Password management – why ‘password’ shouldn’t be your password

Whether it’s weak passwords, insecure storage, or poor reset mechanisms, many organisations still fall short when it comes to password hygiene. Here, we break down the core risks and explain how to implement an effective password management strategy based on the latest guidance from the National Cyber Security Centre (NCSC), the National Institute of Standards and Technology (NIST), and ISO 27001. 

Passwords remain one of the most widely used methods of authenticating users and one of the most vulnerable. Despite advancements in biometric logins and passkeys, compromised passwords continue to be a leading cause of data breaches. Gitnux’s Password Hacking Statistics: Market Data Report 2025 states that 81% of breaches are due to weak or stolen passwords.  

In this blog, you’ll learn: 

• Risks associated with poor password management 
• 3 principles for effective password management
• How to improve password entropy
• How to store and renew passwords 
• Reacting to a breach 

This blog was updated on 7 July 2025 to reflect the latest guidance and most up-to-date information.  

Risks associated with poor password management

Weak or poorly managed passwords remain a common entry point for attackers. Inadequate password practices can jeopardise both individuals and organisations with potentially catastrophic results. The impact of a breach depends on factors like user access levels, the sensitivity of the data involved, and whether other safeguardsWhen transferring personal data to a third country, organisations must put in place appropriate safeguards to ensure the protection of personal data. Organisations should ensure that data subjects' rights will be respected and that the data subject has access to redress if they don't, and that the GDPR principles will be adhered to whilst the personal data is in the..., such as Multi-Factor Authentication (MFA), are in place.  

Password vulnerabilities can arise at every stage of the password management cycle: 

1. Creation
   Using short, common, or predictable passwords increases the risk of compromise on the storage medium, such as smartphones. Attackers can easily exploit these through dictionary attacks or credential stuffing.  

2. Authentication
   Poor implementation of authentication mechanisms, such as lack of encryption in transit or acceptance of truncated passwords, can expose credentials to interception, side-channel attacks, or observation during entry. 
   

3. Storage
   Storing passwords in plain text or using outdated hashing algorithms can lead to brute-force attacks if systems are breached. Physical security also matters; leaving passwords written on sticky notes is still a surprisingly common and dangerous practice. 

4. Renewal
   Insecure renewal processes, including lack of user identity verification, can make phishingA type of scam where attackers try to deceive people into revealing sensitive information or installing malicious malware. Phishing attacks are most commonly delivered by email. or credential spoofing easier for attackers.  

3 principles for effective password management

Under Article 32 of both the UK and EU GDPRRegulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons regarding the processing of personal data and on the free movement of such data (General Data Protection Regulation)., controllers and processors are required to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. In practice, this means organisations must adopt a risk-based approach when determining the security measures necessary to protect the personal dataInformation which relates to an identified or identifiable natural person. they processA series of actions or steps taken in order to achieve a particular end.. 

Password management is one of the simplest, most cost-effective ways to reduce the risk of unauthorised access. Modern guidance no longer relies on arbitrary complexity rules (e.g., special characters or forced resets) but instead focuses on three key principles: 

• Password length over complexity: The latest NIST guidelines recommend a minimum of 8 characters and support passwords up to 64 characters. Long, user-generated passphrases are more secure and easier to remember than short, complex strings. 

• User-friendly, practical policies: The NCSC’s password policy advocates for memorable, strong passwords using the ‘three random words’ method. This promotes security without encouraging risky behaviours like password reuse or writing passwords down. 

• Risk-based customisation: ISO 27001 (2022) Control 5.17 requires organisations to define password policies in line with their specific risk environment. For example, systems handling highly sensitive data may justify stronger authentication requirements, while others may adopt simpler controls paired with MFA. 

How to improve password entropy

Password entropy refers to how unpredictable or difficult to guess a password is. The higher the entropy, the more resistant the password is to brute force or dictionary attacks. 

Many users still default to predictable, easy-to-remember choices like abc123, password, or 111111, but these offer little to no protection. Even deviations like P@ssw0rd! are easily cracked by modern attack tools. 

