprise password manager protected by a long, unique master password and MFA is far safer than reusing passwords or saving them in browsers, spreadsheets, or notes. The reduction in risk far outweighs the alternative.

Stay Updated

Subscribe to receive information and updates from F12

Recent POSTS