The New Password Strategy: Long, Strong, and Not About You
For years, the rule was clear: add symbols, numbers, and capital letters. The result? Passwords no one can remember and plenty of Post-it notes.
We need a better way. The answer starts with length, then adds light complexity that’s easy to handle and hard to crack.
Why Longer Still Wins
Hackers don’t guess passwords by hand. They use software that runs through millions of combinations per second. A longer password creates more combinations. That’s what slows them down.
An 8-character password, even one drawing on every symbol on your keyboard? Crackable in days. A 16-character phrase with mixed case, a symbol or two, and a couple of numbers? Much harder to break.
Smart Passphrases That Hold Up
Start with real words. Add a bit of structure. You end up with passwords people can actually use without making life easy for attackers.
Examples:
- Books&LaddersCl1mbAtNight
- Canoe!FrozenLakeRuns2024
- QuietDogs$SleepInTents
They’re long, structured, and hard to crack. But they’re not personal.
Leave Your Life Out of It
Attackers use your online footprint against you. If your password includes:
- A partner’s name
- A child’s birthday
- Your dog’s name
- The city you grew up in
- Anything you post on social media
It’s easier to guess than you think. Avoid anything that could show up in a Facebook quiz or your LinkedIn profile.
The Only Rule You Need
Tell users to:
Create a 3-to-5-word passphrase with some numbers, capital letters, and a symbol. Don’t use personal info. Never reuse it.
Examples:
- Lobster!Drives4TaxiDaily$
- BooksAndTrains@Night2025
- BuilderLogsJump!Midnight
How to Roll It Out
- Pick a pilot group.
- Let them try it without forcing changes.
- Track how many adopt it and how many still lean on old habits.
- Only enforce once the results show it’s working.
What to measure:
- Password reset volume
- Passphrase adoption
- Use of personal info
- Support desk feedback
What Your Policy Should Do
- Set the minimum length to 14 characters or more
- Stop requiring a mess of forced symbols
- Block passwords already leaked in breaches
- Allow users to reset passwords on their own
- Monitor passwords that include names or common patterns
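The five policy points above, turned into a checker. This is an added example, not CasCom's or any vendor's tooling; the breach denylist and the user profile are constructed sample data, and a real deployment would swap the inline set for a breach corpus or a k-anonymity lookup.

```python
"""Checker for the policy above: length first, no forced symbols, block
breached passwords, flag personal info and common patterns. Added example,
not CasCom's tooling; breach list and profile are constructed sample data."""
import hashlib
import re

MIN_LENGTH = 14  # the article's floor
MIN_WORDS = 3    # "3 to 5 word passphrase"

# Constructed denylist of SHA-1 digests for a few well-known leaked passwords.
# A real deployment would load a breach corpus or query a k-anonymity API.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password", "Password123!", "qwerty123", "letmein")
}

# Character repeats, digit runs and keyboard walks / dictionary stand-bys.
COMMON_PATTERNS = [
    re.compile(r"(.)\1\1"),
    re.compile(r"0123|1234|2345|3456|4567|5678|6789"),
    re.compile(r"(?i)qwerty|asdf|zxcv|password|letmein"),
]

# Constructed user profile: the kind of data an attacker scrapes from social media.
PROFILE = {"name": "Alex Rivera", "partner": "Sam", "pet": "Rex",
           "city": "Boise", "child_birthday": "2015-03-14"}


def personal_tokens(profile):
    """Lower-cased fragments (3+ chars) of every profile value, e.g. 'rex', '2015'."""
    parts = (p for v in profile.values() for p in re.split(r"[^A-Za-z0-9]+", v))
    return {p.lower() for p in parts if len(p) >= 3}


def check_password(pw, profile=PROFILE):
    """Return policy violations; an empty list means accepted.
    Deliberately absent: any 'must contain a symbol' rule."""
    issues = []
    if len(pw) < MIN_LENGTH:
        issues.append("too_short")
    if len(re.findall(r"[A-Z]?[a-z]+", pw)) < MIN_WORDS:  # word-count proxy
        issues.append("too_few_words")
    if hashlib.sha1(pw.encode()).hexdigest().upper() in BREACHED_SHA1:
        issues.append("breached")
    if any(tok in pw.lower() for tok in personal_tokens(profile)):
        issues.append("personal_info")
    if any(pat.search(pw) for pat in COMMON_PATTERNS):
        issues.append("common_pattern")
    return issues
```

Run `check_password("IslandSkaterRunsAt5am2025!")` and it returns an empty list, while `check_password("RexRunsFastAt5am2024!")` is rejected only because the pet's name is in the constructed profile.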
What This Looks Like
A user sets IslandSkaterRunsAt5am2025! as their passphrase. It’s easy to remember, long enough to be secure, not based on personal trivia, and hasn’t shown up in any known breach.
Six months later: no reset ticket, no sticky note, no problem.
Security That Holds Up in the Real World
This isn’t about lowering the bar. It’s about giving people one clear rule that helps them succeed and keeps attackers out.
If your password policy still asks for symbols but ignores length or lets people use their birthday, it’s time to fix it.
Think your password policy is holding up? Let’s find out. Book a free cybersecurity assessment with CasCom today.