Umbrella IT Group - Managed Services Provider in Jacksonville Florida

Creating Good Passwords

Longer Passphrases Beat “Clever” Passwords

For as long as we’ve been using computers, we’ve been thinking about passwords all wrong!

Without going deep into the research, we now know that a 20+ character passphrase built from simple, unrelated words is millions of times stronger than the typical 8‑character “complex” password we’ve trained our whole lives to create (such as P@55w0rd!).

Test your password!

Safe and secure. Your password will be tested against some security guidelines and checked against the Have I Been Pwned database of known-leaked passwords. (Give them a visit and check if your email has been found anywhere as well!)
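The page does not say how its checker talks to Have I Been Pwned. This added example (not the site's own code) shows the public Pwned Passwords range lookup, where only the first five characters of the password's SHA-1 hash are sent and the match is done locally. The `constructed_fetch` stand-in and its response rows are constructed so the example runs offline.

```python
import hashlib
import urllib.request

def split_hash(password):
    """SHA-1 the password; return (5-char prefix to send, 35-char suffix kept local)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body):
    """Parse 'SUFFIX:COUNT' rows, skipping malformed rows and zero-count padding."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit() and int(count) > 0:
            counts[suffix.upper()] = int(count)
    return counts

def breach_count(password, fetch_range):
    """Times the password appears in the corpus; only the prefix reaches fetch_range."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

def fetch_range_online(prefix):
    """Live lookup against the public range endpoint (not called in this demo)."""
    req = urllib.request.Request(
        "https://api.pwnedpasswords.com/range/" + prefix,
        headers={"User-Agent": "password-check-example"},  # placeholder name
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

SENT = []  # everything the offline stand-in "server" gets to see

def constructed_fetch(prefix):
    """Offline stand-in returning constructed rows in the range-response format."""
    SENT.append(prefix)
    leaked_prefix, leaked_suffix = split_hash("P@55w0rd!")
    rows = [split_hash("filler-row")[1] + ":7", split_hash("padding-row")[1] + ":0"]
    if prefix == leaked_prefix:
        rows.insert(0, leaked_suffix + ":1234")  # constructed count
    return "\r\n".join(rows)

if __name__ == "__main__":
    for pw in ("P@55w0rd!", "Sapphire-Monsoon-Glacier-68"):
        print(pw, "->", breach_count(pw, constructed_fetch))
    print("sent to server:", SENT)
```

Swap `constructed_fetch` for `fetch_range_online` to query the real service; the password and its full hash still never leave the machine.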


Breakdown of a good passphrase:

Sapphire‑Monsoon‑Glacier‑68

Why is it so much better than P@55w0rd!?

  • 3+ random words with capitals and a number, separated by symbols. So easy to remember!
  • 30 characters on average (the sweet spot is 16 or more to beat password crackers)
  • Easy to say out loud, millions of times harder for a computer to guess!
  • Not in anyone’s hacked‑password list
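A generator for passphrases in the format broken down above, as an added example that is not part of the original page. The 16-word list is constructed for the demo, and the 7776-word list size used in the comment is an assumption standing in for a large published word list.

```python
import math
import secrets

# Constructed sample list; a real generator needs a list of thousands of words.
SAMPLE_WORDS = [
    "sapphire", "monsoon", "glacier", "lantern", "orchard", "pebble",
    "harbor", "thistle", "compass", "meadow", "ember", "walnut",
    "falcon", "ribbon", "cobalt", "tundra",
]

def make_passphrase(words, n_words=3, sep="-"):
    """Pick n_words with a CSPRNG, capitalize them, and append a two-digit number."""
    pool = sorted({w.strip().lower() for w in words if w.strip()})
    if n_words < 3:
        raise ValueError("use at least 3 words")
    if len(pool) < 2:
        raise ValueError("word list is too small to choose from")
    # secrets, not random: the picks must be unpredictable, and people choosing
    # their own "random" words tend to pick common, related ones.
    picks = [secrets.choice(pool).capitalize() for _ in range(n_words)]
    return sep.join(picks + [f"{secrets.randbelow(100):02d}"])

def guess_space_bits(list_size, n_words=3):
    """log2 of how many passphrases the generator can emit.

    Capitalization and the separator are fixed by the format, so only the
    word picks and the two digits count: list_size ** n_words * 100.
    """
    return n_words * math.log2(list_size) + math.log2(100)

if __name__ == "__main__":
    print(make_passphrase(SAMPLE_WORDS))
    print(f"16-word demo list, 3 words:  {guess_space_bits(16):.1f} bits")
    # Assumed size of a large published word list.
    print(f"7776-word list, 3 words:     {guess_space_bits(7776):.1f} bits")
    print(f"7776-word list, 5 words:     {guess_space_bits(7776, 5):.1f} bits")
```

Each extra word adds `log2(list_size)` bits, which is why length from additional random words matters more than swapping letters for symbols.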

How to change your password

Whether you’re locked out or want to update a weak password, here’s how to reset it depending on what you use:

🖥️ For Windows Users:

  • Press Ctrl + Alt + Del and click “Change a password”
  • You’ll need to know your current password to do this

🌐 For Microsoft 365 Users:

💻 Forgot Your Password Entirely?

MFA: an extra lock on the door

Even the best password can be defeated. That’s why Multi‑Factor Authentication (MFA) is a must. It adds an extra layer of security, like a code on your phone or a fingerprint scan: a second “are you really you?” step. Learn how to set up Microsoft Authenticator and more in our MFA setup guide.

Windows Hello, fingerprints & passkeys—what’s the difference?

In a business setting, combining passkeys/biometrics with strong device management keeps attackers out and saves employees from password fatigue.

Let’s break these down:

  • Windows Hello: A built-in way to log in using facial recognition, PIN, or fingerprint
  • Fingerprint/Face Recognition: Fast, secure, and hard to fake
  • Passkeys: The future of logins — passwordless authentication using biometrics or your device itself

These methods are not only easier — they’re safer. And guess what? Umbrella IT Solutions can help your organization set these up across all devices.

Why use a password manager?

“Isn’t putting all my passwords in one password manager risky?” A fair question! A reputable password manager (like Bitwarden, 1Password, or Keeper) uses strong encryption and zero-knowledge architecture, meaning not even the provider can see your data. Your vault is protected by a master password and often two-factor authentication (MFA). It’s far safer to use one well-guarded vault than it is to leave dozens of passwords scattered across weak storage methods. Plus, if one password is compromised, your manager will typically alert you and generate a new one — without you needing to remember a thing.

Upsides of a password manager:

  1. One vault, many locks – You remember one master passphrase; the manager remembers the rest.
  2. Auto‑fill, not auto‑forget – Stop re‑typing or re‑using the same password everywhere.
  3. Random on tap – Most managers have a built‑in generator for 25‑character gobbledygook when you need it.
  4. Encrypted everywhere – Good vaults sync through zero‑knowledge encryption (Bitwarden, 1Password, KeePass, etc.).
  5. Secure sharing – Hand off a password to a co‑worker without texting it to them.

Writing Down Passwords

It might seem convenient and harmless to jot your passwords on a sticky note or keep them in a notebook, but this creates a massive physical security risk. If someone gains access to your desk, bag, or even your home, they’ve got your entire digital identity right in front of them — no hacking skills required. Even well-meaning coworkers or family members could accidentally see them. In the workplace, this kind of exposure is a serious compliance red flag. Bottom line: if it can be picked up, read, or lost, it’s not secure.

Passwords in a File

Storing your passwords in a Word doc or spreadsheet — even if it’s named something sneaky like “recipes.xlsx” — is one of the most common and dangerous mistakes. If your device is ever infected with malware or accessed by someone malicious, those files are easy targets. Attackers and automated tools actively scan for unprotected documents that look like they might contain credentials. Even if it’s stored in the cloud, a breach of your Google or OneDrive account could expose it. And unless the file is encrypted (and we mean properly encrypted, not just password-protected), it’s a digital time bomb.

Reusing Passwords

Reusing the same password across multiple sites might feel like a way to keep things simple, but it’s also one of the fastest ways to get fully compromised. When a breach happens on one website — even something trivial like an old forum or shopping site — attackers get that password and immediately try it on email accounts, banking sites, social media, and more. This tactic, called credential stuffing, is automated and frighteningly effective. If you reuse passwords, one breach could unravel your entire digital life in minutes.

Browser Passwords – Chrome, Edge, Firefox

While browsers like Google Chrome and Microsoft Edge offer to save your passwords for convenience, relying on them as your primary password manager comes with serious risks.

First, browser-stored passwords are only as secure as your device login. If someone gains access to your computer — physically or remotely — they are able to view or export all saved passwords with little to no resistance.

Second, browser password managers lack critical features like breach monitoring, secure password sharing, passphrase generation, or multi-device access control — all of which are standard in proper password managers like Keeper, Bitwarden or 1Password.

Finally, browsers are massive attack surfaces. They’re constantly being targeted by malicious extensions and exploits. If your browser is compromised, your saved passwords are exposed along with it.

Key takeaways

  • Long, memorable passphrases + MFA or biometrics + a password manager give you iron‑clad security and fewer headaches.
  • Never reuse passwords across sites.
  • Don’t share passwords over plain text or unsecured email, and don’t write them down.
  • Change your password immediately if you think it’s been compromised.
  • Enable MFA everywhere you can.

Copyright © 2025. Umbrella IT Group. All rights reserved.