Rather than focusing on complexity through symbols and substitutions, current best practice recommends focusing on length and unpredictability. Organisations may insist that individuals choose a series of unrelated words, such as BeachCatRunning, to improve password strength without compromising memorability. 

The level of password entropy you require from employees or users will depend on what other mechanisms are in place to prevent unauthorised access. The more layers you add to your authentication process, the less you need to rely solely on password complexity. For example:  

• Password-only systems should require longer, less guessable passphrases (ideally 12+ characters and using random words) to compensate for the lack of additional security layers 
• Passwords with rate limiting can rely on slightly less complex passwords, as measures like account lockouts after several failed attempts help deter brute-force attacks 
• Passwords plus additional information, such as security questions or account numbers, add a second layer of defence, but these methods must be implemented carefully to avoid introducing new risks 
• Passwords plus MFA provides the strongest protection, as even shorter 4-digit pins can be secure when combined with a second factor, such as an authenticator appAn application, downloaded by a user to a mobile or other device. or SMS code 

How to store and renew passwords 

Storage 

Passwords should never be stored in plain text or in locations where they can be easily accessed by unauthorised individuals. This includes batch files, automatic logon scripts, software macros, terminal function keys, unprotected computers, or even written down in notebooks or saved in unsecured digital files. 

Instead, passwords must be stored using strong cryptographic hashing algorithms, ideally with added ‘salt’ (random data), to prevent attackers from easily deciphering them if breached. This aligns with NIST and ISO 27001 standards, which require secure handling of authentication information and robust protection of stored credentials. 

The NCSC also advises the use of reputable password managers, such as 1Password, to help users generate, store, and manage strong, unique passwords securely. 

Renewal

When it comes to password renewal, previous guidance encouraged regular password changes. However, both NIST and the NCSC now discourage this approach unless there is a specific reason, such as suspected compromise. Forced expiry often leads users to adopt weaker passwords or make minimal alterations to existing ones – ultimately weakening security rather than strengthening it. 

Instead, organisations should focus on proactive breach detection, such as credential monitoring tools, and allow users to change their passwords independently when needed. Reset mechanisms should include identity verification and follow secure design principles, as outlined in ISO 27001 Control 5.17. 

Reacting to a breach

Even with strong password policies in place, breaches can still occur. If a data breach affects stored passwords or information linked to password recovery, organisations should act swiftly to minimise risk. 

Impacted individuals must be notified without undue delay, in line with GDPR breach notification requirements. Access to affected accounts should be blocked until users reset their credentials, and they should be prompted to choose a new password upon next login. 

It’s also essential to advise affected users to update their passwords on any other services where the same credentials may have been reused. While password reuse should be discouraged, it remains a common user behaviour and can amplify the impact of a breach if not addressed quickly.  

For more tips on effective breach responses, read our data breach management blog.

Key takeaways

Effective password management relies on a combination of technical and organisational measures working together to reduce risk and encourage secure user behaviour. 

On the technical side, most platforms, such as Microsoft, allow you to configure your own password policies, beyond their default settings. This includes enforcing minimum length requirements, setting parameters for character types (e.g., upper and lowercase letters, numbers, and symbols), requiring password changes upon first login, and locking accounts after multiple failed attempts. You should also make Multi-Factor Authentication (MFA) mandatory for users with elevated access rights, in line with NIST and ISO 27001 best practice. 

Equally important are the organisational controls you put in place. A clear password policy should guide users on how to: 

• Create strong, memorable passwords (e.g., using three random words) 
• Avoid reusing passwords across accounts 
• Never store passwords in plain text or write them down 
• Keep credentials private and never share them with others 
• Report suspected compromise without delay 

Staff should be regularly reminded of the risks associated with weak or compromised passwords and be trained in how to respond if a breach occurs. 

Together, these technical controls and user-focused policies form the foundation of a secure, modern approach to password management. While simple to implement, these steps can significantly reduce your organisation’s vulnerability to brute force attacks, credential stuffing, and other common threats.  

If you would like support with creating a password management policy or have another data protection query, please contact us.  

In case you missed it… 

• CCTV and GDPR: What organisations get wrong 
• How to write a clear and compliant Privacy Notice  
• GDPR DPO requirements: What qualifies as large-scale processing?