Passwords & MFA
Foundation · 5 min

Strong passwords & password managers

Long passphrases beat complex strings. Unique per account. Stored in a password manager. That fixes 99 % of all password problems.

What changed about passwords

The old rules - "at least 8 characters, one special symbol, change every 90 days" - have been shown to backfire. They produce patterns like Summer2024! and, 90 days later, Summer2025!. Attacker tools know every one of those patterns.

The current guidance (NIST, BSI, NCSC) is clear:

  • Length beats complexity. Aim for 16+ characters.
  • Forced rotation is out. Change when there's a reason - otherwise leave it alone.
  • Uniqueness is non-negotiable. Every account gets its own password.

01 · Long is strong

A phrase of 4-5 random words (e.g. 'apple storm coffee table') is more secure than 'P@ssw0rd!23' and easier to remember.

02 · Unique per account

When a service gets compromised, attackers test the password against a hundred other services automatically. Reuse = domino effect.

03 · Password manager, not memory

You memorize exactly one good master password. The rest gets generated and stored automatically.

Why reuse is the main problem

When an e-commerce shop gets hacked in 2025, the passwords end up on the dark web. Within hours, automated tools test those combinations against Gmail, Microsoft 365, online banking, LinkedIn. This is called credential stuffing - and it's the most common attack vector today.

The fix is mundane: one password per service, every one different. Practically impossible without a manager.

The password manager - what and why

A password manager (Bitwarden, 1Password, KeePass, the one built into Apple/Google) is an encrypted database protected by one master password. The benefits:

  • Generates random, long passwords automatically.
  • Fills them in at login - no typing, no forgetting.
  • Syncs across devices.
  • Warns about reuse or about leaked passwords.
  • Anti-phishing built in: only fills on the real domain.

The anti-phishing argument is underrated: if your manager doesn't autofill, the domain is usually wrong.

Choosing a master password

The one password you actually have to remember. Recommendation:

  • 4-6 random words, separated by spaces or hyphens
  • No names, birthdays, or band names that appear on your profile
  • Method: three random words from a book (the "diceware" approach)

Write it once on paper, store it locked at home - until it sticks.

Real case - credential stuffing

In 2023, a hotel booking platform leaks 23 million passwords. Within 72 hours, 1.4 million Microsoft 365 accounts using the same password get attacked. Roughly 40,000 logins succeed - not a Microsoft flaw, but reused passwords on the users' side.

A unique password per account would have protected 100 % of those accounts.

The two reflexes

  1. New account: Open the password manager → "Generate" → 20+ characters → save. Memorize nothing.
  2. Compromised account: Change the password, verify MFA, fix the same reuse on other services.

Bonus: what doesn't help

  • ❌ Forced periodic rotation (drives patterns)
  • ❌ "Secret question" with your pet's name (it's on Instagram)
  • ❌ Password in an Excel file on the desktop
  • ❌ "Summer2024!" - all variants are in attacker dictionaries

What helps: long, unique, in the manager. Plus MFA - that's the next training.
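A worked example for the "Long is strong", "Choosing a master password" and "what doesn't help" sections. This is added illustrative code, not part of the training page or any named password manager: it undoes the decorations attacker rule sets apply ("Summer2024!", "P@ssw0rd!23") to show they collapse to a single dictionary word, estimates the entropy of a diceware-style passphrase, and generates one with the OS CSPRNG. The word list and blocklist are small constructed samples; the 7776-word list size is the standard diceware figure.

```python
import math
import re
import secrets

# Constructed sample word list and blocklist (illustrative only): a real check
# would load a full diceware list (7776 words) and a breached-password list.
DICEWARE_LIST_SIZE = 7776
SAMPLE_WORDS = ["apple", "storm", "coffee", "table", "river", "candle", "orbit", "maple"]
COMMON_BASE_WORDS = {"password", "summer", "winter", "welcome", "admin", "letmein"}

# Leet substitutions that cracking rule sets apply; undoing them lets the
# check see the base word hiding behind "P@ssw0rd".
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "$": "s", "7": "t"})


def base_word(candidate: str) -> str:
    """Strip case, leading/trailing digits and symbols, then leet, so that
    'Summer2024!' and 'P@ssw0rd!23' collapse to 'summer' and 'password'."""
    word = candidate.lower()
    word = re.sub(r"[^a-z]+$", "", word)  # drop suffixes like '2024!' or '!23'
    word = re.sub(r"^[^a-z]+", "", word)  # drop a leading symbol
    return word.translate(LEET)


def assess(candidate: str) -> str:
    """Apply the page's rules: reject decorated dictionary words (one guess
    for an attacker), reject anything under 16 characters, otherwise accept."""
    if base_word(candidate) in COMMON_BASE_WORDS:
        return "reject:dictionary"
    if len(candidate) < 16:
        return "reject:short"
    return "ok"


def passphrase_bits(word_count: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Entropy of a passphrase whose words were chosen uniformly at random."""
    return word_count * math.log2(list_size)


def generate_passphrase(word_count: int = 5, words=SAMPLE_WORDS, sep: str = " ") -> str:
    """Diceware-style generation: the CSPRNG picks each word independently."""
    return sep.join(secrets.choice(words) for _ in range(word_count))


if __name__ == "__main__":
    for pw in ["Summer2024!", "P@ssw0rd!23", "apple storm coffee table"]:
        print(f"{pw!r:28} -> {assess(pw)}")
    print(f"4 diceware words: {passphrase_bits(4):.1f} bits")
    print("generated:", generate_passphrase(5))
```

Four random diceware words give about 51.7 bits, five about 64.6; the two decorated dictionary words are rejected before length is even considered.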
