The 23andMe Breach Started With Recycled Passwords
In October 2023, genetic testing company 23andMe confirmed a breach that ultimately exposed data on roughly 6.9 million users. The method was not an exotic zero-day. It was credential stuffing: the threat actors took username and password pairs leaked from other sites' breaches and replayed them against 23andMe's login page. Only about 14,000 accounts fell to the stuffing itself, but the DNA Relatives feature let the attackers scrape profile data from the millions of users connected to those accounts. Users who recycled passwords handed over the keys.
That breach is a textbook case for why password hygiene tips aren't just IT advice — they're survival skills. If you reuse passwords, you're betting that every single service you've ever signed up for has perfect security. Spoiler: they don't.
This post breaks down the password hygiene practices that actually matter in 2024, grounded in real breach data, NIST guidelines, and what I've seen work in organizations of all sizes. If you're responsible for your own accounts or your entire company's security posture, these are the specific steps that reduce your risk.
Why Most Password Hygiene Tips Fail in Practice
Here's what actually happens: a company rolls out a password policy that requires uppercase, lowercase, numbers, special characters, and a 90-day rotation. Employees respond predictably. They pick "Summer2024!" and then change it to "Fall2024!" three months later. They write it on a sticky note. They reuse it across a dozen services.
I've seen this pattern in every organization I've worked with. The old-school approach to password complexity creates the illusion of security while actively encouraging the behaviors that lead to credential theft.
NIST recognized this problem years ago. Their Digital Identity Guidelines (SP 800-63B) explicitly recommend against mandatory periodic password changes and arbitrary complexity rules. Instead, they push for longer passphrases, screening against known breached passwords, and — critically — multi-factor authentication.
Password Hygiene Tips That Actually Work in 2024
1. Length Beats Complexity Every Time
A passphrase like "correct horse battery staple" (28 characters) is far harder to brute-force than "P@ssw0rd!", and far easier to remember. The math is straightforward: each additional character multiplies the keyspace by the size of the alphabet. Eight characters drawn from all 95 printable ASCII symbols give about 6.6 × 10^15 possibilities; sixteen characters drawn from lowercase letters alone give about 4.4 × 10^22, roughly six million times more, before you add spaces or capitals. Two caveats a password cracker would raise: the math only holds when the attacker has to guess blindly, and "correct horse battery staple" itself has been in every cracking wordlist since the comic that popularised it, so pick your own words rather than the famous ones.
Set your minimum at 12 characters and encourage 16 or more. Allow spaces, full sentences, and long input (SP 800-63B says verifiers should accept at least 64 characters). Drop the uppercase-lowercase-number-symbol requirement; NIST says so, and the breach data backs it up.
2. Screen Every Password Against Breach Databases
According to the 2023 Verizon Data Breach Investigations Report, stolen credentials were involved in roughly 49% of all breaches. Almost half. That number has stayed stubbornly high for years. The reason is simple: people reuse passwords, those passwords get leaked, and attackers buy or download the lists.
Your organization should check every password against known-compromised lists: at signup, at password change, and opportunistically at login, when you briefly hold the plaintext. Have I Been Pwned's Pwned Passwords API makes this possible at scale without ever sending the password anywhere: the client hashes it with SHA-1, sends only the first five hex characters of the hash, receives every known hash suffix sharing that prefix, and does the comparison locally. If the password has already appeared in a breach, reject it immediately and explain why.
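The check above, as an added example that is not part of the original post or of Have I Been Pwned's own tooling. It combines the NIST-style policy from the previous tip (length floor, no composition rules) with the k-anonymity range lookup. To run offline it builds the "range response" from a constructed `KNOWN_BREACHED` table instead of calling the network; the breach counts in that table are made up, and the `hibp_fetch_range` function shows the live call (real endpoint, but only used if you pass it in).

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

# Constructed stand-in for the Pwned Passwords corpus so the example runs
# offline. Counts are made up. "correct horse battery staple" is included
# because the famous XKCD phrase is in every cracking wordlist.
KNOWN_BREACHED: Dict[str, int] = {
    "password": 3861493,
    "Summer2024!": 1207,
    "correct horse battery staple": 4410,
}

MIN_LENGTH = 12   # SP 800-63B's floor is 8; 12 is the recommendation on this page
MAX_LENGTH = 128  # accept long passphrases (NIST: at least 64)


def sha1_split(password: str) -> Tuple[str, str]:
    """Return (first 5 hex chars, remaining 35) of the upper-case SHA-1 digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Scan a 'SUFFIX:COUNT' range response for our suffix; 0 if absent."""
    for line in range_body.splitlines():
        cand, _, count = line.strip().partition(":")
        if cand.upper() == suffix:
            return int(count or 0)
    return 0


def offline_fetch_range(prefix: str) -> str:
    """Build the response the real API would return for `prefix`, from KNOWN_BREACHED."""
    lines = []
    for pw, n in KNOWN_BREACHED.items():
        p, s = sha1_split(pw)
        if p == prefix:
            lines.append(f"{s}:{n}")
    return "\r\n".join(lines)


def hibp_fetch_range(prefix: str) -> str:
    """Live lookup (network required). Only the 5-char prefix leaves the machine;
    Add-Padding makes the response size independent of the prefix."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "password-screen-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch_range: Callable[[str], str] = offline_fetch_range) -> int:
    """How many times the password appears in the breach corpus (0 = never seen)."""
    prefix, suffix = sha1_split(password)
    return count_in_range(suffix, fetch_range(prefix))


def evaluate_password(password: str, fetch_range: Callable[[str], str] = offline_fetch_range) -> Tuple[bool, str]:
    """NIST-style check: length floor and ceiling, no composition rules, breach screen."""
    if len(password) < MIN_LENGTH:
        return False, f"too short: use at least {MIN_LENGTH} characters (spaces are fine)"
    if len(password) > MAX_LENGTH:
        return False, f"too long: keep it under {MAX_LENGTH} characters"
    n = breach_count(password, fetch_range)
    if n:
        return False, f"this password appears in {n} known breaches; pick a different one"
    return True, "ok"


if __name__ == "__main__":
    for pw in ["P@ssw0rd!", "correct horse battery staple", "glass otter pilots the morning ferry"]:
        print(pw, "->", evaluate_password(pw))
```

Swap `offline_fetch_range` for `hibp_fetch_range` to query the real service; cache range responses for a few hours if you screen at login, since the same prefixes recur and the API is rate-limited per client.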
3. Use a Password Manager — And Actually Enforce It
I've talked to countless employees who tell me they "have a system" for their passwords. That system usually involves a base word plus a site-specific modifier. Attackers know these patterns. Once they crack one password, they can guess the rest.
A password manager generates and stores unique, random passwords for every account. The user only needs to remember one strong master passphrase. This single change eliminates password reuse — the number one cause of credential stuffing attacks like the 23andMe incident.
For organizations, deploy an enterprise password manager. Make it part of onboarding. Don't just recommend it — make it the default workflow.
4. Multi-Factor Authentication Is Non-Negotiable
Even the best password hygiene tips can't protect you from every attack. Phishing simulations consistently show that a percentage of employees will enter credentials on a fake login page. When that happens, multi-factor authentication (MFA) is the only thing standing between a stolen password and a full breach.
The FBI's Internet Crime Complaint Center (IC3) has repeatedly highlighted business email compromise as one of the costliest cybercrime categories — $2.7 billion in losses reported in 2022 alone. Most of those attacks start with compromised email credentials. MFA stops the majority of them cold.
Push for phishing-resistant MFA, which in practice means FIDO2/WebAuthn: hardware security keys or passkeys, where the response is bound to the site's origin so a lookalike login page cannot harvest anything usable. App-based one-time codes and push prompts are a real improvement over a password alone, but they are not phishing-resistant: a reverse-proxy phishing kit relays the code in real time, and push fatigue attacks wear users down until they tap approve. SMS is better than nothing, but SIM swapping has made it the weakest option.
5. Kill Mandatory Password Rotation (Unless There's a Reason)
Mandatory 90-day password changes are still baked into many compliance frameworks and organizational policies. But NIST's guidance is clear: don't force password changes unless there's evidence of compromise.
Forced rotation leads to weaker passwords. People make the smallest possible change to satisfy the policy. They increment numbers. They swap seasons. Attackers model these patterns and exploit them.
Change passwords immediately when a breach is suspected. Otherwise, let a strong, unique password stand. Pair it with MFA and breach monitoring.
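Tip 3 above says attackers know the "base word plus site modifier" pattern, and this tip says they model the increment-a-number, swap-a-season changes that forced rotation produces. Here is an added example (mine, not from the original post) of what that modelling looks like from both sides: `variants` generates the mutations a cracking rule set would try from one leaked password, and `is_trivial_variant` reuses it defensively to reject a "new" password that is just a predictable edit of the old one. The mutation families, the season list and the suffix list are assumptions chosen to match the patterns the post describes, not a published rule set.

```python
import re
from typing import Iterable, Set

SEASONS = ("spring", "summer", "fall", "autumn", "winter")
COMMON_SUFFIXES = ("", "!", "!!", "1", "123", "#", "?")
TRAILING_PUNCT = "!#?.$*"


def _recase(template: str, word: str) -> str:
    """Give `word` the capitalisation of `template` (UPPER, Title or lower)."""
    if template.isupper():
        return word.upper()
    if template[:1].isupper():
        return word.capitalize()
    return word


def _single_step(pw: str, site_tags: Iterable[str]) -> Set[str]:
    """All one-edit mutations a cracker's rule set would try on `pw`."""
    out: Set[str] = set()
    # 1. Nudge a trailing number: Summer2024! -> Summer2025!, Summer2023!
    m = re.match(r"^(.*?)(\d+)(\D*)$", pw)
    if m:
        head, num, tail = m.groups()
        for delta in range(-3, 4):
            n = int(num) + delta
            if delta and n >= 0:
                out.add(f"{head}{str(n).zfill(len(num))}{tail}")
    # 2. Swap one season for another: Summer2024! -> Fall2024!
    low = pw.lower()
    for s in SEASONS:
        i = low.find(s)
        if i >= 0:
            for r in SEASONS:
                if r != s:
                    out.add(pw[:i] + _recase(pw[i:i + len(s)], r) + pw[i + len(s):])
    # 3. Swap the trailing punctuation: Summer2024! -> Summer2024#, Summer2024
    core = pw.rstrip(TRAILING_PUNCT)
    if core:
        for suf in COMMON_SUFFIXES:
            out.add(core + suf)
    # 4. Bolt on a site-specific tag: Summer2024! -> Summer2024!gmail, GmailSummer2024!
    for tag in site_tags:
        for t in (tag.lower(), tag.capitalize(), tag.upper()):
            out.add(pw + t)
            out.add(t + pw)
    out.discard(pw)
    return out


def variants(pw: str, site_tags: Iterable[str] = (), depth: int = 2) -> Set[str]:
    """Mutations reachable in up to `depth` edits (depth 2 covers Summer2024! -> Winter2025!)."""
    tags = tuple(site_tags)
    seen: Set[str] = set()
    frontier = {pw}
    for _ in range(depth):
        nxt: Set[str] = set()
        for cand in frontier:
            nxt |= _single_step(cand, tags)
        nxt -= seen
        nxt.discard(pw)
        seen |= nxt
        frontier = nxt
    return seen


def is_trivial_variant(old: str, new: str, site_tags: Iterable[str] = ()) -> bool:
    """True if `new` equals `old` or is a predictable mutation of it (case-insensitive)."""
    if new.lower() == old.lower():
        return True
    return new.lower() in {v.lower() for v in variants(old, site_tags)}


if __name__ == "__main__":
    leaked = "Summer2024!"
    print(len(variants(leaked, site_tags=["gmail"])), "candidates derived from", leaked)
    for candidate in ["Fall2024!", "Winter2025!", "glass otter pilots the morning ferry"]:
        print(candidate, "->", "rejected" if is_trivial_variant(leaked, candidate) else "ok")
```

The defensive use needs the old plaintext, so it only works at the moment of a password change (the user supplies both values); the offensive use needs nothing but one leaked credential, which is the asymmetry the post is warning about.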
6. Stop Using Security Questions as a Backup
What's your mother's maiden name? What high school did you attend? This information is publicly available on social media, genealogy sites, and data broker databases. Security questions are social engineering goldmines.
If a service forces you to set security questions, treat the answers as additional passwords — random strings stored in your password manager. "What city were you born in?" Answer: "kR7$mPz9xQ." No attacker is guessing that.
What Are the Most Important Password Hygiene Tips?
The most important password hygiene tips for 2024 are: use a unique password of at least 12 characters (16 or more is better) for every account, store all passwords in a dedicated password manager, enable multi-factor authentication on every service that supports it, and screen passwords against known breach databases. Stop forcing periodic password changes unless there's evidence of a compromise. These practices align with NIST SP 800-63B and directly address the credential theft methods used in the majority of data breaches.
The Organizational Side: Training Changes Behavior
Technical controls matter. But they only work when people understand why they exist and how to use them. I've watched organizations deploy password managers and MFA and still get breached — because nobody trained employees to recognize phishing attempts that bypass those controls.
Security awareness training is the connective tissue between policy and practice. Your employees need to understand what credential stuffing is, why password reuse is dangerous, and how threat actors actually operate. Abstract warnings don't change behavior. Specific, scenario-based training does.
Our cybersecurity awareness training program covers exactly these scenarios — real-world attacks, practical defenses, and the reasoning behind modern password policies. It's built for organizations that want measurable behavior change, not checkbox compliance.
Phishing: Where Good Passwords Go to Die
Even a 30-character unique password is worthless if your employee types it into a fake Microsoft 365 login page. Phishing remains the primary delivery mechanism for credential theft. The 2023 Verizon DBIR found that phishing was involved in 16% of all breaches — and that number climbs significantly when you include phishing as the initial access vector in multi-stage attacks.
This is why phishing simulations and targeted training are essential complements to password hygiene. Your team needs to practice spotting malicious emails before a real threat actor sends one. Our phishing awareness training for organizations runs realistic simulations and teaches employees to identify social engineering tactics in real time.
Zero Trust Means Never Trusting the Password Alone
The zero trust security model assumes that no user, device, or network connection is inherently trustworthy. Passwords fit into this framework as one factor among many — never the sole gatekeeper.
In a zero trust architecture, authentication is continuous. A valid password gets you to the MFA prompt. A valid MFA response gets you conditional access based on your device posture, location, and behavioral patterns. If something looks off, access is denied or stepped up to additional verification.
This layered approach means that even if an attacker steals a password, they face multiple additional barriers. It's the most resilient model available, and it starts with solid password hygiene as the foundation.
Practical Zero Trust Steps for Password Security
- Require MFA for every application, not just email and VPN.
- Implement conditional access policies that evaluate device health and location.
- Monitor for impossible travel — logins from two distant locations within minutes.
- Integrate your identity provider with breach monitoring services for real-time credential exposure alerts.
- Segment access so that a single compromised account can't reach critical systems.
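The impossible-travel check in the list above is simple enough to show in full. This is an added example, not code from the original post or from any identity provider: it takes sign-in records that already carry a GeoIP location (the lookup is assumed to have happened upstream), sorts them per user, and flags consecutive logins whose great-circle distance over the elapsed time implies a speed no aircraft reaches. The sample records are constructed, using documentation IP ranges and approximate city coordinates, and the thresholds are assumptions you would tune.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Login:
    user: str
    ts: datetime
    ip: str
    city: str
    lat: float
    lon: float


# Constructed sign-in records, not real telemetry. IPs come from documentation
# ranges; coordinates are approximate city centres. IP-to-location resolution
# is assumed to have been done by the identity provider or a GeoIP feed.
SAMPLE_LOGINS: List[Login] = [
    Login("alice", datetime(2024, 3, 4, 9, 2, tzinfo=timezone.utc), "203.0.113.7", "Chicago", 41.88, -87.63),
    Login("alice", datetime(2024, 3, 4, 9, 41, tzinfo=timezone.utc), "198.51.100.23", "Lagos", 6.45, 3.39),
    Login("bob", datetime(2024, 3, 4, 8, 0, tzinfo=timezone.utc), "192.0.2.10", "Denver", 39.74, -104.99),
    Login("bob", datetime(2024, 3, 4, 14, 30, tzinfo=timezone.utc), "192.0.2.55", "Chicago", 41.88, -87.63),
    Login("bob", datetime(2024, 3, 4, 15, 5, tzinfo=timezone.utc), "192.0.2.56", "Chicago", 41.90, -87.65),
]

MAX_PLAUSIBLE_KMH = 1000.0   # faster than any commercial flight; tune for your users
MIN_DISTANCE_KM = 50.0       # ignore GeoIP jitter inside one metro area


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def impossible_travel(
    logins: List[Login],
    max_kmh: float = MAX_PLAUSIBLE_KMH,
    min_km: float = MIN_DISTANCE_KM,
) -> List[Tuple[Login, Login, float]]:
    """Return (earlier, later, implied_kmh) for consecutive logins by the same user
    that would require travelling faster than `max_kmh`."""
    by_user: Dict[str, List[Login]] = {}
    for ev in logins:
        by_user.setdefault(ev.user, []).append(ev)
    alerts: List[Tuple[Login, Login, float]] = []
    for events in by_user.values():
        events.sort(key=lambda e: e.ts)
        for prev, cur in zip(events, events[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if km < min_km:
                continue
            hours = (cur.ts - prev.ts).total_seconds() / 3600.0
            speed = km / hours if hours > 0 else math.inf
            if speed > max_kmh:
                alerts.append((prev, cur, speed))
    return alerts


if __name__ == "__main__":
    for prev, cur, kmh in impossible_travel(SAMPLE_LOGINS):
        minutes = int((cur.ts - prev.ts).total_seconds() // 60)
        print(f"{cur.user}: {prev.city} -> {cur.city} in {minutes} min (~{kmh:,.0f} km/h) from {cur.ip}")
```

In practice the biggest source of false positives is not geography but VPNs and mobile carriers whose egress IP geolocates far from the user; a known-VPN allowlist and a per-user baseline of usual locations cut the noise, and the alert should trigger step-up authentication rather than a hard block.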
The Ransomware Connection You Can't Ignore
Ransomware operators don't always need sophisticated exploits. Groups like ALPHV/BlackCat and LockBit have been documented using stolen credentials as initial access vectors. They buy credentials on dark web marketplaces, use them to log into VPNs or remote desktop services, and then deploy ransomware across the network.
CISA's StopRansomware initiative consistently highlights credential hygiene as a foundational defense. Their advisories repeatedly call out the same basics: unique passwords, MFA, monitoring for credential exposure.
If your organization's VPN is protected by a reused password without MFA, you're one dark web listing away from a ransomware incident. That's not hypothetical; it's the initial access path that CISA's ransomware advisories document again and again.
Building a Password Hygiene Program That Sticks
Sending an annual email about password best practices doesn't work. I've audited enough organizations to know that compliance-driven approaches produce compliance-driven results — people do the minimum to pass and revert to old habits immediately.
Here's what actually drives lasting change:
Make the Secure Path the Easy Path
Deploy a password manager and pre-configure it for employees. Integrate single sign-on (SSO) so users authenticate once with a strong credential and MFA, then access everything seamlessly. The fewer passwords people need to manage manually, the less likely they are to cut corners.
Show Them the Breach Data
When I show employees the actual credential lists available on dark web forums — their company domain, their email format, sometimes their exact passwords — behavior changes fast. Abstract threats don't motivate. Concrete evidence does.
Measure and Iterate
Track MFA enrollment rates. Monitor password manager adoption. Run phishing simulations quarterly and track click rates over time. If a department consistently fails simulations, they need targeted intervention, not another all-hands email.
Reward Good Behavior
Recognize teams with high MFA adoption. Celebrate departments that report suspicious emails. Security culture isn't built through fear — it's built through consistent reinforcement that secure behavior is valued and expected.
The $4.45M Reason to Start Now
IBM's 2023 Cost of a Data Breach Report pegged the global average cost of a data breach at $4.45 million. Breaches involving stolen or compromised credentials took an average of 328 days to identify and contain — the longest of any attack vector.
Every day your organization operates without strong password hygiene, MFA enforcement, and security awareness training is a day you're carrying avoidable risk. The tools exist. The guidance is clear. The only missing piece is execution.
Start with the fundamentals: unique passwords, a password manager, MFA everywhere, and ongoing training that prepares your people for real-world threats. These aren't theoretical recommendations — they're the specific, proven steps that reduce your exposure to the attacks actually hitting organizations right now in 2024.