Skip to content
All articles
Methodology

Passwords are an organizational problem: why policy and tooling beat "pick a better password"

By quantakrypto Research8 min
TL;DR

Read this first

"Pick a stronger password" is not a security strategy — it puts the whole weight of an organisation's exposure on the person least able to carry it. Credentials are the front door to most breaches, but the fix is systemic: a written policy grounded in modern guidance (NIST 800-63B — length over complexity, no forced rotation, screen against breached-password lists), the tooling that makes the policy achievable (password managers, MFA and passkeys, SSO, secret vaults), and automated scanning that catches credentials committed to code before they ship. The human problem and the secrets-in-code problem are different failures, and you need controls for both.

The oldest advice in security is also the least effective: "pick a stronger password." It puts the entire weight of an organisation's exposure on the one actor least equipped to carry it — a busy human being asked to invent and memorise dozens of unique, unguessable strings. Credentials remain the front door to almost every breach, but the answer is not a sterner lecture. It is a system: the right policy, the right tooling, and education that changes what people actually do.

Two problems wearing the same costume

The first problem is human, and it is well understood. People reuse passwords across sites, so one breached forum leaks the credential to a corporate VPN. They pick guessable passwords, or predictable variations that satisfy a composition rule without adding real entropy — "Password1!" clears most policies. And they get phished, handing a working password straight to an attacker, which is why credential theft rather than brute force drives so many intrusions. The majority of breaches involve a human element — including stolen credentials, phishing, and error — according to Verizon's annual Data Breach Investigations Report.

The second problem is systemic, and it is the one "choose a better password" cannot touch. Credentials do not only live in users' heads; they live in source code, config files, environment variables, CI logs, container images, and chat messages. A hardcoded API key or a private key committed to a repository is a credential too — one that never rotates, gets copied endlessly, and is exposed to everyone with read access to the code. No amount of end-user password hygiene addresses a secret sitting in git history.

From the audit floor

Attackers log in more than they break in

Stolen and reused credentials, phishing, and secrets exposed in code are consistently among the top ways organisations are compromised. Every control below exists to do one of two things: make a valid credential hard to obtain, or make a stolen one useless on its own.

What the modern guidance actually says

Much of the password advice baked into corporate policy is not just annoying — it is wrong by current standards. NIST Special Publication 800-63B, the U.S. government's digital identity guidelines, rewrote the rules around a simple finding: length and uniqueness beat complexity and churn. In NIST's terms a password is a "memorized secret," and the guidance is specific:

  • Favour length over complexity. Allow long passphrases — verifiers should accept at least 64 characters — and do not impose composition rules like forced symbols and mixed case, which mostly produce predictable patterns humans can still guess.
  • Stop forcing periodic rotation. Do not expire passwords on a schedule; require a change only when there is evidence of compromise. Routine 90-day resets push users toward weaker, incremental passwords.
  • Screen against known-breached passwords. Check every new password against a list of commonly used and previously compromised values, and reject matches at the point of creation.
  • Support the tools people actually use. Allow paste so password managers work, permit the full printable character set including spaces, and offer a "show password" option.

That screening step has a ready-made data source. Have I Been Pwned runs a Pwned Passwords service exposing over half a billion real-world passwords drawn from past breaches, queryable through a k-anonymity API so you never transmit the full password or its hash. Wiring it into your signup and password-change flows turns "don't reuse a breached password" from a slogan into an enforced control. CISA's plain-language guidance reaches the same place from the user's side: long, unique, and stored in a password manager.

Pitfall

The rules that backfire

Forced 90-day rotation and rigid composition rules feel rigorous and are actively counterproductive: they train users to cycle "Summer2026!" into "Autumn2026!" and to write passwords down insecurely. NIST removed both recommendations for good reason. If your policy still mandates them, it is enforcing 2005.

