7 Password Myths That Are Putting You at Risk
Your IT department means well. Your bank means well. That sticky note on your monitor reminding you to change your password every 90 days? Whoever put that policy in place absolutely meant well. But good intentions don't make bad advice safe — and a surprising amount of the password guidance most of us grew up with has been quietly proven wrong by researchers and formally repudiated by the very standards body that helped create it.
In 2017, NIST (the National Institute of Standards and Technology) published a revision of its digital identity guidelines, SP 800-63B, that reversed decades of conventional wisdom, much of which traced back to NIST's own earlier guidance. The security community has largely moved on. Your company's IT policy probably hasn't. Here's what you've been told, why it's wrong, and what actually works.
1. "You Must Change Your Password Every 90 Days"
This one has caused more harm than almost any other piece of security advice. The logic seemed sound: rotate passwords frequently and attackers have a smaller window to exploit stolen credentials. In practice, humans don't behave like that model predicted.
When forced to change passwords on a rigid schedule, people make tiny, predictable changes. Fluffy2024 becomes Fluffy2025. Summer1! becomes Fall1!. Zhang, Monrose and Reiter at UNC Chapel Hill studied this pattern in 2010 using expired university account passwords and found that, given one old password, their transformation-based guessing recovered the account's next password for about 41% of accounts offline in a matter of seconds, and for about 17% within five online guesses.
NIST's current guidance is clear: verifiers should not require memorized secrets to be changed arbitrarily (for example, periodically), but they must force a change when there is evidence the secret has been compromised. Change your password when it has been breached, not because a calendar says so.
2. "A Complex Password with Symbols Is Always Stronger"
We've all created P@ssw0rd! and felt clever about it. The requirement to include uppercase, lowercase, numbers, and at least one symbol has been standard policy for so long that it feels like a natural law. It isn't.
The problem is that humans satisfy complexity requirements predictably. Capital letter at the start. A number or two at the end. Exclamation point as punctuation. These patterns are so universal that cracking tools such as hashcat and John the Ripper ship with rule sets that apply exactly these mangling steps (capitalize the first letter, append a year, swap in leet-speak substitutions like @ for a, 0 for o and 3 for e) to every word in a dictionary. A wordlist run through those rules cracks "complex" passwords far faster than their apparent variety suggests.
NIST now discourages mandatory complexity rules in favor of length. A passphrase made of four words chosen at random from a large list (correct horse battery staple, if you've seen the famous xkcd comic) comes to roughly 25 characters, carries about as much entropy as a truly random 8-character string of printable ASCII and far more than a human-chosen "complex" 8-character password, and is much easier to remember. Each additional random word adds about 13 bits, the equivalent of two more random printable characters. Length beats symbol soup every time.
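To make the entropy comparison concrete, here is an added example (not code from the article) that computes the bits of entropy for several schemes under truly random selection and generates a passphrase with Python's CSPRNG. The 7776-word list size is the Diceware/EFF convention and the mini word list is constructed for the demo; both are assumptions, since the article names neither.

```python
import math
import secrets

# Constructed mini word list so the demo runs offline. A real generator draws
# from a large published list such as the 7776-word EFF/Diceware list; the
# article names no specific list, so this is an assumption for illustration.
WORDS = [
    "correct", "horse", "battery", "staple", "orbit", "velvet",
    "pencil", "glacier", "marble", "tundra", "cobalt", "lantern",
    "walnut", "meadow", "signal", "copper",
]


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy in bits of `length` symbols each drawn uniformly at random from
    `pool_size` options: length * log2(pool_size). Only valid for genuinely
    random selection; a human-chosen 'Tr0ub4dor&3' has far less."""
    if pool_size < 2 or length < 1:
        raise ValueError("need at least two symbols and one position")
    return length * math.log2(pool_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time for an offline attacker to try every candidate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def generate_passphrase(wordlist, n_words: int = 4, sep: str = " ") -> str:
    """Pick n_words uniformly at random with the CSPRNG in `secrets` (never the
    `random` module, whose output is predictable). Draws are independent and
    words may repeat, which is exactly what the entropy formula assumes."""
    if n_words < 1:
        raise ValueError("need at least one word")
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def comparison_table() -> dict:
    """Entropy of common schemes under truly random selection."""
    return {
        "8 chars, lowercase only": entropy_bits(26, 8),
        "8 chars, all 95 printable ASCII": entropy_bits(95, 8),
        "4 words, 7776-word list": entropy_bits(7776, 4),
        "5 words, 7776-word list": entropy_bits(7776, 5),
        "16 chars, all 95 printable ASCII": entropy_bits(95, 16),
    }


if __name__ == "__main__":
    # 1e10 guesses/s is a plausible GPU rate against a fast unsalted hash
    # such as MD5 or NTLM (assumption for illustration).
    for scheme, bits in comparison_table().items():
        print(f"{scheme:34s} {bits:5.1f} bits  "
              f"{years_to_exhaust(bits, 1e10):9.2e} years to exhaust")
    print("example passphrase:", generate_passphrase(WORDS))
```

Four random words from a 7776-word list come to about 51.7 bits, essentially the same as eight truly random printable characters (52.6 bits); the difference is that nobody remembers the latter, while the human-chosen "complex" password the xkcd comic mocks sits near 28 bits.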
3. "Never Write Down Your Password"
The intent here was good in 1990, when the biggest threat was a coworker snooping at your desk. The threat landscape looks radically different now. Remote attackers in other countries vastly outnumber the nosy colleague who might rummage through your drawer.
NIST's guidance acknowledges that rigid rules push people to write passwords down or store them unprotected, and it explicitly recommends that sites allow pasting into password fields so that password managers are practical. A password written on paper and stored in a locked drawer at home is generally more secure than a weak password you can memorize, or, far worse, the same password reused across thirty sites. The Post-it on your monitor is still a bad idea. A notebook in your home safe is not.
Better still: use a password manager. Bitwarden, 1Password, KeePassXC. These store your passwords encrypted behind one strong master passphrase, auto-fill them, and generate truly random credentials you'd never invent yourself. "Never write it down" was advice for an era before this technology existed.
4. "Use a Different Character Type in Every Section of Your Password"
You've seen it: the site that demands at least one uppercase letter, one lowercase letter, one number, and one special character — and then rejects your perfectly random 20-character string because it doesn't meet some arbitrary positional requirement. This is security theater with a user experience cost.
The strength of a password comes from its unpredictability, its entropy. Composition rules constrain the password space (every string without, say, a digit is excluded) and, worse, steer humans toward the same few ways of satisfying them, which attackers model directly. A truly random password generated by a password manager needs no rules. The randomness is the protection.
NIST's updated guidelines tell verifiers to accept all printable ASCII characters, including the space, plus Unicode; to allow secrets of at least 64 characters without silently truncating them; and to drop composition rules entirely, checking candidates instead against a blocklist of known-breached and commonly used values. If your password manager generates it, trust it. If a website rejects a 30-character random string for "not meeting complexity requirements," that website has a bad security team.
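The two policies side by side, as an added example rather than code from the article: a legacy composition-rule checker of the kind the text criticizes, and a checker that follows the SP 800-63B approach (length bounds, Unicode normalization, a breached-password blocklist, no composition rules). The blocklist contents and the 16-character cap in the legacy checker are constructed for the demo.

```python
import unicodedata

MIN_LENGTH = 8    # SP 800-63B: memorized secrets SHALL be at least 8 characters
MAX_LENGTH = 64   # SP 800-63B: verifiers SHOULD allow at least 64 characters

# Constructed blocklist for the demo. A real deployment loads a large corpus of
# breached and commonly used passwords (e.g. Pwned Passwords); the article does
# not specify a source, so treat this as an assumption.
BLOCKLIST = {"password", "p@ssw0rd!", "123456", "qwerty", "letmein", "summer2024!"}


def legacy_check(candidate: str) -> list:
    """The composition-rule policy the article criticizes: one upper, one lower,
    one digit, one symbol, and (a constructed cap) at most 16 characters.
    Returns rejection reasons; empty list means accept."""
    problems = []
    if not any(c.isupper() for c in candidate):
        problems.append("needs an uppercase letter")
    if not any(c.islower() for c in candidate):
        problems.append("needs a lowercase letter")
    if not any(c.isdigit() for c in candidate):
        problems.append("needs a digit")
    if not any(not c.isalnum() for c in candidate):
        problems.append("needs a symbol")
    if len(candidate) > 16:
        problems.append("too long (max 16)")   # capping length is the real harm
    return problems


def normalize(secret: str) -> str:
    """SP 800-63B recommends NFKC or NFC normalization before hashing so the
    same visible Unicode string compares equal however it was typed."""
    return unicodedata.normalize("NFKC", secret)


def nist_check(candidate: str, context_words=()) -> list:
    """Length plus blocklist, no composition rules. Returns rejection reasons;
    an empty list means accept."""
    pw = normalize(candidate)
    problems = []
    if len(pw) < MIN_LENGTH:          # length in code points, not bytes
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    lowered = pw.lower()
    if lowered in BLOCKLIST:
        problems.append("appears in breached/common password list")
    if len(set(lowered)) == 1:        # 'aaaaaaaa' and friends
        problems.append("repetitive characters")
    for word in context_words:        # username, service name, and so on
        if word and word.lower() in lowered:
            problems.append(f"contains context-specific word '{word}'")
    return problems


if __name__ == "__main__":
    for pw in ("P@ssw0rd!", "correct horse battery staple",
               "k9Qm2xLpR7vTz4WnB1sHd8YfJ3cGe6Ua"):
        print(f"{pw!r}\n  legacy: {legacy_check(pw) or 'accept'}"
              f"\n  nist:   {nist_check(pw) or 'accept'}")
```

Run it and the legacy policy accepts P@ssw0rd! while rejecting both the passphrase and a 32-character random string; the NIST-style policy does the reverse, which is exactly the inversion the text describes.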
5. "Two-Factor Authentication via SMS is Just as Good as an Authenticator App"
Adding a second factor is genuinely excellent security practice — this myth isn't about whether to use 2FA, but which kind. SMS-based 2FA is significantly weaker than app-based TOTP (Time-based One-Time Passwords), and the gap matters.
SIM-swapping attacks — where a criminal convinces a mobile carrier to transfer your number to their device — are not rare theoretical vulnerabilities. They've been used to drain crypto wallets, hijack celebrities' accounts, and compromise executives at major companies. Once an attacker controls your phone number, every SMS code goes to them.
TOTP apps like Google Authenticator, Aegis (for Android), or Raivo (for iOS) generate codes locally on your device from a shared secret and the current time. There's no network transmission to intercept. They're not bulletproof: malware on your device can still steal the secret or the codes, and a phishing page can relay a code to the real site in real time. But they eliminate the entire SIM-swap attack surface. NIST deprecated SMS-based authentication in a 2016 draft of its guidelines; the final 2017 version softened that to classifying SMS and voice-call codes as RESTRICTED, meaning a service that offers them must assess the risk, warn users, and offer a non-restricted alternative. If a service offers both SMS and an authenticator app, always choose the app.
And if a service offers hardware security keys (like YubiKey or Google Titan), that's better still: with FIDO2/WebAuthn the key signs a challenge bound to the site's origin, so a look-alike phishing domain receives a signature it cannot replay against the real site.
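To show why an authenticator app needs no network at all, here is an added example (not code from the article or from any of the apps it names) implementing HOTP (RFC 4226) and TOTP (RFC 6238) with the standard library, plus a server-side verifier that tolerates clock skew. The key below is the published RFC 6238 test secret, so the output can be checked against the RFC's own vectors; the skew window of one step is an assumption.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then 'dynamic
    truncation' picks 4 bytes at an offset taken from the MAC's last nibble."""
    if counter < 0:
        raise ValueError("counter must be non-negative")
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at_time: int, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step). Nothing here
    touches the network; both sides need only the shared key and a clock."""
    return hotp(key, int(at_time) // step, digits, algo)


def verify_totp(key: bytes, code: str, at_time: int, window: int = 1,
                step: int = 30, digits: int = 6, algo=hashlib.sha1) -> bool:
    """Server-side check that tolerates +/-window steps of clock skew and uses
    a constant-time comparison so the code cannot be guessed byte by byte."""
    for delta in range(-window, window + 1):
        t = at_time + delta * step
        if t < 0:
            continue
        if hmac.compare_digest(totp(key, t, step, digits, algo), code):
            return True
    return False


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps receive the shared secret as Base32 inside an
    otpauth:// URI; restore any stripped '=' padding before decoding."""
    cleaned = encoded.strip().replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


# RFC 6238 Appendix B test secret (ASCII '12345678901234567890'); the
# published vectors let anyone confirm the implementation offline.
RFC_TEST_KEY = b"12345678901234567890"

if __name__ == "__main__":
    print("T=59        ->", totp(RFC_TEST_KEY, 59, digits=8))   # RFC vector: 94287082
    print("T=1111111109 ->", totp(RFC_TEST_KEY, 1111111109, digits=8))  # 07081804
    print("now         ->", totp(RFC_TEST_KEY, int(time.time())))
```

A production verifier would also record the last accepted counter and refuse to accept the same code twice, which closes the real-time relay gap for everything except a phishing site that forwards the code before the victim uses it; that residual gap is what the hardware keys in the next paragraph remove.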
6. "A Longer Password Hint Helps You Remember Without Compromising Security"
Password hints were invented to solve a real problem — people forget passwords. But hints create a fascinating attack surface that often reduces security to zero. A hint that says "my dog's name + birth year" might as well be the password itself for anyone who has spent thirty seconds looking at your social media.
Even well-intentioned hints like "first car" or "mother's maiden name" overlap almost perfectly with the security questions other sites use for account recovery, information that may already sit in breach databases or public records. NIST goes further than discouraging this: SP 800-63B says verifiers shall not let a user store a hint that an unauthenticated party can see, and shall not prompt for specific personal facts (the first-pet kind of question) when a password is chosen.
The real solution is a password manager for credentials you can't memorize, and a strong passphrase for the one you must — your master password. If you need a hint for the master passphrase, keep it somewhere physically secure and make it meaningless to anyone but you.
7. "If Your Password Hasn't Been in a Breach, You Don't Need to Change It"
This one's trickier — it's closer to true than the others, but it contains a dangerous assumption: that you'd actually know if your password had been breached.
Industry reporting has put the average gap between a breach and its public disclosure at more than a year. Credentials stolen in 2023 might not appear in public breach databases until late 2024. During that window, attackers are quietly using them, or selling them to others who will.
Tools like Have I Been Pwned (haveibeenpwned.com) and its free Pwned Passwords API, which password managers increasingly integrate, are excellent first-line checks. The API uses a k-anonymity range query: the client sends only the first five hex characters of the password's SHA-1 hash, receives every known suffix under that prefix, and does the match locally, so the password itself never leaves your machine. But these services only tell you about disclosed breaches. The undisclosed ones are the real danger.
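The k-anonymity lookup, as an added example (not the article's code and not Have I Been Pwned's own client): hash locally, send the 5-character prefix, match the 35-character suffix against the returned list. The demo runs offline against a constructed stand-in for the range response; the suffix for "password" is its real SHA-1 tail, but the counts and the other suffixes are made up. The `fetch_range_http` function hits the real endpoint and is included only for use with network access.

```python
import hashlib
import urllib.request


def sha1_hex_upper(password: str) -> str:
    """Pwned Passwords is keyed by the upper-case hex SHA-1 of the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(full_hash: str) -> tuple:
    """k-anonymity split: the 5-char prefix is sent, the 35-char suffix stays local."""
    return full_hash[:5], full_hash[5:]


def parse_range_response(text: str) -> dict:
    """The range endpoint returns lines of 'SUFFIX:COUNT'. Entries with count 0
    are padding (sent when the client asks for 'Add-Padding: true') and are
    dropped so they cannot be mistaken for a hit."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, count = line.rsplit(":", 1)
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def pwned_count(password: str, fetch_range) -> int:
    """How many times the password appears in known breaches (0 = not seen).
    `fetch_range(prefix)` returns the raw response text for that prefix."""
    prefix, suffix = split_hash(sha1_hex_upper(password))
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_http(prefix: str, timeout: float = 10) -> str:
    """Real lookup against api.pwnedpasswords.com (needs network; not used by
    the offline demo below). Only the 5-character prefix leaves the machine."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "password-myths-demo"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the API so the demo runs offline. The second suffix
# is the real SHA-1 tail of 'password'; counts and other suffixes are made up.
FAKE_RANGES = {
    "5BAA6": "\n".join([
        "1D2DA4053E34E76F6576ED1DA63134B5E2A:2",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824",
        "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:0",   # padding entry, count 0
        "20597C1E7F6F51D3D79829E3A4B66C2D4FB:13",
    ]),
}


def fake_fetch_range(prefix: str) -> str:
    """Offline substitute for fetch_range_http; unknown prefixes return nothing."""
    return FAKE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r}: seen {pwned_count(pw, fake_fetch_range)} times")
```

Swap `fake_fetch_range` for `fetch_range_http` to query the live service; either way, a zero only means the password is not in a disclosed breach, which is the whole point of this myth.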
This isn't an argument for going back to mandatory 90-day rotations. It's an argument for: (a) using unique passwords everywhere so a breach of one site doesn't cascade, (b) monitoring breach notification services, and (c) actually changing credentials when there's evidence of compromise rather than trusting silence as safety.
What Modern Good Practice Actually Looks Like
Strip away the myths and a cleaner picture emerges:
- Length first, always. 16 characters minimum; 20+ for anything important. Random from a password manager beats memorable; for the few you must memorize, use a multi-word passphrase.
- Unique passwords per site. Non-negotiable. One breach shouldn't hand over everything.
- Password manager. Bitwarden is free and excellent. 1Password is worth the subscription cost. KeePassXC if you want local-only.
- App-based 2FA minimum. Hardware key where it's supported. SMS only if it's genuinely the only option.
- Monitor breach databases. Set up alerts on Have I Been Pwned for your email addresses.
- Change passwords when compromised, not on schedule. Real threat triggers, not calendar anxiety.
The security advice that served the 1990s corporate LAN wasn't wrong for its time. But we're not living in that threat environment anymore. Credential stuffing attacks, massive breach databases, automated phishing, SIM-swapping — these are the actual threats. The defenses that work against them look different from what most of us were taught. The good news is that modern practice is, in most ways, actually easier on the user — fewer arbitrary rules, more tools that do the heavy lifting for you.
Update your habits. Your accounts will thank you.