Cybersecurity
Passwords, MFA, and the myth of the disciplined employee
Every password policy ever written assumes an employee who does not exist.
This person memorizes forty unique passwords, each sixteen characters, none reused, all rotated quarterly. They have never written one on a sticky note. They have never appended 2024! to an old one.
This person is fictional. And when your security depends on a fictional person, you don’t have security — you have a story you tell yourself.
Why reuse happens (and it isn't laziness)
People reuse passwords because the alternative was never humanly possible. Blaming them for it is like blaming someone for not memorizing the phone book.
And reuse is precisely what attackers count on. When any single site is breached, the stolen password gets tried everywhere else — automatically, at scale, for free. It costs an attacker nothing to try. It costs you everything when it works.
Use a password manager. That's the answer.
Not “try harder.” Not a policy poster. A tool.
You remember one strong password. It remembers the other forty, generates them properly, and fills them in. This isn’t a compromise or a shortcut — it’s the only approach that survives contact with actual human beings.
Length beats complexity
Four random words is stronger and vastly more usable than P@ssw0rd!. Complexity requirements mostly produce predictable substitutions — a becomes @, o becomes 0 — and attackers have known that for twenty years.
Then turn on MFA and stop worrying quite so much
Here’s the liberating part. With multi-factor authentication switched on, a stolen password on its own is nearly worthless.
Email first — it’s the account that resets every other account. Then banking. Then anything with customer data.
Yes, it’s mildly annoying. So is a seatbelt. Nobody has ever proposed removing seatbelts on the grounds that they’re inconvenient.
The practical version
- Roll out a password manager to the whole team. One afternoon.
- Turn on MFA for email, first, today.
- Change the reused passwords you already know about — you know the ones.
- Stop requiring 90-day rotation. It produces
Winter2026!and everyone knows it.
Want to know where you actually stand? We do free, no-pressure security checks for small businesses across the East Bay — backups, accounts, defenses. We tell you plainly what to fix first.
On password length over forced complexity and against arbitrary rotation, see NIST SP 800-63B.