Intercede Group plc

02/25/2026 | Press release | Distributed by Public on 02/25/2026 04:32

Why Password Requirements Don’t Work Anymore (And What to Do Instead)

For years, we've been told that the key to online security is a "strong" password: one that mixes uppercase letters, numbers, and special characters. Websites enforce increasingly complex rules, forcing us to create passwords that look more like encrypted codes than something we can remember.

But here's the uncomfortable truth: these requirements aren't working anymore. Despite all the complexity, data breaches are at an all-time high, and hackers are cracking passwords faster than ever. The problem isn't that users are lazy; it's that the entire system is flawed.

In this post, we'll explore why traditional password rules fail, how attackers exploit these weaknesses, and what smarter, more secure alternatives look like. If you're still relying on complexity alone, it's time to rethink your approach.

A Brief History of Passwords

The first recorded use of passwords dates back to 1961 with MIT's Compatible Time-Sharing System, which allowed multiple users to access a mainframe without seeing each other's files. Back then, a password was simply a shared secret between you and the machine; a successful login served as proof of identity, forming the foundation of modern authentication. Security wasn't a concern because access was tightly controlled.

As computers became widely accessible and the World Wide Web emerged, cracks in this model appeared. Hackers no longer needed physical access to a machine, making attacks easier and more common. Most users had little understanding of password security, often choosing names or other easily guessed words. This eroded secrecy, the core principle of authentication, leading to widespread breaches and a clear need for change.

The First Fix: Password Expiry Policies

The first major attempt to improve password security came in 1989 with password expiry policies. The idea was simple: if passwords were regularly reset, they'd become harder to guess, and any stolen password would only grant temporary access. In practice, this backfired. Later research showed that frequent changes frustrated users and actually weakened security: people resorted to predictable patterns or minor variations to cope. As a result, the policy was largely abandoned.

The Rise (and Fall) of Password Requirements

The second major fix, introduced around 1989 and widely adopted by the early 2000s, was password complexity requirements. This idea stemmed from a 1979 paper, Password Security: A Case History by Ken Thompson and Robert Morris, which warned about password cracking and recommended longer, more complex passwords. As attacks became more common, systems began enforcing these rules. Simple passwords like "1234" or "johnp" were banned as minimum lengths rose to 5-6 characters, with mixed case suggested but not mandatory. When that proved ineffective, the minimum increased to 6-8 characters, and by the late 1990s, standards required at least eight characters with uppercase, lowercase, numbers, and symbols.

By 2007, research showed these measures weren't enough, prompting a jump to 10-12 character minimums in 2010, again with little real improvement. In 2017, NIST shifted its guidance toward passphrases and relaxed strict complexity rules, acknowledging that decades of policy changes had only delivered marginal gains. The cycle of tweaks and failures highlights a troubling truth: complexity alone doesn't guarantee security.

Why Password Requirements Don't Work Anymore

Simply put, they solve the wrong problem. Password rules were designed to stop people from using obvious choices like "password" or "123456." While this blocks basic wordlist attacks, those are rarely used today because most users already avoid such weak passwords.

Modern attackers rely on credential stuffing: using stolen credentials from one breach to access accounts on other sites. If you reuse passwords, it doesn't matter whether yours is "Password1948" or "dune9$P3nguin@Integral"; both are equally vulnerable once exposed.

Password requirements only create diversity between users, not between a single user's accounts. When new rules appear, they force people to change passwords temporarily, but most just reuse the new one everywhere. This is why requirements lose effectiveness quickly and policies keep shifting. Ultimately, complexity rules don't address the real issue: password reuse. That's why technologies like Multi-Factor Authentication (MFA) exist: to patch a fundamentally weak system.

Password Blocklists: A Smarter Alternative

Password blocklists, such as the one in MyID PSM, are databases of previously breached passwords. When you create or change a password, it's checked against these lists to ensure it hasn't been compromised before. This approach is gaining traction because even small blocklists outperform traditional password requirements by effectively stopping common wordlist attacks. Larger blocklists go further, preventing users from reusing their own leaked passwords.

The result? A solution that's more secure, easier to remember, and far more user-friendly than complexity rules. Standards bodies like NIST (800-63B) and the UK Ministry of Justice are now endorsing blocklists over outdated password requirements, a clear sign of where best practice is headed.
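As an added illustration (not Intercede's code and not how MyID PSM is implemented), here is a minimal blocklist check in Python that follows the policy described above: a length floor of eight characters, no composition rules, and rejection of any password found in a breach corpus. The breach corpus is constructed, and the hash-prefix "range" lookup is an assumed design, modelled on the k-anonymity pattern used by public breached-password services, so that a client never has to send the full hash of a candidate password.

```python
import hashlib

# Constructed sample breach corpus standing in for a real blocklist, which
# would hold hundreds of millions of hashes rather than five strings.
BREACHED_PASSWORDS = [
    "password",
    "123456",
    "Password1948",
    "dune9$P3nguin@Integral",
    "qwerty123",
]

def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the UTF-8 password, the usual key for breach lists."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def build_range_index(passwords):
    """Index breached hashes by their first five hex characters (a 'range').
    Only that prefix has to leave the client when a remote blocklist is queried;
    the client compares the returned suffixes locally, so the candidate
    password's full hash is never disclosed (assumed k-anonymity design)."""
    index = {}
    for pw in passwords:
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index

RANGE_INDEX = build_range_index(BREACHED_PASSWORDS)

def query_range(prefix: str, index=RANGE_INDEX):
    """Stand-in for the blocklist service: every suffix stored under a prefix."""
    return index.get(prefix.upper(), set())

def is_breached(password: str, index=RANGE_INDEX) -> bool:
    """Client side: send the 5-character prefix, finish the match locally."""
    digest = sha1_hex(password)
    return digest[5:] in query_range(digest[:5], index)

def evaluate_password(password: str, min_length: int = 8):
    """Blocklist policy: a length floor plus a breach check, no composition rules.
    Returns (accepted, reason)."""
    if len(password) < min_length:
        return False, "too short"
    if is_breached(password):
        return False, "appears in breach blocklist"
    return True, "accepted"
```

Note that the "complex" password from the credential-stuffing example is rejected just like the simple one, which is the point: once a password has leaked, its composition no longer matters.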

What Are the Alternatives to Passwords?

Attackers are winning the arms race, and for good reason. Human-generated passwords are inherently weak. No matter how many rules we impose, they'll never be truly secure. The problem isn't just complexity; it's the human tendency to reuse, simplify, and forget.

So, what's next? Thankfully, there are better options:

  1. Passphrases Instead of Passwords
    Longer, memorable phrases (e.g., "PurpleCoffeeRunsFast") are far harder to crack than short, complex strings. They're easier for users to remember and more resistant to brute-force attacks.
  2. Password Managers
    These tools generate and store unique, strong passwords for every account, eliminating reuse and reducing human error. They also integrate with browsers and apps for convenience.
  3. Multi-Factor Authentication (MFA)
    Adding a second layer like a one-time code, biometric scan, or hardware token dramatically improves security. Even if a password is stolen, MFA makes unauthorised access far harder.
  4. Single Sign-On (SSO)
    For businesses, SSO centralises authentication, reducing password fatigue and improving security across multiple systems.

The future of authentication isn't about making passwords harder; it's about moving beyond them entirely.

If your organisation is ready to move beyond outdated password rules, our MyID product suite offers enterprise-grade solutions designed for both security and simplicity.

  • MyID MFA delivers fast, secure login and password replacement, providing a frictionless user experience while strengthening protection against modern threats.
  • MyID CMS enables you to issue and manage high-assurance credentials at scale: securely, efficiently, and in full compliance with best-practice security guidelines such as NIST, ISO 27001 and NIS2.

With MyID, you can take the next step toward passwordless authentication and future-proof your enterprise security.

Conclusion: The End of Password Rules as We Know Them

Password requirements were once seen as the cornerstone of online security, but today, they're little more than a relic of a broken system. Complexity rules don't stop credential stuffing, they frustrate users, and they fail to address the real problem: password reuse.

The good news? We have better solutions. Blocklists, passphrases, password managers, MFA, and passwordless authentication aren't just buzzwords; they're practical steps toward a safer digital future. The shift away from outdated requirements is already happening, with standards bodies like NIST leading the charge.

If you're still relying on complexity alone, it's time to rethink your strategy. Start by adopting MFA, using a password manager, and exploring passwordless options. Security isn't about making life harder for users; it's about making it harder for attackers. And that means leaving old password rules behind.

Get in touch today to arrange a demo.

Intercede Group plc published this content on February 25, 2026, and is solely responsible for the information contained herein. Distributed via Public Technologies (PUBT), unedited and unaltered, on February 25, 2026 at 10:32 UTC.