09 January 2026 | Call 4 Support

The Future of Passwords: Best Practices, Emerging Trends, and Security Risks

Passwords are still widely used, but are a major security risk if weak or reused. Strong, unique passwords plus multi-factor authentication and password managers are essential. New trends like passwordless authentication and quantum-safe encryption are emerging, but layered security remains the best defence.

Passwords remain the most logical way to secure digital accounts, acting as digital keys that grant access to sensitive data. Despite their convenience, weak or reused passwords are responsible for most data breaches. A major study by Cybernews analysed 19 billion leaked passwords from data breaches between April 2024 and 2025, finding that 94% were weak or reused, leaving only 6% unique. This is clear evidence of insecure password practices.

Attackers exploit poor password hygiene through brute-force attacks, credential stuffing, and phishing scams. According to JumpCloud (2024), over 80% of organisational data breaches are attributed to weak passwords, and 30% of breaches involve user mistakes, such as password reuse or sharing.

Passwords remain relevant despite rapid technological advances, but security advice must evolve to keep pace. Passwords have been in use since the early 1960s (Cisco: Infographic, 8 June 2024) and became crucial in the 1990s as sensitive data migrated online.

What Makes a Strong Password?

A typical password is a string of characters built from a word or sentence, combined with special characters and numbers. According to CISA and NIST, a strong password should have the following characteristics:

• Length: At least 12–16 characters.

• Complexity: A mix of uppercase, lowercase, numbers, and symbols.

• Uniqueness: Never reuse passwords across accounts.

• Unpredictability: Avoid personal details.

• Passphrase-based: For example, “PurpleHatRiverDance!” is easier to remember and harder to crack.
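The criteria above can be applied mechanically. The following is an added example (not from the article or from CISA/NIST) that checks a candidate password against them; the 12-character minimum, the hypothetical `personal_details` list used for the unpredictability check, and the rule that a passphrase may stand in for full character-class complexity are assumptions made here.

```python
import re
import string

# Lower bound of the article's 12-16 character recommendation (assumed policy value).
MIN_LENGTH = 12


def check_password(password, personal_details=()):
    """Evaluate one password against the listed criteria; returns criterion -> bool.

    personal_details is a hypothetical list of strings (names, birth years,
    pet names) that must not appear in the password. Uniqueness across
    accounts cannot be judged from a single password, so it is not checked here.
    """
    classes = {
        "upper": any(c.isupper() for c in password),
        "lower": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }
    lowered = password.lower()
    # Passphrase heuristic: three or more capitalised words run together, e.g. PurpleHatRiverDance!
    words = re.findall(r"[A-Z][a-z]{2,}", password)
    return {
        "length": len(password) >= MIN_LENGTH,
        "complexity": all(classes.values()),
        "unpredictable": not any(d.lower() in lowered for d in personal_details if len(d) >= 3),
        "passphrase": len(words) >= 3,
    }


def is_strong(password, personal_details=()):
    """Length and unpredictability are mandatory; a passphrase may replace full complexity."""
    r = check_password(password, personal_details)
    return r["length"] and r["unpredictable"] and (r["complexity"] or r["passphrase"])


if __name__ == "__main__":
    for candidate in ("PurpleHatRiverDance!", "password123", "Alice1990!xyz"):
        print(candidate, check_password(candidate, ["Alice", "1990"]), is_strong(candidate, ["Alice", "1990"]))
```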

Managing Passwords: Best Practices

Creating a strong password is just the first step. Protecting your password is equally important. Below are some common questions and best practices.

Should You Keep Your Password in a Notebook?

From my own experience in the field, it is clear that notebooks are still used to store and manage passwords. While writing down passwords in a notebook is generally discouraged, if the notebook is kept in a secure location, such as a safe at home, it can be as secure as an offline encrypted vault on your computer.

How Safe Are Password Managers?

Password managers, whether online or offline, offer strong encryption for storing passwords. Solutions with local vault storage avoid the risks associated with attacks on cloud-based password managers.

How Often Should You Change Your Password?

Unless you suspect a breach, avoid changing passwords frequently. Mandatory password rotation can lead to weaker passwords chosen for convenience. If a password is difficult to remember, consider using a password manager or, for highly sensitive accounts, a securely stored notebook.

The Importance of Layered Security

To protect your data, your password must be secure. Compromised credentials are one of the most common initial attack vectors for hackers. Not all hackers are IT experts; many simply log in using stolen credentials. According to the Verizon DBIR 2022 (as analysed by Kovrr), stolen credentials are the number one attack vector in data breaches, accounting for nearly half of all incidents.

A strong password alone is not enough. It must be combined with additional security measures:

• Enable Multi-Factor Authentication (MFA) for all accounts.

• Use a password manager with strong encryption, preferably with local vault storage.

• Ensure each password is unique for each account.

• Stay alert for phishing attempts and never share passwords via email.

Regularly check if your passwords have been leaked using services such as http://www.haveibeenpwned.com/.
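The service linked above offers a k-anonymity range lookup, so a breach check never has to transmit the password itself. The following is an added example (not from the article or from Have I Been Pwned) showing how that check works: only the first five characters of the password's SHA-1 hash are sent, and the remaining 35 characters are compared locally against the returned list; the range response embedded here is a constructed sample, not real API output.

```python
import hashlib
import urllib.request

# Constructed sample of a Pwned Passwords range response: one "SUFFIX:COUNT" per line.
# A real response for a prefix holds several hundred lines; these values are made up,
# except that the third suffix is the real SHA-1 remainder of the word "password".
SAMPLE_RANGE_RESPONSE = """\
0018A45C4D1DEF81644B54AB7F969B88D65:3
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824
011053FD0102E94D6AE2F8B83D76FAF94F6:1
"""


def hash_password(password):
    """Uppercase hex SHA-1 digest, which is what the Pwned Passwords index is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password):
    """Return (prefix sent to the service, suffix that never leaves the machine)."""
    digest = hash_password(password)
    return digest[:5], digest[5:]


def count_from_range_response(suffix, response_text):
    """Scan a range response for the local suffix; return its breach count, or 0 if absent."""
    for line in response_text.splitlines():
        if ":" not in line:
            continue
        candidate, count = line.strip().split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range_online(prefix):
    """Live lookup (network): only the 5-character prefix is sent. Not used by the offline demo."""
    with urllib.request.urlopen(f"https://api.pwnedpasswords.com/range/{prefix}") as resp:
        return resp.read().decode("utf-8")


def pwned_count(password, fetch_range):
    """fetch_range(prefix) -> response text; the password and its full hash stay local."""
    prefix, suffix = split_for_range_query(password)
    return count_from_range_response(suffix, fetch_range(prefix))


if __name__ == "__main__":
    # Offline run against the constructed sample; pass fetch_range_online for a real check.
    print(pwned_count("password", lambda prefix: SAMPLE_RANGE_RESPONSE))
```

A count above zero means the password has appeared in a known breach and should be replaced, regardless of how strong it looks.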

Current Trends in Information Security

• Passwordless Authentication: The FIDO Alliance and major tech vendors (Apple, Google, Microsoft) are rolling out passkeys as a passwordless solution, using public-key cryptography and biometrics for secure login. Gartner predicted passwordless adoption will accelerate across enterprises from 2025.

• Zero Trust Security Models: NIST’s Zero Trust Architecture (SP 800-207) and industry reports emphasise reducing reliance on passwords by enforcing continuous identity verification and least-privilege access.

• Quantum Computing Threat: NIST and ENISA warn that traditional encryption algorithms (RSA, ECC) will be vulnerable to quantum attacks. Post-quantum cryptography standards are being developed to counter this risk.

• Password Manager Risks: Recent breaches (e.g., LastPass 2022) highlight that cloud-based password managers are prime targets for attackers, making secure vault design and zero-knowledge architecture critical.

Conclusion

Passwords may feel outdated, but they remain essential for the time being. A password alone does not provide adequate online protection. The human component in information security remains the weakest link, and social engineering can still defeat most security measures (see our previous article: Cyber Security Beyond Compliance: A Human-Centric Approach to Risk, Vulnerabilities, Threats, and Training, published January 2025).

Remember the following:

• Use MFA wherever possible.

• Adopt passkeys and passwordless authentication where available.

• Always use strong, unique passwords.

• For highly sensitive accounts, consider an offline password manager or a securely stored notebook.

• Stay informed about post-quantum encryption standards.

The best approach is layered security: multiple barriers are better than one. With quantum computing on the horizon, we must consider whether the future of security lies beyond passwords.

Call us on (44) 7870 396 167 or email contact@call4support.co.uk to discuss how we can help you to protect your data better.