I Audited 100 Employee Passwords. Here's What I Found.
Last year, I conducted password audits for five different Australian businesses. With proper permissions and ethical oversight, I analysed password hashes from approximately 100 employee accounts.
What I found was both shocking and completely predictable.
Before I share the results, let me be clear: this was done ethically. Written permission from leadership. Clear scope. Data anonymised. Hashes only—no plaintext passwords were visible to me. And every affected employee was notified and required to change their password.
With that out of the way, here's what password policy best practices look like in the real world—and why most businesses are doing it wrong.
The Numbers That Should Worry You
Out of 100 employee password hashes I analysed:
- 23% were crackable within 1 hour using standard dictionary attacks
- 41% contained the company name or a variation
- 67% contained predictable patterns (SeasonYear, Company123, NameBirthday)
- 31% were shared across multiple work accounts
- 18% were identical to passwords found in public breach databases
- Only 12% would be considered "strong" by NIST standards
Let me translate that: If I were an attacker with access to these password hashes, I could crack nearly a quarter of them before lunch.
And that's just the technical attack. The social engineering opportunities from those predictable patterns are even worse.
The Patterns People Actually Use
When I present these findings, people always ask: "What were the actual passwords?"
I can't share specifics (and wouldn't even if I could). But I can share the patterns. Because the patterns are what matter for password policy best practices.
Pattern 1: CompanyName + Number
Examples (modified to protect the innocent):
- AcmeCorp2024!
- Acme1234
- Work@Acme1
This accounts for about 20% of the passwords I saw. People think adding the company name and a number makes it secure. It doesn't. These are the first guesses any attacker tries.
Pattern 2: Season + Year + Symbol
- Spring2024!
- Summer24#
- March2024$
Another 15% or so. The thinking seems to be "I'll change it every season." But attackers know this pattern. "Spring2024!" is in every password cracking dictionary.
Pattern 3: Personal Information
- ChildName2020
- DogName123
- WeddingDate!
About 18% of passwords. The problem? This information is often public (social media) or easy to find (LinkedIn). Your dog's name is not a secret.
Pattern 4: Keyboard Patterns
- Qwerty123!
- 1qaz2wsx
- !QAZ2wsx
Roughly 10%. These look random to humans. To password cracking tools, they're trivial.
Pattern 5: The "Complexity" Fail
- P@ssw0rd123
- Changeme1!
- Welcome2024#
People try to follow complexity rules (upper, lower, number, symbol) but choose things that are still guessable. Complexity without randomness is theater.
Why Your Password Policy Is Probably Wrong
Most businesses have password policies that were written in 2010 and never updated. They focus on the wrong things:
Rule: "Must contain uppercase, lowercase, number, and symbol"
Problem: This leads to predictable transformations. "Password" becomes "P@ssw0rd1!"—which is just as guessable but harder to remember.
Better approach: Focus on length, not complexity. A 16-character passphrase beats an 8-character "complex" password every time.
Rule: "Must change every 90 days"
Problem: Forced rotation leads to predictable patterns. If your password is "Spring2024!", what will it be next quarter? "Summer2024!" obviously.
Better approach: Only force changes if there's evidence of compromise. NIST guidelines now recommend against periodic rotation.
Rule: "Cannot reuse last 12 passwords"
Problem: People just increment a number. Password1, Password2, Password3...
Better approach: Check against breach databases. Don't allow passwords that appear in known breaches, regardless of complexity.
Rule: "Minimum 8 characters"
Problem: 8 characters is trivially crackable with modern hardware.
Better approach: Minimum 12-16 characters. Encourage passphrases (multiple words) rather than passwords.
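The five patterns above and the "better approach" rules can be turned into a concrete acceptance check. The following is an added example written for this post, not the author's audit tooling: it rejects short passwords, company-name and personal-info variants, SeasonYear and keyboard-walk patterns, leet-substituted dictionary words, and anything in a breach corpus. The breach corpus is a constructed stand-in for a Have I Been Pwned style dataset, and the lookup mirrors HIBP's k-anonymity range model (only the first five SHA-1 hex characters leave the client) without making a network call.

```python
import hashlib
import re

# Constructed stand-in for a breach corpus such as HIBP's Pwned Passwords:
# SHA-1 hashes (uppercase hex) of a few passwords from the patterns above.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("P@ssw0rd123", "Welcome2024#", "Spring2024!", "1qaz2wsx")
}
SEASONS_MONTHS = ("spring", "summer", "autumn", "fall", "winter", "january",
                  "february", "march", "april", "may", "june", "july", "august",
                  "september", "october", "november", "december")
KEYBOARD_RUNS = ("qwerty", "asdf", "zxcv", "1qaz", "2wsx", "12345", "qaz")
BASE_WORDS = ("password", "changeme", "welcome", "letmein")
# Undo the usual "complexity" substitutions so P@ssw0rd normalises to password.
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s", "5": "s", "!": "i"})

def hibp_range(pw: str) -> tuple:
    """Split the SHA-1 the way the HIBP k-anonymity API does: the 5-char
    prefix goes over the wire, the 35-char suffix is compared locally."""
    h = hashlib.sha1(pw.encode()).hexdigest().upper()
    return h[:5], h[5:]

def in_breach_corpus(pw: str) -> bool:
    """Simulate the range lookup offline against the constructed corpus."""
    prefix, suffix = hibp_range(pw)
    suffixes = {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)}
    return suffix in suffixes

def check_password(pw: str, company: str, personal: tuple = (), min_length: int = 12) -> list:
    """Return the policy violations for pw; an empty list means accepted."""
    low = pw.lower()
    norm = low.translate(LEET)
    reasons = []
    if len(pw) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if company.lower() in norm:
        reasons.append("contains the company name")
    if any(tok.lower() in norm for tok in personal):
        reasons.append("contains personal information")
    if re.fullmatch(r"(" + "|".join(SEASONS_MONTHS) + r")\W*\d{2,4}\W*", low):
        reasons.append("season/month + year pattern")
    if any(run in low for run in KEYBOARD_RUNS):
        reasons.append("keyboard walk")
    if any(word in norm for word in BASE_WORDS):
        reasons.append("dictionary base word with substitutions")
    if in_breach_corpus(pw):
        reasons.append("appears in breach corpus")
    return reasons
```

Running the sample passwords from the patterns above through check_password flags every one of them, while a passphrase like "correct-horse-battery-staple" passes; in a real deployment the breach check would be done against the full HIBP range response for the computed prefix.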
Password Policy Best Practices That Actually Work
Based on what I've learned from these audits, here's what I recommend:
1. Prioritise Length Over Complexity
A 20-character passphrase like "correct-horse-battery-staple" is:
- Easier to remember than "P@ssw0rd1!"
- Harder to crack (much larger search space)
- Faster to type once learned
- More likely to be unique
Encourage employees to use passphrases. Three or four random words, separated by spaces or hyphens.
2. Check Against Breach Databases
Before accepting any new password, check it against Have I Been Pwned or similar services. If the password appears in known breaches, reject it—even if it meets all your complexity requirements.
Most modern identity systems can do this automatically.
3. Eliminate Periodic Rotation
Stop forcing password changes every 90 days. The research is clear: this reduces security rather than improving it.
Instead:
- Require changes only if compromise is suspected
- Monitor for leaked credentials
- Use MFA as your primary defence
4. Provide a Password Manager
The single best thing you can do for password security is provide (and require) a business password manager.
- Generate strong, unique passwords automatically
- Store them securely
- Share credentials safely within teams
- Monitor for compromised passwords
I recommend 1Password, Bitwarden, or Dashlane for business. The cost is negligible compared to a breach.
5. Educate About Personal Password Hygiene
Here's something that surprised me: employees with good personal password habits had better work passwords too. Correlation isn't causation, but it suggests that security-aware people are security-aware everywhere.
Train employees on password best practices for their personal accounts too. It reinforces the training and helps them develop good habits.
The MFA Gap
Remember how 23% of passwords were crackable within an hour? Here's the thing: if those accounts had MFA enabled, the cracked passwords wouldn't matter.
The businesses I audited that had MFA enabled on all accounts had dramatically lower risk profiles—even when passwords were weak.
MFA is your safety net. Passwords will always be imperfect. People will always choose predictable patterns. MFA compensates for that.
If you haven't rolled out MFA yet, stop worrying about password complexity and start worrying about MFA deployment. Check out our guide to MFA rollout best practices for practical advice on getting it done without the chaos.
Real Talk: The Passwords I Couldn't Crack
After sharing all the failures, let me share what worked.
The passwords I couldn't crack fell into two categories:
- Long passphrases: 20+ characters, multiple words, no obvious pattern
- Password manager generated: Random 20-character strings that look like "xK9#mP2$vL7@nQ4"
Both approaches work. Passphrases are better for master passwords (the one password you have to remember). Password manager generation is better for everything else.
Interestingly, the "password manager" group had almost no overlap with the "crackable" group. When you give people tools to do security right, they generally do.
The Executive Password Problem
Here's an uncomfortable truth: executives often have the worst passwords.
Why? Because:
- They're busy and don't want to deal with complexity
- They have a lot of accounts and can't remember unique passwords for all of them
- They resist MFA because it adds friction
- They expect exceptions to be made for them
I found C-level passwords that were:
- The company name + "1"
- Their child's name + birth year
- "Password123" (yes, really)
These are high-value targets. An attacker who compromises a CEO's email has access to everything. Board communications. Financial data. Strategic plans. The ability to authorise wire transfers.
Executives need white-glove security treatment. Sit down with them. Set up their password manager personally. Enroll them in MFA with support standing by. Make it easy for them to do the right thing.
What I Tell Employees About Passwords
When I present audit findings, employees always feel attacked. "You're saying we're stupid?" No. I'm saying the system is broken.
Here's what I tell them:
"Passwords are a terrible authentication system. They were never designed for what we use them for today. Remembering dozens of complex passwords is not a reasonable expectation for human beings.
"The solution isn't 'try harder.' The solution is tools. Password managers. MFA. Passphrases instead of passwords.
"We're going to give you those tools. We're going to make it easier to be secure than insecure. And we're not going to blame you for a broken system that predates most of you."
This approach works. It frames security as a shared problem with a shared solution—not as employee failures to be punished.
The Future of Passwords
Passwords are slowly being replaced. Passkeys (FIDO2/WebAuthn) are the future—cryptographic credentials that can't be phished or cracked.
But we're not there yet. For now, most businesses need:
- Better password policies (length over complexity)
- Password managers for everyone
- MFA on everything
- Breach monitoring
- Regular audits (with proper consent and ethics)
If you're still using password policies from 2010, it's time for an update. Your employees—and your security posture—will thank you.
Mathew Clark
Founder, SecureInSeconds
Currently: Running breach checks on all my own passwords and finding one from 2017 that needs changing
Further Reading:
- NIST Digital Identity Guidelines (SP 800-63B)
- Have I Been Pwned — check your own passwords
- Our guide to MFA rollout best practices — because passwords aren't enough
