10 Password Security Myths Still Circulating in 2025
Mandatory rotation. Complexity over length. Security questions. These myths persist despite the evidence. Here is what the research actually shows.
Why bad password advice persists
Most organisations are still running password policies written in the early 2000s, when the threat model was different and the research was thinner. Those policies spread through corporate IT as "best practice" and calcified into compliance frameworks. Changing them requires challenging received wisdom — something organisations are reluctant to do without authoritative cover.
The cover now exists: NIST 800-63B, published in 2017 and updated since, explicitly debunks most of these myths. Here are the 10 most persistent ones.
Myth 1: Change your password every 90 days
Reality: Mandatory rotation pushes users into minimal, predictable changes (Password1 → Password2) that an attacker who already knows the old password can guess in a handful of tries. NIST 800-63B (section 5.1.1.2) tells verifiers not to require periodic changes, and to force a change only when there is evidence of compromise.
Myth 2: Symbols and uppercase make passwords stronger
Reality: Complexity rules produce predictable patterns (P@ssw0rd1!): a capital first letter, a few leet substitutions and a digit or symbol on the end, all of which are baked into every cracking rule set. Length is a more reliable indicator of strength than character-class mix, because each extra character multiplies the search space while a symbol substitution adds only a few extra guesses. See our length vs complexity analysis.
Myth 3: Security questions add security
Reality: Security question answers are guessable (mother's maiden name, high school), appear in data breaches, or can be read straight off social media. NIST 800-63B does not accept knowledge-based authentication (security questions) as an authenticator, and tells verifiers not to prompt users for that kind of information at all.
Myth 4: Longer passwords are harder to remember
Reality: A 5-word passphrase is both longer (typically 25+ characters with separators) and easier to remember than a complex 10-character string, because it is built from units you already know. The passphrase mode in PassGeni is designed for exactly this tradeoff.
Myth 5: Password reuse only matters for important accounts
Reality: Attackers replay breached credentials against every valuable service automatically (credential stuffing). A password shared between a gaming site and your banking app becomes a banking password the moment the gaming site is breached.
Myth 6: A site is safe if it shows a green padlock
Reality: HTTPS encrypts data in transit between your browser and the server. It says nothing about how the site stores your password, whether the site is a phishing clone (which can obtain a valid certificate just as easily), or whether it has already been breached.
Myth 7: Adding a number and symbol to a dictionary word makes it secure
Reality: Cracking tools apply these transforms automatically. dragon → Dr@g0n! is a trivial rule for hashcat: capitalise, substitute a→@ and o→0, append !. The tool tries every such rule against every word in its dictionary, so the mangled word falls as quickly as the plain one.
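To make the point of Myths 2 and 7 concrete, here is an added example (not code from this article or from hashcat) of a tiny interpreter for a subset of hashcat's rule language. The wordlist, rule list and target hashes are constructed for the demonstration; it uses unsalted SHA-256 as a stand-in for whatever hash a breached site used, since the rule logic is the same whatever the hash, only the cost per guess changes.

```python
import hashlib

# Added example: a small interpreter for a subset of hashcat's rule language.
# Supported functions, using hashcat's own letters:
#   :     no-op             l  lowercase      u  uppercase
#   c     capitalise        t  toggle case    r  reverse
#   $X    append char X     ^X prepend char X
#   sXY   replace every X with Y
# Real hashcat supports far more functions; these are enough to show the point.


def apply_rule(word: str, rule: str) -> str:
    """Apply one whitespace-separated rule (e.g. 'c sa@ so0 $!') to a word."""
    out = word
    for fn in rule.split():
        op, arg = fn[0], fn[1:]
        if op == ":":
            continue
        elif op == "l":
            out = out.lower()
        elif op == "u":
            out = out.upper()
        elif op == "c":
            out = out[:1].upper() + out[1:].lower()
        elif op == "t":
            out = out.swapcase()
        elif op == "r":
            out = out[::-1]
        elif op == "$" and len(arg) == 1:
            out = out + arg
        elif op == "^" and len(arg) == 1:
            out = arg + out
        elif op == "s" and len(arg) == 2:
            out = out.replace(arg[0], arg[1])
        else:
            raise ValueError(f"unsupported rule function: {fn!r}")
    return out


# Constructed sample inputs: a four-word dictionary and six mangling rules.
WORDLIST = ["dragon", "password", "monkey", "letmein"]
RULES = [
    ":",                  # the word as-is
    "c",                  # Dragon
    "c $1",               # Dragon1
    "u $!",               # DRAGON!
    "c sa@ so0 $!",       # Dr@g0n!
    "c sa@ so0 $1 $!",    # P@ssw0rd1!
]


def sha256_hex(text: str) -> str:
    """Stand-in for the target hash function (unsalted, fast: worst case for the user)."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def candidates(wordlist, rules):
    """Every word crossed with every rule: this is what a rule-based attack tries."""
    for word in wordlist:
        for rule in rules:
            yield apply_rule(word, rule)


def crack(target_hashes, wordlist, rules):
    """Return {hash: plaintext} for each target hash hit by wordlist x rules."""
    found = {}
    for cand in candidates(wordlist, rules):
        h = sha256_hex(cand)
        if h in target_hashes and h not in found:
            found[h] = cand
    return found


if __name__ == "__main__":
    # Two "complex" mangled passwords and one five-word passphrase (constructed).
    targets = {sha256_hex(p): p
               for p in ["Dr@g0n!", "P@ssw0rd1!", "flat tyre lantern orbit gravel"]}
    hits = crack(set(targets), WORDLIST, RULES)
    for h, plain in targets.items():
        print(f"{plain:32s} {'CRACKED' if h in hits else 'not found'}")
```

The two symbol-and-digit passwords fall after at most 24 guesses; the passphrase is never a candidate because no dictionary word plus a short rule produces it. Real rule files ship with hashcat and contain tens of thousands of rules, so every substitution a user is likely to think of is already there.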
Myth 8: You need to memorise your passwords
Reality: You need to memorise one good password (your password manager master password) and nothing else. Requiring memorisation of all passwords produces weak, reused passwords.
Myth 9: Password managers are a single point of failure
Reality: A password manager secured with a strong, unique master password and MFA is dramatically more secure than the alternative: weak, reused passwords you can remember. The single-point-of-failure concern is real but manageable (keep an offline backup of the vault and its recovery key, and protect the device it runs on); the alternative is worse.
Myth 10: Breach checking requires giving away your password
Reality: PassGeni's breach checker uses the k-anonymity range API from Have I Been Pwned. Your browser hashes the password with SHA-1 and sends only the first 5 hex characters of that hash; the API returns every known hash suffix for that prefix, and the comparison against the remaining 35 characters of your own hash happens locally. Your actual password never leaves your browser.
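The exchange described above, as an added example that is not PassGeni's own code: the password is hashed locally, only the 5-character prefix would go to the `range` endpoint, and the suffix lookup runs on the client. The network call is replaced with a constructed response so the example runs offline; the suffix for "password" is the real SHA-1 suffix, but the counts and the other suffixes are made up.

```python
import hashlib

# Added example of the Pwned Passwords k-anonymity range check.
# Real endpoint (not called here): GET https://api.pwnedpasswords.com/range/<5-hex-prefix>
# The response is one "SUFFIX:COUNT" line per known hash sharing that prefix.


def sha1_prefix_suffix(password: str) -> tuple:
    """Hash locally and split: only the 5-char prefix is ever sent."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; blank lines are ignored."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range) -> int:
    """How many times the password appears in the corpus (0 = not found).

    fetch_range(prefix) returns the response body for that prefix; the suffix
    comparison happens here, on the client, so the server never learns which
    of the returned suffixes (if any) belongs to the user.
    """
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# Constructed stand-in for the API. SHA-1("password") starts with 5BAA6 and the
# first suffix below is its real remainder; the counts and other suffixes are invented.
FAKE_RANGES = {
    "5BAA6": "\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824",   # real suffix, constructed count
        "0" * 34 + "A" + ":2",                           # constructed
        "F" * 34 + "1" + ":1",                           # constructed
    ]),
}


def offline_fetch_range(prefix: str) -> str:
    """Replaces the HTTP GET; an unknown prefix yields an empty body."""
    return FAKE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ["password", "flat tyre lantern orbit gravel"]:
        print(f"{pw!r}: seen {breach_count(pw, offline_fetch_range)} times")
```

Two practical notes: the service returns hundreds of suffixes per prefix, so a single prefix identifies the password to one candidate in roughly a million; and the live API accepts an `Add-Padding: true` request header that pads every response to a similar size, which stops an observer inferring the prefix from the response length.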