7 Password Myths That Are Putting You at Risk
There's a certain kind of security advice that feels right even when it's completely wrong. It sounds authoritative, it gets repeated in corporate IT policies, it gets drilled into employees during onboarding — and then quietly, years later, the people who invented it admit it was a mistake all along.
Password security is full of this stuff. Myths that calcified into rules. Rules that calcified into mandates. And mandates that are, right now, actively making your accounts less secure while you follow them to the letter.
Let's go through the big ones.
Myth #1: You Should Change Your Password Every 90 Days
This one has probably caused more harm than any other piece of security advice in history. The forced rotation policy — change your password every quarter, no exceptions — was the gold standard of corporate IT for two decades.
The logic seemed sound: if your password gets stolen, regular rotation limits how long an attacker can use it. But here's what actually happens when you force people to change passwords on a schedule: they pick Summer2024!, then Fall2024!, then Winter2025!. Security researchers call these "password walks," and attackers know exactly how to exploit them.
In 2017, Bill Burr — the NIST engineer who originally authored the forced-rotation guidelines back in 2003 — publicly apologized. He told the Wall Street Journal it was "barking up the wrong tree." NIST's updated SP 800-63B guidelines now explicitly recommend against forced rotation unless there's evidence of compromise.
The better approach: use a strong, unique password and don't change it until you have reason to believe it's been exposed. Which brings us to the next myth.
Myth #2: A Password Is Safe Until You Change It
Here's the uncomfortable truth: your password might already be floating around on a dark web forum right now, and you'd have absolutely no idea.
Data breaches don't announce themselves. Companies often don't discover intrusions for months. When LinkedIn was breached in 2012, the full scope of 117 million accounts didn't surface publicly until 2016 — four years later. People who changed their passwords on schedule during that window still had their credentials exposed.
This is where breach-checking tools genuinely earn their keep. Troy Hunt's HaveIBeenPwned aggregates data from known breaches and lets you check whether your email address (or specific passwords, via a k-anonymity API that never sends your actual password) has appeared in any of them. The Pwned Passwords database alone contains over 850 million compromised passwords.
Run your email through it right now. Then do it again in six months. Breach notification, not arbitrary calendar rotation, is what should trigger a password change.
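The k-anonymity lookup mentioned above, as an added example (this is not code from the article or from HaveIBeenPwned): the client hashes the password with SHA-1, sends only the first five hex characters of that hash to the public range endpoint, and compares the returned suffixes locally, so the password itself never leaves the machine. The live fetcher is shown for reference; the run below uses a constructed offline response whose counts and all but one suffix are made up.

```python
import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"

def hash_parts(password):
    """Split the uppercase hex SHA-1 of the password into the 5-char prefix that
    goes to the API and the 35-char suffix that never leaves this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def fetch_range_online(prefix):
    """Live range query: returns one 'SUFFIX:COUNT' line per known hash."""
    req = urllib.request.Request(PWNED_RANGE_URL + prefix,
                                 headers={"User-Agent": "pwned-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def pwned_count(password, fetch_range=fetch_range_online):
    """How many times the password appears in breach data (0 = not found).
    Only the prefix is sent; the suffix comparison happens locally."""
    prefix, suffix = hash_parts(password)
    for line in fetch_range(prefix).splitlines():
        found_suffix, _, count = line.strip().partition(":")
        if found_suffix == suffix:
            return int(count)
    return 0

# Constructed stand-in for the API response for prefix 5BAA6, the prefix of
# SHA-1("password"). The last suffix is the genuine remainder of that hash;
# the other suffixes and every count are made up so the example runs offline.
SAMPLE_RANGES = {
    "5BAA6": "\r\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "012C192B2F16F82EA0EB9EF18D9D539B0DD:1",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
    ]),
}

def sample_fetch_range(prefix):
    """Offline fetcher: any prefix not in the sample gets an empty range."""
    return SAMPLE_RANGES.get(prefix, "")

if __name__ == "__main__":
    for pw in ("password", "marble-sunset-typewriter-fog"):
        n = pwned_count(pw, sample_fetch_range)
        print(pw, "->", f"seen {n} times, change it" if n else "not in sample data")
```

Swap `sample_fetch_range` for `fetch_range_online` to query the real service; the same prefix-only request is all that goes over the wire.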
Myth #3: Complex Passwords Are Strong Passwords
P@$$w0rd! is not a strong password. It meets every traditional complexity requirement — uppercase, lowercase, number, special character — and it would be cracked within seconds by any modern password attack tool.
The reason is predictable substitution. Attackers' dictionaries include leet speak variants as standard. @ for a, 0 for o, 3 for e — these transformations are baked into hashcat rules that run automatically. Complexity requirements don't add entropy; they add the illusion of entropy while pushing people toward patterns that are already anticipated.
What actually matters is length and randomness. A passphrase like marble-sunset-typewriter-fog is longer, genuinely random, easier to remember, and vastly stronger than P@$$w0rd!. At 28 characters drawn from a large vocabulary, it has more entropy than a shorter "complex" string with symbols.
NIST's current guidelines agree: favor length over complexity. Minimum 8 characters is a floor, not a target. Aim for 15+ for anything that matters.
Myth #4: You Can Tell How Strong a Password Is By Looking at It
Password strength meters are everywhere, and most of them are wrong.
The classic meter that turns red-to-green as you add characters and symbols gives you a false sense of security. It's measuring surface-level features — length, character class variety — without accounting for predictability. Iloveyou1! might score "strong" on a naive meter. Actual cracking tools would get it in milliseconds because it's one of the most common passwords in existence with a trivial suffix tacked on.
The better meters — like the one used by Dropbox, built on the zxcvbn library — check your password against actual attack patterns: common phrases, names, dates, keyboard walks (qwerty, 123456), and known breach data. They estimate crack time rather than assigning an arbitrary score.
If you want a real strength check, paste your password into a zxcvbn-based tool that runs locally in your browser rather than sending the password to a server (or use 1Password's built-in strength meter, which uses similar logic). What you're looking for isn't a green bar — it's an estimated crack time of "centuries" or "centuries with a throttled attack."
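To make Myth #3 and Myth #4 concrete, here is an added example (not the zxcvbn code and not from the article) that puts a naive character-class meter beside a small pattern-aware estimator: the estimator undoes leet substitutions, splits off a trailing digit/symbol tail, looks the stem up in a ranked common-password list, and prices a hyphenated passphrase by vocabulary size. The ranked list, the leet map and the diceware-size vocabulary are assumptions constructed for illustration.

```python
import re

# Constructed excerpt of a ranked common-password list (rank = position + 1).
COMMON = ["123456", "password", "qwerty", "iloveyou", "letmein", "dragon"]
# Substitutions a hashcat-style leet rule makes; the estimator undoes them first.
LEET = {"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t"}
CLASSES = ((r"[a-z]", 26), (r"[A-Z]", 26), (r"\d", 10), (r"[^A-Za-z0-9]", 33))
DICEWARE_WORDS = 7776  # assumption: passphrase words come from a diceware-size list

def naive_strength(pw):
    """The classic red-to-green meter: character classes plus a length floor."""
    classes = sum(bool(re.search(p, pw)) for p, _ in CLASSES)
    if len(pw) >= 8 and classes == 4:
        return "strong"
    if len(pw) >= 8 and classes >= 3:
        return "medium"
    return "weak"

def unleet(s):
    """Reverse leet substitutions and count how many characters were substituted."""
    return "".join(LEET.get(c, c) for c in s).lower(), sum(c in LEET for c in s)

def pattern_guesses(pw):
    """Rough zxcvbn-style guess count: a ranked-list hit (directly, or after undoing
    leet and splitting off a digit/symbol tail) is cheap, a hyphenated passphrase
    costs vocabulary ** words, and anything else is the raw brute-force space."""
    if pw.lower() in COMMON:
        return COMMON.index(pw.lower()) + 1
    m = re.fullmatch(r"(.*?[A-Za-z])([^A-Za-z]*)", pw)  # stem + trailing digits/symbols
    if m:
        stem, subs = unleet(m.group(1))
        if stem in COMMON:
            tail = 1
            for c in m.group(2):
                tail *= 10 if c.isdigit() else 33  # a trailing "1!" adds only 330 guesses
            return (COMMON.index(stem) + 1) * 2 ** subs * tail
    words = pw.split("-")
    if len(words) >= 3 and all(w.isalpha() for w in words):
        return DICEWARE_WORDS ** len(words)
    return sum(n for p, n in CLASSES if re.search(p, pw)) ** len(pw)

def crack_seconds(pw, guesses_per_second):
    """Time to exhaust the guess space (zxcvbn scenarios: 10/s throttled online, 1e4/s slow hash, 1e10/s fast hash)."""
    return pattern_guesses(pw) / guesses_per_second

if __name__ == "__main__":
    for pw in ("P@$$w0rd!", "Iloveyou1!", "marble-sunset-typewriter-fog"):
        print(f"{pw:30} naive={naive_strength(pw):6} guesses={pattern_guesses(pw):.1e} "
              f"throttled={crack_seconds(pw, 10) / 3.15e7:.2g} yr fast={crack_seconds(pw, 1e10):.2g} s")
```

The naive meter rates the two leet-and-suffix passwords "strong" and the passphrase "weak"; the pattern estimator reverses that, and also shows that four random words hold up for centuries against a throttled online attack but only days against a fast offline hash, which is why hashing speed on the server side matters too.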
Myth #5: Writing Passwords Down Is Always Dangerous
This myth has a grain of truth buried under a lot of exaggeration. Yes, a Post-it note on your monitor is bad. But a handwritten notebook of passwords locked in a drawer at home? For most people, in most threat models, that's actually fine.
Think about who your actual adversaries are. For the average person, it's not a nation-state attacker who has physical access to your home. It's automated credential stuffing attacks, phishing campaigns, and remote exploitation of reused passwords. A physical notebook doesn't help any of those attackers.
Bruce Schneier — one of the most respected security researchers alive — has been saying this for years: "Writing down your password and putting it in your wallet is actually reasonably safe." The real risk isn't physical theft of paper; it's digital theft of reused or weak passwords.
That said: a good password manager (Bitwarden, 1Password, KeePass) is still the better solution. Encrypted, synced, accessible across devices, with breach monitoring and strong password generation built in. But "never write anything down" as an absolute rule pushes people toward memorizable — which means guessable — passwords, and that's a much worse outcome.
Myth #6: A Unique Password for Every Site Is Overkill
It's not overkill. It's the single most important thing you can do for account security, and it takes zero extra mental effort once you're using a password manager.
Credential stuffing is the dominant attack vector for account takeovers right now. Attackers take a list of email/password pairs from one breach, automate login attempts across hundreds of services, and collect whatever accounts reuse those credentials. It's not sophisticated hacking — it's an automated script running through lists of passwords that you already use.
In 2023, 23andMe was hit by a credential stuffing attack that exposed data on nearly 7 million users. The company's own systems weren't directly breached. Attackers just tried credentials from other breaches and found that millions of users reused passwords across sites.
A unique, randomly generated password for every account means that even if one service gets breached, the damage is completely contained. Generate them with your password manager — you don't need to remember them, so there's no reason to make them human-friendly.
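As an added defender-side example (not from the article), here is detection logic for the credential-stuffing pattern just described, run over a constructed login-log excerpt: one source address tries many distinct accounts in a short window with mostly failures, and the accounts that did succeed inside that burst are the ones whose owners reused a breached password and need a reset. The log format, the RFC 5737 test addresses and the usernames are all made up for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed login-log excerpt (RFC 5737 test addresses, made-up usernames):
# 203.0.113.7 walks a breach list, 198.51.100.2 is one person mistyping their own.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ip=203.0.113.7 user=alice result=fail
2024-05-01T10:00:02Z ip=203.0.113.7 user=bob result=fail
2024-05-01T10:00:02Z ip=203.0.113.7 user=carol result=fail
2024-05-01T10:00:03Z ip=203.0.113.7 user=dave result=success
2024-05-01T10:00:03Z ip=203.0.113.7 user=erin result=fail
2024-05-01T10:00:04Z ip=203.0.113.7 user=frank result=fail
2024-05-01T10:00:10Z ip=198.51.100.2 user=alice result=fail
2024-05-01T10:00:40Z ip=198.51.100.2 user=alice result=success
2024-05-01T10:05:00Z ip=203.0.113.7 user=grace result=fail
"""
LINE = re.compile(r"(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)")

def parse_log(text):
    """Parse log lines into event dicts with a datetime timestamp; skip unparseable lines."""
    events = []
    for m in map(LINE.match, text.splitlines()):
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return events

def detect_stuffing(events, window=timedelta(seconds=60), min_users=5, max_success_rate=0.2):
    """Sliding window per source IP: flag an IP that tries >= min_users distinct accounts
    inside `window` with mostly failures. Returns {ip: {"users": set, "succeeded": set}};
    "succeeded" are the accounts whose reused password was on the list and needs a reset."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:  # drop events older than window
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            hits = [e["user"] for e in win if e["result"] == "success"]
            if len(users) >= min_users and len(hits) / len(win) <= max_success_rate:
                a = alerts.setdefault(ip, {"users": set(), "succeeded": set()})
                a["users"] |= users
                a["succeeded"] |= set(hits)
    return alerts
```

`detect_stuffing(parse_log(SAMPLE_LOG))` flags only 203.0.113.7, listing the six accounts it tried and dave as the one to reset; the single user retrying their own password is never flagged, and grace's attempt five minutes later falls outside the window.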
Myth #7: Two-Factor Authentication Makes Your Password Irrelevant
This one goes the other direction — it's people dismissing password hygiene because they have 2FA enabled. The reasoning: even if my password is weak, 2FA will catch any unauthorized access.
The problem is that 2FA isn't always on, isn't always strong, and isn't always properly implemented. SMS-based 2FA can be bypassed through SIM-swapping attacks. Real-time phishing kits like Evilginx2 can intercept both your password and your 2FA code simultaneously in a man-in-the-middle attack. And many services only require 2FA on new devices — an attacker who already has your session cookie bypasses it entirely.
2FA is genuinely valuable and you should use it everywhere it's offered. But it's a layer, not a replacement. A strong, unique password is still your first line of defense. 2FA is what catches the cases where that first line fails.
If you want robust 2FA, prefer hardware security keys (YubiKey, Google Titan) or TOTP apps (Authy, Aegis) over SMS. And keep your passwords strong regardless.
What Actually Works
Strip away the myths and the practical advice is surprisingly simple:
- Use a password manager. Any of the major ones — Bitwarden is free and open-source; 1Password is polished; KeePass is local-only for the privacy-conscious.
- Generate long, random passwords for every account. Let the manager remember them.
- Check your email against breach databases periodically, and change passwords when you find a hit — not on a schedule.
- Use TOTP-based 2FA (not SMS) on anything important.
- Stop optimizing for passwords you can memorize. Memorability and security pull in opposite directions.
The real enemy of password security isn't lazy users — it's bad advice that got institutionalized before anyone tested whether it worked. Now we know better. The question is just whether the advice catches up to the evidence.
It's catching up slowly. In the meantime, you can get there first.