The Breach That Started With a Single Reused Password

In January 2024, a credential stuffing attack hit genetic testing giant 23andMe, ultimately exposing the personal data of approximately 6.9 million users. The root cause wasn't some exotic zero-day exploit. It was customers reusing passwords they'd already lost in previous breaches. Threat actors simply took leaked credentials from other sites, tried them on 23andMe, and walked right in.

That incident captures everything wrong with how most people — and most organizations — handle passwords. If you're searching for password security best practices, you're already ahead of the curve. But I need to be honest with you: most of the advice out there is outdated, impractical, or both. I've spent over two decades in cybersecurity, and the gap between what experts recommend and what people actually do remains dangerously wide.

This post gives you the specific, updated practices that stop credential theft in 2025 — for your personal accounts and your organization. No fluff, no recycled tips from 2015.

Why Passwords Still Matter in a Post-Passkey World

You've probably heard that passwords are dead. Passkeys, biometrics, and hardware tokens are supposedly replacing them. And eventually, they will — for some systems.

But right now, in mid-2025, the reality is that passwords remain the primary authentication method for the vast majority of business applications, legacy systems, and consumer accounts. The 2024 Verizon Data Breach Investigations Report found that stolen credentials were involved in roughly 31% of all breaches over the past decade, making them consistently one of the top attack vectors. You can read the full findings at Verizon's DBIR page.

Until every system you touch supports passwordless authentication, password security best practices aren't optional. They're your first line of defense against credential theft, ransomware deployment, and full-scale data breaches.

The $4.88M Lesson Most Organizations Learn Too Late

IBM's 2024 Cost of a Data Breach Report pegged the global average cost of a data breach at $4.88 million. Stolen or compromised credentials were the most common initial attack vector — and breaches originating from credential theft took an average of 292 days to identify and contain. That's almost ten months of a threat actor inside your network.

I've worked incident response cases where a single compromised service account password — unchanged for three years — gave attackers lateral movement across an entire Active Directory environment. By the time anyone noticed, the ransomware payload was already staged on 400 endpoints.

The financial damage is real. The reputational damage is worse. And it almost always traces back to a preventable password failure.

What Are Password Security Best Practices in 2025?

Let me cut through the noise. Here are the practices that actually reduce risk right now, based on current NIST guidelines, real-world breach patterns, and what I've seen work in production environments.

1. Use Long Passphrases, Not Complex Gibberish

NIST Special Publication 800-63B updated its digital identity guidelines to explicitly discourage forced complexity rules (requiring uppercase, lowercase, numbers, and symbols). The reason is simple: those rules produce passwords like P@ssw0rd! — technically complex, practically useless.

Instead, use passphrases of 16 characters or more. Something like correct-piano-battery-launch is dramatically harder to crack than Tr0ub4dor&3 and far easier to remember. Length beats complexity every time. You can review the full NIST guidance at pages.nist.gov/800-63-3/sp800-63b.html.

2. Never Reuse Passwords Across Sites

This is the single most violated rule in password security, and it's the one that enabled the 23andMe breach. When you reuse a password, you're betting that every service you've ever signed up for has perfect security. They don't.

Credential stuffing attacks are automated now. Threat actors buy billions of leaked username-password pairs on dark web marketplaces and run them against hundreds of services simultaneously. One reused password can compromise your email, your bank, your corporate VPN, and your cloud storage in a single afternoon.
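The stuffing pattern just described has a recognisable signature in authentication logs, and that signature is what defenders key on. This added example (not from the original post) runs a simple detector over a constructed sample log; the log format and thresholds are assumptions.

```python
# Added example (not from the original post): a detector for the credential
# stuffing pattern, run over a constructed auth log. Stuffing differs from
# brute force on one account: one source tries MANY distinct usernames,
# each only once or twice, and nearly every attempt fails.
from collections import defaultdict

# Constructed sample log; the hypothetical format is "timestamp ip user result".
SAMPLE_LOG = """\
2025-06-01T10:00:01 203.0.113.7 alice FAIL
2025-06-01T10:00:02 203.0.113.7 bob FAIL
2025-06-01T10:00:02 203.0.113.7 carol FAIL
2025-06-01T10:00:03 203.0.113.7 dave SUCCESS
2025-06-01T10:00:03 203.0.113.7 erin FAIL
2025-06-01T10:00:04 203.0.113.7 frank FAIL
2025-06-01T10:00:04 203.0.113.7 grace FAIL
2025-06-01T10:00:05 203.0.113.7 heidi FAIL
2025-06-01T10:00:09 198.51.100.2 alice FAIL
2025-06-01T10:00:15 198.51.100.2 alice FAIL
2025-06-01T10:00:20 198.51.100.2 alice SUCCESS
"""

def parse_log(text):
    """Yield (ip, user, succeeded) for each non-empty line."""
    for line in text.splitlines():
        if line.strip():
            _ts, ip, user, result = line.split()
            yield ip, user, result == "SUCCESS"

def find_stuffing_sources(text, min_users=5, min_fail_ratio=0.7):
    """Return {ip: (distinct_users, fail_ratio)} for stuffing-like sources."""
    attempts = defaultdict(int)
    failures = defaultdict(int)
    users = defaultdict(set)
    for ip, user, ok in parse_log(text):
        attempts[ip] += 1
        users[ip].add(user)
        if not ok:
            failures[ip] += 1
    flagged = {}
    for ip in attempts:
        ratio = failures[ip] / attempts[ip]
        if len(users[ip]) >= min_users and ratio >= min_fail_ratio:
            flagged[ip] = (len(users[ip]), ratio)
    return flagged

def compromised_accounts(text):
    """Accounts a flagged source logged into: reset these and revoke sessions."""
    flagged = find_stuffing_sources(text)
    return sorted({u for ip, u, ok in parse_log(text) if ok and ip in flagged})
```

Note that the second source (three attempts against one account, one success) is not flagged: that is a user mistyping a password, and treating it as stuffing would drown real alerts in noise.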

3. Deploy a Password Manager Organization-Wide

You can't expect employees to maintain unique 16-character passphrases for 80+ accounts without help. A password manager is non-negotiable. It generates strong, unique credentials for every site and stores them in an encrypted vault.

For organizations, choose an enterprise-grade password manager that supports centralized administration, audit logging, and secure credential sharing. Mandate its use through policy. I've seen companies cut credential-related incidents by over 60% within six months of deploying one.

4. Enable Multi-Factor Authentication Everywhere

Multi-factor authentication (MFA) remains the single most effective control against account takeover. Even if a password is compromised, MFA adds a second barrier that blocks automated credential stuffing and most social engineering attacks.

But not all MFA is equal. SMS-based codes are vulnerable to SIM-swapping attacks. Push notifications can be bypassed through MFA fatigue attacks — where a threat actor sends dozens of push requests until the exhausted user approves one. Use phishing-resistant MFA methods: FIDO2 hardware keys or authenticator apps with number matching.

CISA has published detailed guidance on implementing phishing-resistant MFA at cisa.gov/MFA.

5. Stop Forcing Scheduled Password Rotations

Mandatory 90-day password changes are one of the most persistent bad practices in enterprise IT. NIST has been recommending against this since 2017. Forced rotations lead to predictable patterns — users just increment a number at the end or swap a single character.

Instead, require password changes only when there's evidence of compromise. Pair this with breach-monitoring tools that check your organization's credentials against known leaked databases in real time.

6. Screen Passwords Against Known Breached Lists

Every password your users create should be checked against databases of previously compromised credentials. If someone tries to set their password to one that appeared in a prior data breach, the system should reject it immediately.

Services like Have I Been Pwned's API make this straightforward to implement. Many modern identity platforms include this check natively. If yours doesn't, add it.
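Practices 1 and 6 together amount to a very short verifier: check length, check the breach corpus, and nothing else. This added example (not from the original post or from Have I Been Pwned) shows that verifier with the k-anonymity range lookup the Pwned Passwords API uses; the range server is a constructed in-memory stand-in and the breach counts are made up.

```python
# Added example (not from the original post): a NIST SP 800-63B style check
# (length only, no composition rules) plus breach screening using the
# k-anonymity range protocol of Have I Been Pwned's Pwned Passwords API:
# only the first 5 hex chars of the SHA-1 hash leave the client, the server
# returns every hash suffix in that range with a count, and the match is
# made locally. A real client would GET api.pwnedpasswords.com/range/<prefix>.
import hashlib

def sha1_hex(pw):
    return hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()

# Constructed stand-in for the range server, built from the post's example
# passwords plus one long constructed entry; the counts are made up.
KNOWN_BREACHED = {"P@ssw0rd!": 50000, "Tr0ub4dor&3": 800,
                  "Summer2024!": 12000, "summer2024summer2024": 7}
FAKE_RANGE_SERVER = {}
for _pw, _n in KNOWN_BREACHED.items():
    _h = sha1_hex(_pw)
    FAKE_RANGE_SERVER.setdefault(_h[:5], []).append(f"{_h[5:]}:{_n}")

def fake_fetch(prefix):
    """Hypothetical transport: stands in for the HTTPS range request."""
    return FAKE_RANGE_SERVER.get(prefix, [])

def breach_count(password, fetch=fake_fetch):
    """How many times the password appears in the breach corpus (0 = none).
    Only the 5-char prefix is sent; the full hash never leaves this function."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in fetch(prefix):
        sfx, count = line.split(":")
        if sfx == suffix:
            return int(count)
    return 0

def check_password(password, min_len=16, max_len=64):
    """Return (accepted, reason). No uppercase/digit/symbol rules on purpose."""
    if len(password) < min_len:
        return False, f"shorter than {min_len} characters"
    if len(password) > max_len:
        return False, f"longer than {max_len} characters"
    n = breach_count(password)
    if n:
        return False, f"found in breach corpus {n} times; choose another"
    return True, "accepted"
```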

7. Lock Down Service Accounts and Shared Credentials

The most dangerous passwords in your environment aren't the ones your employees use daily. They're the service account credentials embedded in scripts, scheduled tasks, and application configurations — often unchanged for years, often with elevated privileges.

Audit every service account. Rotate those credentials on a defined schedule. Implement privileged access management (PAM) to vault and monitor them. I've seen organizations with domain admin credentials sitting in plaintext PowerShell scripts on shared drives. That's not a hypothetical — it's a Tuesday.

Password Security and Social Engineering: The Human Factor

Even perfect password hygiene can be undone by a well-crafted phishing email. Social engineering remains the top method threat actors use to steal credentials. They don't need to crack your password if they can trick you into typing it on a fake login page.

This is why security awareness training is inseparable from password security best practices. Your employees need to recognize phishing attempts, pretexting calls, and credential harvesting sites before they hand over the keys.

Phishing simulations are the most effective way to build this muscle. Regular, realistic phishing tests — followed by immediate coaching for anyone who clicks — reduce click rates dramatically over time. Our phishing awareness training for organizations is purpose-built for exactly this kind of ongoing reinforcement.

And it can't be a one-time event. Threat actors evolve their tactics constantly. Your training needs to keep pace. A comprehensive cybersecurity awareness training program covers not just phishing but pretexting, vishing, QR code attacks, and the emerging AI-powered social engineering techniques that are reshaping the threat landscape in 2025.

Building a Zero Trust Approach to Credentials

Password security doesn't exist in isolation. It's one layer of a zero trust architecture — the principle that no user, device, or connection should be automatically trusted.

In a zero trust model, strong passwords and MFA are just the starting point. You also need:

  • Conditional access policies that evaluate device health, location, and risk signals before granting access
  • Least-privilege access so compromised credentials limit blast radius
  • Continuous session monitoring that can detect anomalous behavior post-authentication
  • Network segmentation that prevents lateral movement even after initial compromise

When you assume breach — which is the core mindset of zero trust — you design systems that contain damage rather than relying solely on keeping attackers out.

What About Passkeys and Passwordless Authentication?

Passkeys based on the FIDO2/WebAuthn standard are gaining real traction in 2025. Apple, Google, and Microsoft all support them natively. For consumer-facing applications, passkeys eliminate the password entirely, replacing it with a cryptographic key pair tied to your device and verified by biometrics or a device PIN.

For organizations, I recommend a phased approach:

  • Phase 1: Enforce strong passwords + phishing-resistant MFA across all accounts
  • Phase 2: Deploy passkeys for supported SaaS applications and internal apps
  • Phase 3: Gradually retire password-based authentication as coverage expands

We're in the early stages of Phase 2 for most enterprises. Passkeys are the future, but passwords are the present. Ignoring current password security best practices because passkeys exist is like refusing to lock your doors because home security systems exist.

The Organizational Checklist You Can Implement This Week

Here's what I tell every CISO and IT director I work with. These are actions you can start today:

  • Audit your password policy — remove forced complexity rules and scheduled rotations. Require 16+ character minimums instead.
  • Deploy a password manager to all employees with mandatory enrollment.
  • Enable phishing-resistant MFA on every account that supports it, starting with email, VPN, and cloud admin consoles.
  • Screen all new passwords against known breached credential databases.
  • Inventory all service accounts and eliminate any with static, unmanaged credentials.
  • Launch phishing simulations through a structured phishing awareness training program — test monthly, coach immediately.
  • Train continuously — enroll your workforce in cybersecurity awareness training that covers credential theft, social engineering, and evolving threat tactics.
  • Monitor for leaked credentials using breach notification services and dark web monitoring tools.

The Credential Theft Problem Isn't Getting Smaller

The FBI's Internet Crime Complaint Center (IC3) reported over $12.5 billion in cybercrime losses in its 2023 annual report, with phishing and credential theft among the most frequently reported attack types. The scale of the problem is growing, not shrinking — and AI-generated phishing emails are making social engineering attacks harder to detect than ever.

Password security best practices aren't glamorous. They don't make headlines. But they're the foundation that every other security control depends on. Without them, your MFA rollout, your endpoint detection, and your zero trust architecture are all built on sand.

I've investigated breaches at organizations with million-dollar security budgets that fell because someone used Summer2024! as their domain admin password. Don't be that organization.

Start with the checklist above. Deploy training that actually changes behavior. And treat every credential in your environment like what it really is — a key to your kingdom that someone is actively trying to steal.