2.1 Passwords done properly
Escaping complexity theatre
Passwords are still the most common way people sign in. They are also the most misunderstood. Many organisations still force rules that look tough but do little to reduce real risk. This is often called “complexity theatre”: a performance of security that feels strict yet makes everyday use worse and, in practice, easier to break.
Understanding what actually makes a password strong is more useful than memorising a set of arbitrary rules. It also makes it easier to choose practices that fit real life, such as sharing a device with family, using a work laptop on the train, or keeping accounts for utilities, banking, and social media.
Why traditional complexity rules failed
Traditional rules often demand a mix of upper and lower case, numbers, and symbols, plus regular changes. On paper, that looks like it should make guessing harder. In reality, these rules push people into predictable patterns: capital letter at the start, a number at the end, and a symbol replacing a letter. Attackers know this. They use “password spraying” and targeted guessing lists that include common substitutions such as p@ssw0rd! and Summer2025. The rules did not make passwords genuinely unpredictable; they just made them harder to remember.
Another failure is the focus on how a password looks rather than how it behaves under attack. Most accounts are not broken by a person patiently guessing one attempt at a time. They are broken by automated systems testing large numbers of likely passwords, or by leaked password databases. If a system is already rate-limited, adding more symbols does not matter much. If a system is not rate-limited, complexity does not save you. Good rules should match the threat, not an imagined one.
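The contrast between a rule that checks how a password looks and one that checks how it behaves under attack can be made concrete in code. The following is an added example, not code from the original text: a classic "upper, lower, digit, symbol" check beside a length-first policy that undoes the substitutions guessing lists already know (p@ssw0rd, Summer2025) and rejects anything that collapses to a common password. The blocklist and the substitution map are constructed for the example; a real deployment would load a large list of breached passwords instead.

```python
import re

# Constructed blocklist for this example. A production check would load a large
# list of breached and common passwords from a file (assumption, not shown here).
COMMON_PASSWORDS = {"password", "summer", "summer2025", "qwerty", "letmein", "welcome"}

# Substitutions that complexity rules reward and that attacker word lists undo.
LEET_MAP = str.maketrans(
    {"@": "a", "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "$": "s", "7": "t"}
)


def legacy_complexity_ok(pw: str) -> bool:
    """Traditional rule set: 8+ characters with upper, lower, digit and symbol.
    It happily accepts P@ssw0rd! and rejects a 25-character passphrase."""
    return bool(
        len(pw) >= 8
        and re.search(r"[A-Z]", pw)
        and re.search(r"[a-z]", pw)
        and re.search(r"\d", pw)
        and re.search(r"[^A-Za-z0-9]", pw)
    )


def normalized_forms(pw: str) -> set[str]:
    """The spellings an attacker's guessing list would contain for this password."""
    lower = pw.lower()
    unleet = lower.translate(LEET_MAP)
    # Drop a trailing run of digits/symbols: "summer2025" -> "summer", "password!" -> "password"
    stripped = re.sub(r"[^a-z]+$", "", unleet)
    return {lower, unleet, stripped}


def modern_policy(pw: str, min_len: int = 12, max_len: int = 128) -> tuple[bool, str]:
    """Length-first policy: any characters allowed (spaces included), no forced
    character classes, but reject anything that matches a known-common password
    once the predictable tricks are undone."""
    if normalized_forms(pw) & COMMON_PASSWORDS:
        return False, "matches a common password once substitutions are undone"
    if len(pw) < min_len:
        return False, f"shorter than {min_len} characters"
    if len(pw) > max_len:
        return False, f"longer than {max_len} characters"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["P@ssw0rd!", "Summer2025", "Blue7$", "harbour lantern marmalade"]:
        print(f"{candidate!r:30} legacy={legacy_complexity_ok(candidate)!s:5} "
              f"modern={modern_policy(candidate)}")
```

Running it shows the two policies disagreeing on every candidate from the text: the legacy rule passes P@ssw0rd! and fails the passphrase, while the length-first policy does the reverse. Neither check replaces server-side rate limiting and slow password hashing; the policy only stops the obviously guessable entries, which is the threat the text describes.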
Length vs randomness
Length usually matters more than complexity. A long password is harder to brute-force because there are more possibilities, even if it uses only letters. Randomness matters because it removes patterns that attackers exploit. The most effective combination is long and random.
Consider two examples. A password like Blue7$ looks complex, but it is short and guessable. A passphrase like harbour-lantern-marmalade is long and has more entropy, even though it is made of ordinary words. If those words are chosen randomly from a large list, it becomes extremely difficult to guess. This is why many modern password policies encourage length, sometimes with a minimum of 12 or 14 characters, while allowing spaces.
Randomness does not mean “looks random” to a human. It means there is no pattern that reduces the search space. If you pick words because they remind you of a holiday or a pet, the phrase is not truly random. It might still be long enough to be safe against broad attacks, but it is weaker against a targeted attacker who knows you.
Passphrases and memorability
Passphrases work because they are long and easier to remember. A good passphrase is several words chosen at random, not a sentence taken from a favourite book. In practice, people can remember four or five unrelated words far more easily than a single string of symbols. The goal is to reduce the need for tricks like writing it down on a sticky note or reusing the same password across sites.
In everyday life, this might look like choosing a passphrase for a new email account using a random word list, then storing it in a password manager. You can remember it because you type it often, but if you forget it, the manager still holds it. For shared household accounts, such as a streaming service, a long but easy-to-say passphrase can be stored in the family manager or written down in a secure place, such as a locked drawer. That is a trade-off that recognises how people actually live.
A common misunderstanding is that a passphrase must be nonsensical or full of obscure words. It just needs to be random and long. If you pick four words at random from a list of a few thousand, the number of possible combinations becomes vast. That is enough to resist large-scale guessing attacks.
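The arithmetic behind "four words from a list of a few thousand becomes vast" is short enough to show. The following is an added example, not code from the original text: it computes the entropy of a word-list passphrase and of a random character string, converts bits into time-to-exhaust at an online (rate-limited) and an offline guessing rate, and generates a passphrase with the operating system's CSPRNG. The 16-word list is constructed so the numbers are easy to follow; the 7776-word size used in the comparison is that of the EFF long word list, and the guess rates are assumptions for illustration.

```python
import math
import secrets

# Constructed 16-word list (exactly 4 bits per word) to keep the arithmetic visible.
# A real diceware-style list such as EFF's long list has 7776 words (about 12.9 bits each).
WORDS = [
    "harbour", "lantern", "marmalade", "kettle", "granite", "velvet", "compass", "orchard",
    "saddle", "thistle", "meadow", "copper", "anchor", "quartz", "bramble", "willow",
]


def entropy_bits(num_words: int, list_size: int) -> float:
    """Entropy of num_words drawn uniformly (with replacement) from a list of list_size words."""
    return num_words * math.log2(list_size)


def char_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a truly random character string. For a human-chosen string like
    Blue7$ this is only an upper bound; the real search space is far smaller."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years needed to try every possibility at the given rate (on average half this)."""
    return (2 ** bits) / guesses_per_second / (365.25 * 24 * 3600)


def generate_passphrase(num_words: int = 4, words: list[str] = WORDS, sep: str = "-") -> str:
    """Pick words with `secrets` (CSPRNG); `random.choice` is not suitable for credentials."""
    return sep.join(secrets.choice(words) for _ in range(num_words))


if __name__ == "__main__":
    print("Blue7$ as 6 random printable chars (upper bound):", round(char_entropy_bits(6, 95), 1), "bits")
    print("3 words from 7776:", round(entropy_bits(3, 7776), 1), "bits")
    print("4 words from 7776:", round(entropy_bits(4, 7776), 1), "bits")
    print("4 words from 4000:", round(entropy_bits(4, 4000), 1), "bits")
    bits = entropy_bits(4, 7776)
    # Assumed rates: 10/s for an online login endpoint with rate limiting,
    # 1e10/s for an offline attack on a leaked database using a fast hash.
    print("online at 10/s:", f"{years_to_exhaust(bits, 10):.0f}", "years")
    print("offline at 1e10/s:", f"{years_to_exhaust(bits, 1e10):.3f}", "years")
    print("example passphrase:", generate_passphrase())
```

Two things fall out of the numbers. A three-word passphrase from a 7776-word list (about 39 bits) is already on a par with the best case for a six-character password, and a fourth word adds about 13 bits, roughly a ten-thousand-fold increase in guesses. And the same 52-bit passphrase that is out of reach through a rate-limited login can be exhausted in days by an offline attack against a fast hash, which is why the service's storage and rate limiting matter as much as the user's choice.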
Why humans reuse passwords
People reuse passwords because the alternative feels impossible. An average person might have dozens of accounts: banking, council tax, GP services, shopping, work tools, and one-off accounts for travel. Remembering unique, complex passwords for each is unrealistic without support. Reuse is a rational response to a system that puts all the burden on the user.
The problem is that reuse turns a single breach into many. If one shop’s database is leaked, attackers can try the same password on email accounts, which then becomes the master key to reset other services. This is not a dramatic edge case; it is one of the most common ways accounts are taken over.
The practical mitigation is not to shame people into better memory but to change the method. Password managers, whether built into a browser or a dedicated app, let you store unique passwords without needing to remember them. Where a manager is not an option, prioritise uniqueness for your email account and any account that can reset others. A reused password on a forum is inconvenient if it is breached; a reused password on your email is a chain reaction.
Avoiding personal references
Many people build passwords from personal details: children’s names, birthdays, sports teams, street names. These are easy to remember but also easy to guess. In the UK, personal details can be pieced together from social media, company websites, and public records. Even if your profiles are private, friends and relatives may post photos or mentions that give clues.
Targeted attackers use this information for “knowledge-based” guessing. It is not about hacking in a dramatic sense; it is about trying a short list of likely options. Avoiding personal references removes that easy route. A random passphrase that has nothing to do with you is stronger than a clever wordplay based on your life.
There is a common myth that attackers always go after the most obscure detail. In reality, they start with the obvious because it works often enough. That is why using your dog’s name with a “!” or your postcode with a year is risky, even if it feels unique.
When rotation helps and when it harms
Regular password rotation was once standard advice. It can help in specific situations, such as when a password might have been exposed or when multiple people share an account over time. For example, a small charity might rotate the password to a shared social media account when a volunteer leaves. That is a real-world use case where rotation reduces risk.
For individual accounts, forced rotation can be harmful. People respond by making small changes — adding a number, changing a month — which attackers can predict. It also increases the chance of writing passwords down or reusing old ones. If a system is properly secured with rate limits, modern password storage, and multi-factor authentication, routine rotation offers little benefit.
A better approach is event-based rotation: change passwords when there is a reason. That could be a data breach notification, a lost device, or a suspicion that someone else has access. In those cases, a change matters. Otherwise, focus on strong, unique passwords and account recovery methods that are under your control.
Rotation also has trade-offs in workplaces. In a UK organisation, frequent changes can lead to increased support calls and risky workarounds. This is a practical cost, not just a user complaint. Security that people bypass is not security at all. A sensible policy aligns with how people work, not how a checklist reads.