Policy: a document, not a poster

Tooling without policy is a pile of half-configured features; policy without tooling is a wish. Start with a written, owned password and secret-management policy — an actual document with an accountable owner, not a slide in onboarding. It should state what is required, what the organisation provides to make the requirement achievable, and how exceptions are handled. At minimum it covers:

  • Identity and access: SSO as the default front door, MFA required everywhere it can be, and phishing-resistant factors mandatory for administrators and high-value systems.
  • Password standards aligned to NIST 800-63B — sensible minimums, breached-password screening, and no counterproductive periodic rotation.
  • A company-provided password manager, with password reuse across work accounts explicitly prohibited rather than merely discouraged.
  • Secret management: no credentials in source code or config; anything sensitive lives in a vault or secrets manager, with defined rotation and revocation procedures.
  • Automated enforcement: secret scanning in CI, so the policy is checked by machines on every commit rather than trusted to memory and good intentions.

Tooling: the controls that make the policy real

People cannot follow a policy the environment fights. Each human failure mode has a tool that removes it — and the organisation's job is to deploy the tool, not to demand more willpower.

  • Password managers eliminate reuse and weak choices by making a unique, random password per site the path of least resistance. For the human side of the problem, this is the single highest-leverage control.
  • MFA and passkeys make a stolen password insufficient on its own. Passkeys — the FIDO and WebAuthn standard — are phishing-resistant by design: the credential is bound to the site and never leaves the device, so there is nothing to type into a fake login page. CISA recommends phishing-resistant MFA as the gold standard.
  • Single sign-on shrinks the credential footprint to one strong, well-defended identity, gives you a single place to enforce MFA, and lets you cut off access instantly when someone leaves.
  • Secret vaults and managers — HashiCorp Vault, cloud KMS and secrets managers — keep credentials out of code, can issue short-lived dynamic secrets, and make rotation a configuration change rather than a code change.
  • Secret scanning in CI catches the mistake at the moment it happens, before a leaked key reaches a shared branch or, worse, a public repository.

Secrets in code: the failure a password policy never touches

The most damaging credential incidents rarely involve a guessed password. They involve a secret that was committed to a repository and forgotten. In Uber's 2016 breach, attackers reached a private GitHub repository used by Uber engineers, retrieved cloud credentials stored there, and used them to access a datastore holding personal data on roughly 57 million riders and drivers. No password-strength rule would have helped: the credential was strong, valid, and sitting in the code.

This is exactly the class of failure automated scanning is built to catch. quantakrypto's scanner already detects hardcoded secrets, private keys, and credential material in source code — it carries dedicated PEM and private-key detectors, flags sensitive findings, and redacts the secret in its own output so the report does not become a second leak. A credential in git history is not a password-policy problem; it is a visibility problem, and you close it by looking on every commit rather than hoping no one ever pasted a key.

Decision

Put the check where the mistake happens

Breached-password screening protects logins; secret scanning protects your codebase. Run both automatically. Gate CI so a commit that introduces a private key, an API token, or a hardcoded credential fails the build — the cheapest possible place to catch a leaked secret is before it is ever merged.

Education that changes behaviour, not just awareness

Security training earns its bad reputation when it is a compliance video measured by completion rate. Education works when it targets a specific behaviour and the environment makes the new behaviour the easy one. Teach people to recognise phishing — then deploy passkeys so a fooled user still cannot hand over a usable credential. Tell engineers not to commit secrets — then give them a pre-commit hook and a CI gate that make it almost impossible to do by accident. The lesson and the tool have to arrive together; a warning without a safer default is just assigning blame in advance.

Where quantakrypto fits

Credential hygiene sits squarely in what we do. quantakrypto builds a code-security scanner that inventories cryptography and finds exposed secrets and keys in your source. We offer codebase scanning for hardcoded credentials and private-key material, a crypto and credential posture assessment that maps your real exposure, and CI gating so a leaked secret fails the build instead of shipping. Our parent studio, Dandelion Labs, provides the advisory layer — turning findings into a written policy, the right tooling, and training your team will actually follow. Start where the evidence is: one pass scans your codebase for exposed secrets and quantum-vulnerable cryptography at the same time — npx @quantakrypto/qscan ./

References

Get started

Turn quantum risk into a credential.

Book a discovery call and get an indicative scope and pricing for your organisation.