Passwords, MFA, and Real-World Security
Forced 90-day password changes make security worse, not better. Here is what modern guidance actually recommends for passwords and MFA.
Most password policies are fighting the last war
The classic corporate password policy, with its forced change every ninety days and its demand for an uppercase letter, a number and a symbol, was well intentioned and is now actively counterproductive. It pushes people toward predictable patterns and sticky notes under keyboards. Modern guidance, most notably NIST SP 800-63B, has moved on, and aligning your practice with it makes your organisation both more secure and less irritating to work in.
Length beats complexity
The single most useful change is to favour long passphrases over short, complex strings. A passphrase of four randomly chosen, unrelated words is far harder to guess than a short password peppered with symbols, and far easier for a human to remember; its strength comes from its length and from the randomness of the choice, not from the symbols. Set a generous minimum length (current NIST guidance sets a floor of eight characters and recommends fifteen), accept at least 64 characters, allow the full range of characters including spaces and Unicode, and stop imposing composition rules that only produce Password1!, Password2! and so on.
Just as importantly, stop forcing routine expiry. Current guidance is to require a change only when there is evidence of compromise, for instance when the password turns up in a breach dump or the account shows signs of takeover. Forced rotation trains people to make tiny, predictable edits (Summer2024! becomes Autumn2024!), which are exactly the variations an attacker holding the old password tries first, so it weakens rather than strengthens security.
Screen against what attackers already know
Attackers do not guess passwords at random. They take credential lists leaked from past breaches and replay them against other sites (credential stuffing), or try a handful of the most common passwords across many accounts (password spraying). The most effective defence is to check new passwords against known-compromised lists and reject any that appear. A password that has been seen in a breach is worthless no matter how complex it looks. Many identity platforms offer this screening built in, and the Have I Been Pwned "Pwned Passwords" service exposes the same check through a k-anonymity API that only ever receives the first five characters of the password's SHA-1 hash; turning it on closes a huge category of attack quietly.
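Here is what the length-only rules above and the breach screening look like together in code. This is an added example, not BSH's code or any identity platform's: it applies a minimum and maximum length, normalises Unicode, deliberately imposes no composition rules and no expiry, and performs the k-anonymity breach check (hash the password with SHA-1, send only the first five hex characters, compare the remaining 35 locally). The blocklist, the breach counts and the "range" responses are constructed inline so the script runs offline; the `offline_range_lookup` function is a stand-in for the real HTTP call.

```python
import hashlib
import unicodedata
from typing import Callable, Dict, List

MIN_LENGTH = 15    # NIST SP 800-63B recommends 15; 8 is the hard floor
MAX_LENGTH = 128   # generous cap; NIST says accept at least 64


def sha1_hex_upper(password: str) -> str:
    """SHA-1 of the UTF-8 password as upper-case hex, the format range APIs use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed sample data: a pretend blocklist of three passwords, turned into the
# response bodies a k-anonymity "range" endpoint would return. Real services such as
# Pwned Passwords answer GET /range/<first 5 hex chars> with one line per hash sharing
# that prefix, formatted "<remaining 35 hex chars>:<count>". Counts are invented.
# A decoy line is included in every range so the suffix matching is exercised.
_CONSTRUCTED_BLOCKLIST = {
    "password": 5_000_000,
    "Password1!": 120_000,
    "correct horse battery staple": 3_500,
}
CONSTRUCTED_RANGES: Dict[str, str] = {}
for _pw, _count in _CONSTRUCTED_BLOCKLIST.items():
    _digest = sha1_hex_upper(_pw)
    _body = CONSTRUCTED_RANGES.setdefault(_digest[:5], "0" * 34 + "A:1\r\n")
    CONSTRUCTED_RANGES[_digest[:5]] = _body + f"{_digest[5:]}:{_count}\r\n"


def offline_range_lookup(prefix: str) -> str:
    """Stand-in for the HTTP call; in production fetch /range/<prefix> instead."""
    return CONSTRUCTED_RANGES.get(prefix, "")


def breach_count(password: str, lookup: Callable[[str], str] = offline_range_lookup) -> int:
    """k-anonymity lookup: only the 5-char prefix leaves the client, the rest is compared locally."""
    digest = sha1_hex_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix).splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate == suffix:
            return int(count)
    return 0


def evaluate_password(password: str, username: str = "",
                      lookup: Callable[[str], str] = offline_range_lookup) -> List[str]:
    """Return the reasons to reject the password; an empty list means accept.
    Deliberately absent: composition rules (upper/digit/symbol) and any expiry."""
    reasons: List[str] = []
    pw = unicodedata.normalize("NFKC", password)  # normalise before measuring and hashing
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if username and username.casefold() in pw.casefold():
        reasons.append("contains the username")
    seen = breach_count(pw, lookup)
    if seen:
        reasons.append(f"seen {seen} times in breach data")
    return reasons


if __name__ == "__main__":
    for candidate in ["Password1!", "correct horse battery staple", "lamp orchard velvet trombone"]:
        print(repr(candidate), evaluate_password(candidate, username="alice") or "OK")
```

Note that "correct horse battery staple" fails here despite being 28 characters long: once a passphrase is in a breach list its length no longer matters, which is why the breach check sits alongside the length rule rather than replacing it.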
MFA is the control that actually matters
If passwords are the lock, multi-factor authentication is the deadbolt, and it stops the overwhelming majority of automated account-takeover attempts. But not all MFA is equal, and it is worth being deliberate about the method: the weaker forms all hand the user a one-time code, and a phishing page can simply relay that code to the real site.
- SMS codes are better than nothing but vulnerable to SIM-swapping and interception, and like any typed one-time code they can be phished in real time. Treat them as a fallback, not the default.
- Authenticator apps generating time-based codes (TOTP) are a solid, widely supported middle ground. They take the phone network out of the picture, but the code is still something the user types, so a convincing phishing page that relays it within its thirty-second window gets in.
- Hardware keys and passkeys built on the FIDO2/WebAuthn standards are the strongest option, because they resist phishing by design: the credential is bound to the site's origin, so a lookalike domain cannot obtain a valid signature, and there is no code for the user to hand over.
Wherever feasible, push toward phishing-resistant methods, starting with the accounts that matter most: administrators, finance and anyone whose mailbox can reset other passwords. The shift to passkeys in particular is making strong authentication genuinely easy for ordinary users, removing the friction that historically held MFA back.
Give people a password manager
You cannot ask people to use a unique, long passphrase for every service and remember them all unaided. A password manager makes the secure path the easy path. Provide one, train people to use it, and the perennial problem of password reuse, where one breached site exposes a dozen accounts, largely disappears. For a business, a managed team password vault also lets you handle shared credentials and offboarding cleanly.
Aim for fewer passwords, not just better ones
The longer-term direction is to reduce how many passwords your people handle at all. Single sign-on consolidates access behind one strong, well-protected identity, so staff authenticate once rather than juggling dozens of logins. Fewer passwords means fewer chances to reuse, leak, or mistype them, and it makes enforcing MFA across everything far simpler. It also makes that one identity the crown jewel, so it is the first place to insist on phishing-resistant MFA.
Deal with shared and service accounts deliberately
Personal logins are only half the picture. Most organisations also have shared accounts, such as a social media login several people use, and service accounts that software uses to talk to other software. Both are frequently the weakest point, because nobody owns them, their passwords are rarely rotated, and MFA is awkward to apply. Tackle them head-on. Put shared credentials in a team password vault with controlled access and an audit trail, so you know who used what and can revoke access cleanly when someone leaves. For service accounts, prefer managed identities or short-lived tokens over a human-style password; where a long-lived API key is unavoidable, scope its permissions tightly, keep it in a secrets manager rather than in source code or configuration files, and rotate it. Document what each account is for and who owns it, so it does not become an orphaned backdoor.
Roll changes out with people, not at them
Tightening authentication touches everyone, every day, so how you introduce changes determines whether they stick or get worked around. Explain the why, not just the what; people accept a little friction when they understand the risk it addresses. Pilot new measures with a friendly group first, smooth out the rough edges, then expand. Provide clear guidance and a support route for the inevitable questions, especially around enrolling in MFA and adopting a password manager. Roll out enforcement in stages rather than flipping a switch on the whole organisation at once, so problems surface in a small group rather than as a flood of locked-out users. Security changes that ignore the human side tend to breed the very workarounds they were meant to prevent.
How BSH can help
BSH Technologies helps organisations modernise authentication, from sensible password policy and breach screening to phishing-resistant MFA, password managers, and single sign-on. If your password rules are stuck in the old world, we can help you move to an approach that is both stronger and easier to live with.