TL;DR: Password reuse, weak passwords, and phishing still drive compromise, with Verizon’s 2025 DBIR citing compromised credentials as a leading breach cause and Cloudflare reporting that nearly half of successful logins involve compromised credentials. The old model of frequent password changes has given way to longer unique passwords, password managers, and MFA as the practical baseline.
NHIMG editorial — based on content published by Orca Security: password hygiene guidance for safer accounts
By the numbers:
- NIST recommends creating a password at least 15 characters long.
Questions worth separating out
Q: How should organisations improve password security without making users miserable?
A: Focus on longer unique passwords, password managers, and MFA rather than constant complexity changes.
Q: Why does password reuse remain so dangerous in 2026?
A: Because one exposed password can unlock multiple accounts through credential stuffing.
Q: What do security teams get wrong about password resets?
A: They often treat scheduled resets as a substitute for stronger authentication.
Practitioner guidance
- Remove forced rotation schedules where they add friction without reducing risk. Replace periodic password change policies with breached-password blocking, minimum length rules, and MFA enforcement for all privileged and high-value accounts.
- Standardise password manager use across the workforce. Provide an approved password manager, require it for new account creation, and use policy to discourage manual reuse across business and personal services.
- Prioritise phishing-resistant MFA for critical access paths. Use stronger factors on administrative, finance, email, and remote access accounts first, then expand coverage to general user populations.
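The three guidance items above describe one account-creation policy: a minimum length, a breached-password block, no rotation on a calendar, and MFA keyed to account risk. As an added example (not code from this page, from NHIMG, or from Orca Security), the Python below sketches that policy as a checker. The 15-character minimum is the NIST figure quoted on this page; the breach list, the privileged role names, and the "predictable variant" normalisation are constructed assumptions for the example.

```python
import hashlib
import re

# The 15-character minimum is the NIST figure quoted on this page.
MIN_LENGTH = 15

# Assumed role names for the accounts the guidance says to cover with MFA first.
PRIVILEGED_ROLES = {"admin", "finance", "email-admin", "remote-access"}

# Constructed breach list for the example. Real deployments load a blocklist feed;
# storing digests keeps plaintext out of the checker and matches how such feeds ship.
_CONSTRUCTED_BREACHED = ["Welcome2024!Welcome", "correcthorsebatterystaple"]
BREACHED_SHA1 = {hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in _CONSTRUCTED_BREACHED}

# Common substitutions users apply when "changing" a password (assumed table).
_LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(password: str) -> str:
    """Reduce a password to its letter core so 'Summer2023!' and 'Summer2024!!' compare equal."""
    p = password.lower()
    p = re.sub(r"^[^a-z]+|[^a-z]+$", "", p)   # drop leading/trailing digits and symbols
    p = p.translate(_LEET)                    # undo common substitutions inside the word
    return re.sub(r"[^a-z]", "", p)           # anything still not a letter is noise


def evaluate_password(candidate: str, previous_passwords=()) -> list:
    """Return the policy failures for a candidate password; an empty list means accepted.

    Note what is absent: no expiry date and no symbol-count rule. Rejection is driven by
    length, breach exposure, and closeness to the user's own previous passwords.
    """
    failures = []
    if len(candidate) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    digest = hashlib.sha1(candidate.encode("utf-8")).hexdigest().upper()
    if digest in BREACHED_SHA1:
        failures.append("appears in breach corpus")
    core = normalize(candidate)
    if core and any(normalize(old) == core for old in previous_passwords):
        failures.append("predictable variant of a previous password")
    return failures


def mfa_required(roles) -> bool:
    """Phishing-resistant MFA is mandatory when the account holds any privileged role."""
    return bool(PRIVILEGED_ROLES.intersection(roles))


if __name__ == "__main__":
    history = ["Summer2023!"]
    for pw in ["Summer2024!", "Welcome2024!Welcome", "blue-giraffe-eats-lunch-at-noon"]:
        print(pw, "->", evaluate_password(pw, history) or "accepted")
    print("finance account needs MFA:", mfa_required(["finance"]))
```

The variant check is what makes dropping forced rotation safe in practice: without it, users who were trained by years of rotation to bump a digit will keep doing so, and the password manager requirement from the second item is what removes the incentive to do it at all. In a real deployment the breach lookup would query a blocklist service rather than a local set, and the role lookup would come from the directory.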
What's in the full article
Orca Security's full blog post covers the practical password guidance this post intentionally leaves at the strategy level:
- Specific user-facing password habits that reduce compromise without increasing helpdesk burden
- The article's plain-language explanation of why long passwords outperform short complex ones
- The recommended balance between MFA, password managers, and phishing awareness for everyday users
👉 Read Orca Security's full password hygiene guidance for everyday account protection →
Password hygiene in 2026: are your controls keeping up?
Explore further
Length and uniqueness are now the real password baseline. The article reflects a broader identity shift away from policy-driven password complexity and toward controls that survive real attacker behaviour. Length reduces guessability, and uniqueness prevents one compromise from becoming a fleet-wide problem. For IAM programmes, the lesson is that password policy should be measured by reuse resistance and breach resilience, not by how many symbol rules it imposes.
A few things that frame the scale:
- 88.5% of organisations acknowledge that their non-human IAM practices lag behind or are merely on par with their human identity and access management efforts, according to The 2024 Non-Human Identity Security Report.
- 23.7% of organisations share secrets through insecure methods such as email or messaging applications.
A question worth separating out:
Q: How can teams tell whether password controls are actually working?
A: Look for fewer reused credentials, lower success rates on credential stuffing attempts, and broader MFA coverage on high-risk accounts. If users still share passwords, bypass the password manager, or create predictable variants, the control model is not functioning as intended.
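The answer names three measurable signals: reuse, credential-stuffing success rate, and MFA coverage on high-risk accounts. As an added example (not code from this page, from NHIMG, or from Orca Security), the Python below computes the latter two from a handful of constructed login events. It assumes a simple key=value authentication log format, a constructed set of high-risk accounts, and a heuristic that treats a single source address attempting five or more distinct usernames as credential stuffing; the addresses are from the documentation ranges.

```python
import re
from collections import defaultdict

# Constructed sample log lines for the example (not taken from the page).
AUTH_LOG = """\
2026-03-02T08:00:01Z ip=203.0.113.7 user=alice result=fail mfa=no
2026-03-02T08:00:02Z ip=203.0.113.7 user=bob result=fail mfa=no
2026-03-02T08:00:03Z ip=203.0.113.7 user=carol result=fail mfa=no
2026-03-02T08:00:04Z ip=203.0.113.7 user=dave result=success mfa=no
2026-03-02T08:00:05Z ip=203.0.113.7 user=erin result=fail mfa=no
2026-03-02T08:05:00Z ip=198.51.100.4 user=alice result=success mfa=yes
2026-03-02T08:06:00Z ip=198.51.100.9 user=frank result=fail mfa=no
2026-03-02T08:06:30Z ip=198.51.100.9 user=frank result=success mfa=yes
"""

# Constructed set of high-value accounts (the admin/finance/email tier the guidance covers first).
HIGH_RISK_ACCOUNTS = {"alice", "dave"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+) mfa=(?P<mfa>\S+)$"
)


def parse(log_text: str) -> list:
    """Turn the assumed key=value log lines into dicts; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def analyze(log_text: str, high_risk_accounts=HIGH_RISK_ACCOUNTS, distinct_user_threshold=5) -> dict:
    """Compute stuffing success rate and high-risk MFA coverage from the log."""
    events = parse(log_text)

    # One source trying many different usernames is the shape of credential stuffing;
    # a single user failing repeatedly is not, so we group by source and count users.
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set(), "successes": 0, "succeeded": set()})
    for e in events:
        s = per_ip[e["ip"]]
        s["attempts"] += 1
        s["users"].add(e["user"])
        if e["result"] == "success":
            s["successes"] += 1
            s["succeeded"].add(e["user"])
    stuffing = {ip: s for ip, s in per_ip.items() if len(s["users"]) >= distinct_user_threshold}
    attempts = sum(s["attempts"] for s in stuffing.values())
    successes = sum(s["successes"] for s in stuffing.values())
    # Any account that a stuffing source logged into is a reused-credential suspect.
    accounts_to_review = sorted(u for s in stuffing.values() for u in s["succeeded"])

    # A high-risk account counts as covered only if every successful login used MFA.
    covered = 0
    for acct in high_risk_accounts:
        logins = [e for e in events if e["user"] == acct and e["result"] == "success"]
        if logins and all(e["mfa"] == "yes" for e in logins):
            covered += 1

    return {
        "stuffing_sources": {
            ip: {"attempts": s["attempts"], "distinct_users": len(s["users"]), "successes": s["successes"]}
            for ip, s in stuffing.items()
        },
        "stuffing_success_rate": successes / attempts if attempts else 0.0,
        "accounts_to_review": accounts_to_review,
        "mfa_coverage_high_risk": covered / len(high_risk_accounts) if high_risk_accounts else 1.0,
    }


if __name__ == "__main__":
    for key, value in analyze(AUTH_LOG).items():
        print(f"{key}: {value}")
```

On the constructed data the single stuffing source succeeds once in five tries and lands on an account with no MFA, so both numbers move in the wrong direction at once: the success rate is non-zero and high-risk coverage is only 50%. Tracked over time, the same two figures are the evidence the question asks for; a falling success rate with rising coverage means the controls are doing their job, while a steady trickle of successes from multi-user sources means credentials are still being reused somewhere.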
👉 Read our full editorial: Password hygiene still matters, but MFA and uniqueness matter more