Passwords remain one of the most common authentication controls protecting sensitive systems. When those credentials fail, attackers rarely stop at a single account. Compromised credentials routinely become the entry point for wider intrusion, privilege escalation, and lateral movement across systems.
Most breaches do not begin with sophisticated exploits. They begin with exposed or reused credentials.
Despite this, many organisations still treat password security as a user discipline problem rather than an architectural one. Users are instructed to create complex passwords, remember them, and rotate them frequently. The expectation is unrealistic, and the outcome is predictable.
Credential security improves when authentication is engineered deliberately rather than relying on individuals to manage complexity unaided.
In essence, password security is a governance issue, not a memory test.
Why Traditional Password Security Policies Fail
For years, password policies emphasised complexity.
Users were required to include uppercase letters, numbers, and special characters. The assumption was that complexity produced stronger security.
In practice, it produced patterns.
Users adapt to policy rather than strengthening credentials. Passwords evolve through small variations:
Password1! Password2! Password3!
Attackers understand these patterns extremely well. Modern password-cracking tools combine wordlists with mangling rules (capitalise the first letter, append a digit, append a symbol, increment the number) that reproduce exactly these variations, so a policy-compliant "Password3!" falls to a dictionary attack almost as quickly as "password".
Length and unpredictability matter far more than decorative complexity.
Guidance from the National Institute of Standards and Technology (SP 800-63B) reflects this shift: it advises verifiers not to impose composition rules, to permit long passphrases, and to screen new passwords against lists of known-breached values rather than counting character classes.
Passphrases: Stronger and Easier for Humans
Passphrases provide significantly stronger protection while remaining easier for users to remember.
A passphrase built from several words chosen at random from a large wordlist carries high entropy without artificial complexity. The strength comes from the random selection, not from the words being memorable: a phrase the user invents (a lyric, a quotation, a pet's name and a year) does not earn the same credit because attackers build wordlists from exactly that material.
For example:
silver-harbour-cascade-lighthouse-orbit
This type of credential is far harder to crack than a short complex password, yet significantly easier for a human to recall. Five words drawn at random from a 7,776-word list give roughly 64 bits of entropy; a word-plus-digit-plus-symbol password such as Password1! sits inside a rule-based search space that commodity hardware can exhaust in seconds.
The objective is not clever complexity. The objective is resistance to automated guessing and credential attacks.
Strong credentials should therefore be:
- long enough to resist brute-force attacks
- unique across all systems
- unrelated to personal information
- generated or stored securely rather than memorised repeatedly
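The entropy arithmetic behind the two sections above, as an added example that is not part of the original article: it estimates the search space an attacker faces for word-plus-suffix passwords versus randomly chosen passphrases, and generates a passphrase with a cryptographically secure selector. The ten-word sample list and the 100,000-word attacker dictionary are constructed for illustration; a real diceware list has 7,776 entries, which is the figure used for the entropy estimate.

```python
import math
import re
import secrets

# Constructed stand-in for a diceware-style wordlist. A real list has 7,776
# words; only the size matters for the entropy arithmetic below.
DICEWARE_SIZE = 7776
SAMPLE_WORDS = ["silver", "harbour", "cascade", "lighthouse", "orbit",
                "granite", "meadow", "compass", "velvet", "thunder"]

# Word-plus-suffix shape that complexity policies push users toward:
# a dictionary word, 0-2 trailing digits, at most one trailing symbol.
MANGLED_SHAPE = re.compile(r"^[A-Za-z]{4,12}\d{0,2}[!@#$%^&*]?$")


def passphrase_entropy_bits(word_count, wordlist_size=DICEWARE_SIZE):
    """Entropy of a passphrase whose words are picked uniformly at random."""
    return word_count * math.log2(wordlist_size)


def generate_passphrase(word_count=5, words=SAMPLE_WORDS, sep="-"):
    """Select words with secrets.choice so the choice is unpredictable.

    random.choice would be seeded from a small, guessable state; secrets
    draws from the OS CSPRNG, which is what a credential generator needs.
    """
    return sep.join(secrets.choice(words) for _ in range(word_count))


def matches_mangling_rule(password):
    """True if the password is a dictionary word with a digit/symbol suffix."""
    return MANGLED_SHAPE.match(password) is not None


def mangled_search_space_bits(dictionary_size, symbols=9):
    """Candidates an attacker must try for the MANGLED_SHAPE rule set:
    word x (lower/capitalised) x (0-2 digits: 1+10+100) x (no symbol or one of 9)."""
    candidates = dictionary_size * 2 * 111 * (symbols + 1)
    return math.log2(candidates)


def seconds_to_exhaust(bits, guesses_per_second=1e10):
    """Worst-case time to try every candidate at a given offline guess rate.
    1e10/s is an assumed figure for a fast-hash (MD5/NTLM) GPU rig."""
    return 2 ** bits / guesses_per_second


if __name__ == "__main__":
    weak = "Password1!"
    print(weak, "matches mangling rule:", matches_mangling_rule(weak))
    rule_bits = mangled_search_space_bits(100_000)  # assumed attacker dictionary
    print(f"rule-based search space: {rule_bits:.1f} bits,"
          f" exhausted in {seconds_to_exhaust(rule_bits):.2f} s")
    bits = passphrase_entropy_bits(5)
    print(f"5-word passphrase: {bits:.1f} bits,"
          f" exhausted in {seconds_to_exhaust(bits) / 31_557_600:.0f} years")
    print("generated:", generate_passphrase())
```

The regex deliberately models only the suffix rules the article describes; real rule sets also cover leetspeak substitutions and keyboard walks, which shrinks the gap between "P@ssw0rd" and "password" further still. The point the numbers make is that entropy a user can be sure of comes only from a random draw over a known-size list.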
Why Forced Password Rotation Often Reduces Security
Mandatory password changes every 60 or 90 days have historically been viewed as a sign of strong security governance.
In reality, they frequently create the opposite effect.
When users are forced to change passwords repeatedly, they optimise for convenience rather than security. Numbers are incremented, characters appended, or previous passwords recycled with minor variation.
The policy appears disciplined. The underlying credential remains predictable.
Modern guidance, including the NIST Digital Identity Guidelines (SP 800-63B), has moved away from arbitrary password expiry: passwords should be changed when there is evidence of compromise, not on a calendar, and the emphasis has shifted to longer passphrases combined with multi-factor authentication.
Security controls should reduce risk. When they consistently produce weaker behaviour, the design itself needs reconsideration.
Password Managers Are Now Essential
Expecting individuals to remember dozens or hundreds of unique credentials is unrealistic in modern environments.
Without tooling, password reuse becomes inevitable.
Password managers address this structural problem by generating and storing credentials securely.
A properly implemented password manager:
- creates high-entropy passwords automatically
- ensures every system has a unique credential
- stores credentials in a vault encrypted under a key derived from the master passphrase, so the vault is only as strong as that passphrase and the MFA on the account
- removes the need for users to memorise complex strings
Organisations that discourage password managers often discover that users create their own alternatives. Passwords end up stored in spreadsheets, browsers, notebooks, or email drafts.
These improvised solutions create far greater risk than a managed credential vault. The trade-off is concentration: the master passphrase and the MFA protecting the manager account become the most important credentials in the organisation and should be governed accordingly.
Multi-Factor Authentication Changes the Equation
Passwords alone are no longer sufficient protection for sensitive systems.
Multi-factor authentication (MFA) introduces an additional proof of identity beyond the password itself.
This might include:
- an authenticator application
- a hardware token
- a device-based push approval
Even when a password is compromised, access remains blocked unless the attacker also controls the additional factor.
Properly implemented MFA dramatically reduces the success rate of credential-based attacks. The factors are not equivalent, however: one-time codes delivered by SMS or generated by an app can be relayed through a real-time phishing page within their validity window, and push approvals can be worn down by repeated prompts. Phishing-resistant methods such as FIDO2/WebAuthn hardware keys and passkeys bind the credential to the legitimate site and close those gaps, so they belong on the most sensitive systems first.
Biometrics and Device Trust
Biometric authentication increasingly plays a role in strengthening identity verification.
Fingerprint and facial recognition systems tie authentication to the individual rather than something they remember. When implemented through trusted devices, biometrics can strengthen identity assurance while reducing user friction.
However, biometrics should complement other controls rather than replace them. A fingerprint or face cannot be rotated if its template leaks, which is why well-designed systems keep the biometric on the device and use it only to unlock a device-bound key, never sending it to the service. Effective authentication models combine multiple factors and contextual verification.
Many modern identity platforms also evaluate the device, location, and behaviour of a login attempt before granting access.
Authentication is gradually shifting from a single login event to continuous identity validation.
The Executive Test for Identity Security
Credential security should ultimately be viewed as a governance question rather than a technical setting.
Leadership should be able to answer several simple questions.
If credentials for critical systems were exposed tomorrow:
- Could the organisation identify where those credentials are used?
- Is multi-factor authentication enforced everywhere material?
- Can compromised access be revoked immediately?
- Is ownership of identity risk clearly defined?
If those answers are uncertain, the weakness is not password complexity. The weakness is governance and control visibility.
How Phenomlab Strengthens Identity Security
In practice, organisations rarely lack security tools. They lack clarity around how those controls should be implemented and governed.
Authentication controls are often fragmented across platforms, cloud services, and legacy systems. Password reuse persists. MFA coverage is inconsistent. Ownership of identity risk is unclear.
Phenomlab works with executive teams to bring structure and accountability to identity security.
This typically includes:
- assessing authentication architecture across critical systems
- enforcing MFA across all material services
- implementing enterprise password management securely
- eliminating password reuse and unsafe credential storage practices
- introducing passphrase-based credential policies
- integrating biometric and device-trust authentication where appropriate
- establishing clear ownership of identity risk within governance frameworks
The objective is not stronger passwords in isolation.
The objective is an authentication model that continues to hold under pressure.
When identity controls are designed deliberately and supported by clear leadership ownership, credential compromise becomes far more difficult to exploit.