Resolve to Stop Following Bad Password Advice

Cybersecurity can be confusing and frustrating, especially when you receive bad advice from an expert. The most common bad advice shared by Cybersecurity professionals is around having complex passwords. To find out how to debunk password myths and understand simple practical guidance then this article is for you.


I often tell people cyber security is like weight loss, there is no end to people telling you what to do yet most folks can’t consistently do the basics. In addition there is no end to the confusing cybersecurity information. One particularly bad piece of advice concerns maintaining passwords, which is for the most the first and best line of defense for cybersecurity.  Former National Institute of Standards and Technology manager Bill Burr admitted guidelines he authored on strong passwords in 2003 were misguided. He now regrets those recommendations even though the guidelines ultimately became the standard for password security. The reason is these password recommendations are hard for people to remember but easy for computers to compromise.


Although the guidelines were revised this summer, many companies still reference these outdated recommendations. I recently received this from American Express, “It’s a good idea to frequently change your password with a combination of letters, numbers, and symbols.”  Unfortunately, when a person changes his or her password frequently they are less likely to have a unique and long password. If you’re like most people you have a set of reusable passwords that you rotate through and sometimes add an incremental number in order to get by typical security requirements such as new-password-can’t-be-the-same-as-the-last-X-passwords.


My top 3 recommendations for password security:

  1. Absolutely have a unique password for every website and application you use. If this means having a password manager or password naming convention then do whatever it takes to have different passwords. Reason – Once one password is compromised, most likely through phishing, criminals can use the same username/password combination to try every popular social media, email and financial site to gain access to your information.
  2. Longer and simpler is better than short and complex. Reason – To this day many servers keep passwords in a local file that is encrypted, but computers can match these very quickly leveraging a master list called a ‘rainbow table’. So even if you don’t give away your password criminals can often interpret what your password is through this trick.
  3. Don’t rely just on passwords, instead leverage two factor authentication whenever possible. The most common two factor is to have an email or text message send a code to you when you log into a website for the first time from a new computer. Reason – This prevents all attempts at compromising your account if someone knows your password, because you still control your phone.


As a technology professional, I leverage a software program from to remember my unique and extremely long passwords.  This tool can be a learning curve for the first few days as you start to add all of your prior passwords to a tool like this and change your most critical websites. However, after a few days you immediately gain not only the benefit of security, but time savings as all these passwords are now remembered for you.


Have questions or want to know more? Contact Shaun Hunt by leaving a comment below!

About Shaun Hunt


Email Address:

Shaun Hunt manages the Technology group at McKenney’s, covering everything from mobile devices to cloud computing. He holds a Master of Organizational Leadership from Southern NH University. Shaun launched his technology career in consulting at Accenture followed by Deloitte Consulting, before holding senior technology positions in financial services and non-profits. Shaun is passionate about creating efficient and effective systems that enable clear business value safely and securely.

Leave a Reply

Your email address will not be published. Required fields are marked *