June 09, 2025
Why Strong Passwords Still Matter and What's Next for Identity Protection
Did you know that the average number of passwords per person in the workplace is 87? Eighty-seven! Not only is that a lot of account credentials to remember, but it's also potentially a lot of open doors for hackers to take advantage of. After all, according to Verizon's 2025 Data Breach Investigations Report, credential abuse is still the most common vector for initial access, a 34% increase from the prior year's report.
Passwords aren't the be-all and end-all, and they're not your only line of defense. Cybersecurity experts at the National Institute of Standards & Technology (NIST) actually encourage you to avoid relying on passwords whenever possible. Knowing that passwords aren't going away tomorrow, let's learn about some ways to create strong passwords, stay secure, and prepare for the future of identity protection.
Five Tips for Safer Access and Credential Management
1. Use a Long Passphrase Instead of a Password
NIST now recommends passphrases of 15 characters or more. That doesn't mean adding random symbols—it means stringing together several unrelated words, which are easier to remember and exponentially harder to crack. For example: "RiverCalendarGlassStudio91!" - it's over 15 characters, memorable, and random enough to be hard to guess.
When creating your passphrase, avoid common words, patterns or tricks. 42% of people who have been hacked have passwords that use a combination of letters and numbers with personal significance, making them easier to guess! (Forbes Advisor)
Fun fact: did you know that a one-character password made from lowercase letters can be cracked in at most 26 tries? A 15-character passphrase, however, even one made only of lowercase letters, could take a computer over 500 years to brute-force at 100 billion guesses per second.
The ET&T team can recommend online random passphrase generators; reach out and we can help!
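To make the numbers above concrete, here is a small added example (ours for this post, not code from NIST or any passphrase generator it mentions). It builds a passphrase from a word list using the operating system's secure random source, reports how many bits of guessing work the list size gives, and estimates worst-case brute-force time at the 100-billion-guesses-per-second rate quoted above. The 16-word list is a constructed stand-in; a real generator uses a list of thousands of words, and that list size is where the strength comes from.

```python
import math
import secrets
import string

# Constructed word list for illustration only. A real generator draws from a
# list of thousands of words (for example a diceware list); the size of the
# list is what gives each word its entropy.
WORDS = ["river", "calendar", "glass", "studio", "harbor", "maple", "copper",
         "lantern", "orbit", "velvet", "timber", "quartz", "meadow", "anchor",
         "falcon", "ember"]

GUESSES_PER_SECOND = 100_000_000_000  # the 100 billion guesses/sec rate from the post
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def generate_passphrase(words=WORDS, count=4, separator=""):
    """Join `count` words chosen with the OS CSPRNG (the secrets module), never
    random.choice, whose output is predictable. Capitalising each word keeps the
    word boundaries readable without adding symbols."""
    return separator.join(secrets.choice(words).capitalize() for _ in range(count))


def passphrase_entropy_bits(list_size, count):
    """Each word is one of list_size equiprobable picks, so the guess space is
    list_size ** count and the entropy is count * log2(list_size)."""
    return count * math.log2(list_size)


def estimate_alphabet_size(password):
    """Alphabet an attacker must cover for a character-by-character brute force:
    26 lowercase, 26 uppercase, 10 digits and the 32 ASCII punctuation symbols."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return size


def brute_force_seconds(alphabet_size, length, guesses_per_second=GUESSES_PER_SECOND):
    """Worst case: every combination of `length` characters has to be tried."""
    return alphabet_size ** length / guesses_per_second


def brute_force_years(alphabet_size, length, guesses_per_second=GUESSES_PER_SECOND):
    return brute_force_seconds(alphabet_size, length, guesses_per_second) / SECONDS_PER_YEAR


if __name__ == "__main__":
    phrase = generate_passphrase(count=4)
    bits = passphrase_entropy_bits(len(WORDS), 4)
    print(f"Generated: {phrase} ({bits:.1f} bits from a {len(WORDS)}-word list)")
    print(f"One lowercase character: {brute_force_seconds(26, 1, 1):.0f} guesses")
    print(f"15 lowercase characters: {brute_force_years(26, 15):.0f} years "
          f"at {GUESSES_PER_SECOND:,} guesses/s")
    alphabet = estimate_alphabet_size("RiverCalendarGlassStudio91!")
    print(f"The post's example (alphabet of {alphabet}, 27 characters): "
          f"{brute_force_years(alphabet, 27):.3g} years")
```

Running it prints a fresh passphrase each time and shows the two figures from the post (26 guesses for one lowercase character, roughly 530 years for 15 of them). Note that the entropy line is the honest measure: four words from a 16-word list is only 16 bits, which is why real generators need long lists, and why the attacker's brute-force estimate for the characters is an upper bound, not a guarantee, when the words come from a short, public list.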
2. Use a Passkey
Passkeys are a new way to prove your identity online: a private digital key is stored on a device you already carry around, like your phone. Using a biometric sensor (such as a fingerprint or facial recognition), a PIN, or a pattern, users can log in to apps and websites without having to remember and manage passwords.
You may already be using passkeys on your iPhone, as they've been widely adopted across Google, Apple and Microsoft. If you've ever been prompted to "Use Face ID to Sign in," you're creating a passkey that's saved to your iCloud Keychain. In this way, you're creating uniquely generated credentials for every account on your device, which are less vulnerable to phishing.
3. Activate Multi-Factor Authentication (MFA)
MFA provides an extra layer of security that can help protect your account even if your password has been compromised. You probably already use this if you've ever been prompted to accept a "Push Notification" or input a code to verify your sign-in using tools like Microsoft Authenticator, Duo, or even text messages. With MFA in place, even an attacker who has your username and password still needs the second device or verification tool to log in, and that is much harder to get hold of.
4. Password Managers
You don't need to remember 250 unique logins. Let a trusted password manager handle it. These tools store your credentials securely and can even generate strong passwords for each new account. Just make sure your master password (the one that unlocks your vault) is long, strong, and unique. That's your single point of control.
5. Smarter Password Policies - Not Stricter Ones
Old-school policies like requiring symbols, changing passwords every 30 days, or limiting pastes do more harm than good. According to both NIST and Huntress, these rules push users toward shortcuts—like reusing passwords or writing them down.
Since passwords are ultimately susceptible to compromise, it may make sense to change them when required. If you think your account has been compromised, when a password has been shared or members of your team come and go, or when privileged access requirements change, the ET&T team may recommend a reset. Routine resets, however, tend to just lead to weaker passwords and user frustration.
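To show the difference between a "stricter" and a "smarter" policy in practice, here is an added example written for this post (not a policy engine from NIST, Huntress or any product). The legacy function encodes the old rules described above: a short minimum length, required character classes and a 30-day expiry. The modern function keeps only what actually helps: a 15-character minimum, a check against a list of known or commonly used passwords, and a reset only when there is a reason, such as a suspected compromise. The blocklist is a constructed five-entry stand-in; a real deployment screens against a large breached-password list.

```python
import string
from datetime import date

# Constructed blocklist for illustration; a real deployment screens against a
# large list of breached and commonly used passwords.
BLOCKLIST = {"password", "password1", "letmein", "summer2025",
             "correcthorsebatterystaple"}


def _normalize(password):
    """Lower-case and strip non-alphanumerics so 'Summer-2025!' still hits
    the blocklist entry 'summer2025'."""
    return "".join(ch for ch in password.lower() if ch.isalnum())


def legacy_policy(password, last_changed, today):
    """The old-school rules the post warns against: short minimum, mandatory
    character classes, forced reset every 30 days. Returns the violations."""
    findings = []
    if len(password) < 8:
        findings.append("shorter than 8 characters")
    if not any(c.isupper() for c in password):
        findings.append("needs an uppercase letter")
    if not any(c.isdigit() for c in password):
        findings.append("needs a digit")
    if not any(c in string.punctuation for c in password):
        findings.append("needs a symbol")
    if (today - last_changed).days > 30:
        findings.append("older than 30 days, reset required")
    return findings


def modern_policy(password, compromised=False):
    """Length plus screening, in the spirit of NIST's guidance: no composition
    rules and no calendar-based expiry; a reset only when there is a reason,
    such as a suspected compromise, a shared password or staff changes."""
    findings = []
    if len(password) < 15:
        findings.append("shorter than 15 characters")
    if _normalize(password) in BLOCKLIST:
        findings.append("matches a known or commonly used password")
    if compromised:
        findings.append("reset required: credential suspected compromised")
    return findings


if __name__ == "__main__":
    today = date(2025, 6, 9)
    candidates = ["Summer2025!", "correct horse battery staple",
                  "RiverCalendarGlassStudio91!"]
    for pw in candidates:
        print(f"{pw!r}")
        print("  legacy :", legacy_policy(pw, date(2025, 6, 1), today) or "accepted")
        print("  modern :", modern_policy(pw) or "accepted")
```

The sample run shows the two policies disagreeing in both directions: "Summer2025!" satisfies every legacy composition rule yet is short and on the blocklist, while a long phrase with no symbols fails the legacy rules but only fails the modern check because that particular phrase is famous enough to be on the list. The post's own example passes both.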
Your credentials protect your client data, financial systems, intellectual property—and your reputation. Strong passwords, passphrases, and passkeys, backed by MFA and smart policies, are the foundation of a resilient cybersecurity plan. Whether you're running a CPA firm, a local municipality, or a law office, secure credentials are just as critical as any firewall or antivirus software.
If you'd like help educating your team or reviewing your firm's password practices, ET&T is here to help translate the tech into plain English—and set you up for safer, smarter operations.
Ready to evaluate your business's password policies?
Click Here or call us at 610-433-1000 to schedule a FREE Consult and let's safeguard your operations against any disaster.