Passwords are a huge part of security.
Done right, they can be pretty secure. Done wrong, they can be bypassed in a matter of seconds.
It’s no surprise that companies want to make sure their employees use decent passwords. But when there are so many myths about them, this can be difficult.
Myth #1: Passwords need changing every so often
This is the big one. Passwords don’t magically lose their security after a week, a month, or even a year.
So long as they’re strong and nobody else knows them, there’s no reason to ever change a password.
Some experts even think forcing people to change passwords regularly could be counterproductive. It gives people more things to remember, possibly encouraging them to do something like write down their current password in a public place.

Of course, you should immediately change your password if it’s weak, or if you’ve reused it somewhere, or if you think someone else might have it. But that doesn’t mean people should be forced to change their passwords, say, every 90 days.
Myth #2: Good passwords need special characters and numbers
As we said in our free password security course, the key to making a strong password is making it hard for a computer to guess.
Computers are generally good at guessing short, complicated passwords (“L1K3Th!sOne”) but bad at cracking long, simple ones (“like this one we’re typing on our keyboards right now”).
We always advise people to make their passwords as long as they can, while still being a little random and using words that shouldn’t go together.
“The kittehs of Sheffield have long tails” is much more secure than “H7j65s@@”, as well as being much easier to remember.
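A rough search-space comparison of the two passwords above, as an added example that is not from the original article. The guessing rate and the 7,776-word dictionary are assumptions, and the word-based figure is an upper bound that only holds if the words are chosen at random.

```python
import math

# Assumptions for this illustration (none of these numbers come from the article):
GUESSES_PER_SECOND = 1e10  # assumed offline guessing rate
WORDLIST_SIZE = 7776       # assumed dictionary size (a Diceware-style word list)
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def charset_size(password: str) -> int:
    """Size of the character pool an attacker must cover (ASCII passwords assumed)."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # 32 ASCII punctuation marks plus the space
    return size


def guess_bits(password: str) -> float:
    """Bits of search space under the cheaper of two attacker strategies."""
    if not password:
        return 0.0
    # Strategy 1: try every combination of characters.
    by_char = len(password) * math.log2(charset_size(password))
    tokens = password.split()
    if not all(t.isalpha() for t in tokens):
        return by_char  # not made of plain words, so a word list does not help
    # Strategy 2: try combinations of dictionary words. This is an upper
    # bound: it assumes randomly chosen words, and a natural sentence has less.
    by_word = len(tokens) * math.log2(WORDLIST_SIZE)
    return min(by_char, by_word)


def years_to_exhaust(password: str) -> float:
    """Years needed to try the whole search space at the assumed rate."""
    return 2 ** guess_bits(password) / GUESSES_PER_SECOND / SECONDS_PER_YEAR


if __name__ == "__main__":
    for pw in ("H7j65s@@", "The kittehs of Sheffield have long tails", "password"):
        print(f"{pw!r}: {guess_bits(pw):.1f} bits, {years_to_exhaust(pw):.3g} years")
```

The single word "password" is included to show that length alone is not enough: one dictionary word falls to the word-list strategy almost immediately.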

Myth #3: It’s only mildly dangerous to reuse a password
Password reuse is one of the biggest security mistakes there is.
This isn’t just because someone who steals your password could then reuse it for another website.
Big websites like Facebook and LinkedIn sometimes get hacked. When this happens, people’s passwords on those sites can become public knowledge.
Nobody knows how many passwords have been lost like this, but experts think it’s well into the billions.
If you reuse your passwords, change them right away. Otherwise, it’s only a matter of time until you get hacked.