
Password Reset: Volume 4

Oct. 29, 2025

Why Most Password Policies Fail, and What to Do Instead

In late 2022, attackers breached Uber’s internal systems by tricking an employee into approving a login request. The company used multi-factor authentication (MFA), but the attacker bombarded the employee with push notifications until they finally tapped “approve.”

That single action gave the hacker access to sensitive data, internal tools, and source code.

This isn’t rare. It’s routine.

Most password policies were written for a different era. They rely on outdated rules that frustrate employees and fail to stop hackers. Complexity requirements, forced changes, and lockouts don’t improve security. They just create friction.

This post breaks down what’s wrong with traditional password policies and how to build one that actually works.

The Problem with Old-School Policies

  • Forced changes lead to weaker passwords. Employees add a number or change one character to meet the requirement. Attackers know this.
  • Complexity rules don’t stop breaches. “Password1!” meets most policies but is easily guessed.
  • Lockouts punish users, not attackers. Brute-force tools simply slow down to stay under the lockout threshold and avoid detection. Real users get locked out and call IT.

These rules don’t improve security. They just make it harder for people to do their jobs.

What Modern Policies Do Differently

Based on updated guidance from the National Institute of Standards and Technology (NIST), here’s what works:

  • Require a minimum length (at least 8 characters)
  • Encourage passphrases instead of complex strings
  • Screen passwords against known breach databases
  • Skip forced expiration unless there’s evidence of compromise
  • Use multi-factor authentication (MFA) for sensitive systems
  • Support password managers to reduce reuse and improve storage
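The list above turned into a password-acceptance check, as an added example that is not part of the original post and not STACK Cyber's own tooling. It enforces the length floor, adds no composition rules, screens against a breach corpus, and triggers rotation only on evidence of compromise. The breach corpus here is a small constructed set, `range_lookup` is a local stand-in for a k-anonymity "range" lookup (the caller sends only the first five hex characters of the SHA-1 and the full hash never leaves the client), and the 64-character upper bound is an assumption rather than something the post states.

```python
"""Password-acceptance check implementing the modern policy rules.

Added example, not from the original post. Assumptions: a SHA-1 breach
corpus (constructed inline here), a local stand-in for a k-anonymity
range lookup, and a 64-character upper bound on length.
"""
import hashlib
import unicodedata

MIN_LENGTH = 8    # floor named in the post: at least 8 characters
MAX_LENGTH = 64   # assumption: cap so hashing/storage cost stays bounded


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the UTF-8 password (the breach-corpus format)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed sample breach corpus, stored as digests only (never plaintext).
# A real deployment would load a large corpus such as the Have I Been Pwned set.
BREACH_CORPUS = {
    sha1_hex(p) for p in ("Password1!", "password", "qwerty123", "letmein!!")
}


def range_lookup(prefix: str) -> set[str]:
    """Stand-in for a k-anonymity range endpoint.

    Given the first 5 hex characters of a SHA-1, return the suffixes of every
    breached digest that shares the prefix. The full hash stays with the caller.
    """
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return {h[5:] for h in BREACH_CORPUS if h.startswith(prefix)}


def is_breached(password: str) -> bool:
    """Screen a password against the corpus using only its 5-char hash prefix."""
    digest = sha1_hex(password)
    return digest[5:] in range_lookup(digest[:5])


def normalize(password: str) -> str:
    """NFKC-normalize so visually identical Unicode forms are treated alike."""
    return unicodedata.normalize("NFKC", password)


def check_password(password: str) -> tuple[bool, list[str]]:
    """Return (accepted, problems). Length and breach screening only:
    deliberately no uppercase/digit/symbol composition requirements."""
    pw = normalize(password)
    problems: list[str] = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    elif len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if is_breached(pw):
        problems.append("appears in a known breach corpus")
    return (not problems, problems)


def rotation_required(days_since_change: int, evidence_of_compromise: bool) -> bool:
    """No calendar-based expiry: age alone never forces a reset.
    Only evidence of compromise does (days_since_change is intentionally unused)."""
    return evidence_of_compromise


if __name__ == "__main__":
    for candidate in ("Password1!", "Tr0ub4d", "correct horse battery staple"):
        accepted, why = check_password(candidate)
        print(f"{candidate!r}: {'accepted' if accepted else 'rejected'} {why}")
    print("rotate after 400 days, no compromise:", rotation_required(400, False))
    print("rotate after 3 days, compromised:", rotation_required(3, True))
```

Note that "Password1!" is rejected purely because it is in the corpus, not because of any character-class rule, which is exactly the shift the post describes: screening catches the guessable password that complexity rules would have waved through, while a long passphrase with no digits or symbols is accepted.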

This approach improves security and reduces help desk tickets. It also builds trust with employees, who stop seeing security as a barrier.

What Business Leaders Need to Know

Password security isn’t just an IT issue. It’s a leadership issue.

  • If your team sees executives writing passwords on sticky notes, they’ll do the same.
  • If your policy is confusing or punitive, employees will find workarounds.
  • If you don’t enforce standards, attackers will find the gaps.

A clear, modern policy helps build a culture of accountability. It also supports compliance with frameworks like SOC 2, HIPAA, and CMMC without overwhelming your team.

Tools to Help You Get Started

We’ve created a general-use password policy template and a checklist for onboarding and training. These resources are designed for business leaders, not just IT teams.

[Download the Password Policy Template]

[Download the Onboarding Checklist]

Related Resources

Need help optimizing your passwords?

Call (734) 744-5300 or Contact Us to schedule a consultation with our team of professionals.

Cybersecurity Risk Assessment

Do you know if your company is secure against cyber threats? Do you have the right security policies, tools, and practices in place to protect your data, reputation, and productivity? If you're not sure, it's time for a cybersecurity risk assessment (CSRA). STACK Cyber's CSRA will meticulously identify and evaluate vulnerabilities and risks within your IT environment. We'll assess your network, systems, applications, and devices, and provide you a detailed report and action plan to improve your security posture. Don't wait until it's too late.
