2025 Password Security Trends: Best Practices for Businesses
Read Time 9 mins | 17 February 2025

Introduction
In today’s digital age, securing access to sensitive data is a critical concern for governments, organisations, and individuals. Passwords, while fundamental to authentication, are often undermined by poor practices such as weak passwords, reuse across platforms, and inadequate encryption. In response to these vulnerabilities, industry standards and guidelines have evolved to address modern security threats and introduce more robust protection methods. This paper examines the current state of password security, focusing on updated guidelines from the Australian Government, NIST, and leading tech companies. It evaluates both traditional and emerging security frameworks, explores the growing role of passwordless authentication, and discusses secure password storage techniques, particularly hashing and salting. Additionally, the study covers the evolution of Windows hashing algorithms, from NTLM to NTLMv2, the rise of password cracking tools like Hashcat, and the risks of password reuse, supported by recent research. This research aims to provide a comprehensive overview of best practices and emerging trends, equipping organisations with the necessary tools and standards to protect authentication systems against evolving cyber threats.
Standards and Guidelines in Password Security
Australian Government Recommendations
The Australian Government's stance on password security emphasises the importance of robust authentication mechanisms to enhance cybersecurity across government agencies and critical sectors. The Cyber Security Strategy 2023-2030 and recent updates to the Cyber Security Bill 2024 set out to establish Australia as a global leader in cybersecurity. This legislation requires enhanced security standards, particularly for critical infrastructure and sectors handling sensitive data, such as healthcare, finance, and telecommunications.
Key recommendations centre on multi-factor authentication (MFA); Microsoft Authenticator, for example, lets users approve access to a specific service linked to Microsoft MFA. MFA is strongly advised as part of Australia’s Essential Eight cybersecurity framework, which helps organisations mitigate common cyber threats. The framework also suggests organisations adopt advanced methods, such as passkeys, which align with global standards for passwordless and secure authentication.
Additionally, the 2024 Cyber Security Bill enforces that organisations regularly assess and update their security protocols, including password policies, incident response plans, and data protection practices. This is to ensure they have adequate risk management and employee training to handle cyber threats effectively. Failure to comply with these updated security standards, including MFA, could result in fines or legal actions, underscoring the government’s stringent approach to protecting sensitive data and maintaining high cybersecurity standards.
NIST Guidelines
The National Institute of Standards and Technology (NIST) emphasises practical, user-centric password security through its Digital Identity Guidelines. Passwords should be at least 8 characters long, with support for passphrases up to 64 characters. NIST de-emphasises traditional complexity rules (such as mandatory symbols) in favour of longer, more memorable passphrases, reducing reliance on arbitrary rules that often lead to predictable patterns.
Regular password expiration is discouraged unless evidence of compromise exists, reducing the risk associated with frequently reused or weak passwords. Additionally, organisations are advised to check passwords against lists of commonly used or compromised credentials, blocking those deemed insecure. NIST also highlights the importance of multi-factor authentication (MFA), recommending its implementation to enhance security, especially for sensitive accounts. Traditional knowledge-based authentication (KBA), like security questions, is discouraged due to susceptibility to social engineering attacks.
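The NIST rules summarised above (a minimum of 8 characters, passphrases of up to 64 characters accepted, no composition rules, and a check against known compromised or common passwords) translate directly into a small validator. The following is an added example written for this article, not code from NIST or from the article's author. The compromised-password list is a constructed stand-in for a real breach corpus, and the lookup mirrors the k-anonymity "range" scheme popularised by the Pwned Passwords API (SHA-1, 5-character prefix); lowercasing before hashing is this example's own design choice, as is rejecting anything over 64 characters.

```python
import hashlib
import unicodedata
from collections import defaultdict

# Bounds from NIST SP 800-63B as summarised in the article: at least 8
# characters, and passphrases of up to 64 characters must be accepted.
# Rejecting longer input is this example's own choice.
MIN_LENGTH = 8
MAX_LENGTH = 64

# Constructed stand-in for a compromised/common-password corpus. A real
# deployment loads millions of entries from a breach list instead.
SAMPLE_COMPROMISED = ["password", "123456", "qwerty", "letmein",
                      "iloveyou", "Welcome1", "sunshine", "football"]


def normalise(password: str) -> str:
    """NFKC-normalise so visually identical Unicode inputs compare equal and
    drop stray surrounding whitespace from paste errors. Length is measured
    in code points afterwards, so a multi-byte character counts once."""
    return unicodedata.normalize("NFKC", password).strip()


def sha1_prefix_suffix(password: str) -> tuple:
    """Split the uppercase hex SHA-1 of the password into a 5-character prefix
    and the remaining 35 characters. In a range-style lookup only the prefix
    leaves the client; the password and full hash never do."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def build_range_index(compromised) -> dict:
    """Index a compromised-password list as prefix -> set of suffixes, which is
    the shape a range query against a breach corpus returns. Entries are
    lowercased so the check is case-insensitive (a local design choice)."""
    index = defaultdict(set)
    for pw in compromised:
        prefix, suffix = sha1_prefix_suffix(pw.lower())
        index[prefix].add(suffix)
    return index


def is_compromised(password: str, index: dict) -> bool:
    """Fetch the suffix set for the candidate's prefix and compare locally."""
    prefix, suffix = sha1_prefix_suffix(password.lower())
    return suffix in index.get(prefix, set())


def check_password(candidate: str, index: dict) -> tuple:
    """Return (accepted, reasons). No composition rules are applied: an
    all-lowercase passphrase passes if it is long enough and not known to
    be compromised, which is exactly the NIST position described above."""
    pw = normalise(candidate)
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append("too_short")
    if len(pw) > MAX_LENGTH:
        reasons.append("too_long")
    if is_compromised(pw, index):
        reasons.append("compromised")
    return (not reasons, reasons)


if __name__ == "__main__":
    idx = build_range_index(SAMPLE_COMPROMISED)
    for pw in ["password", "correct horse battery staple", "Tr0ub4d", "x" * 70]:
        print(repr(pw), check_password(pw, idx))
```

Note that the validator never tells the user which rule a passphrase "almost" met in terms of character classes, because there are none; the only feedback is length and whether the value is already known to attackers.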
Microsoft’s Point of View
Microsoft advocates for moving away from traditional passwords in favour of passwordless authentication methods, such as Windows Hello, FIDO2 security keys, and the Microsoft Authenticator app. These passwordless solutions improve security by reducing risks like phishing and credential theft, and they also enhance user experience through seamless sign-ins using biometrics or hardware tokens. While transitioning to passwordless systems, Microsoft advises using multi-factor authentication (MFA) to add an extra layer of security. This shift not only strengthens cybersecurity but also results in significant cost savings, as it eliminates the need for frequent password resets and minimises associated productivity losses.
Evolving Authentication: Passwordless Approaches
Passwordless authentication is a security method that removes the reliance on traditional passwords for verifying user identities. Instead, it uses alternative authentication factors, such as biometric data (fingerprints, facial recognition), hardware tokens (like FIDO2 security keys), or smartphone apps (e.g., Microsoft Authenticator), to authenticate users securely. This approach eliminates the vulnerabilities associated with passwords, including phishing attacks and credential theft, which are common issues with traditional password-based methods.
The growing popularity of passwordless authentication stems from its ability to significantly enhance security while providing a smoother user experience. Traditional passwords are often weak or reused across multiple platforms, making them easy targets for cybercriminals. In contrast, passwordless methods are harder to bypass, as they rely on unique user traits or physical devices that are difficult to replicate. Additionally, passwordless authentication reduces the operational burden of managing passwords, such as resetting forgotten credentials, and minimises the costs associated with password recovery support.
Organisations are increasingly adopting passwordless methods as a viable alternative to traditional password-based systems, driven by the rising need for stronger security measures and the recognition that passwords are a significant point of failure in cybersecurity. The adoption of standards like FIDO2 further supports this shift, enabling secure and scalable passwordless authentication solutions that are compatible across a wide range of services and platforms.
Technical Aspects of Password Storage and Hashing
Hashing and Salting Techniques
Passwords are typically stored securely using a combination of hashing and salting techniques. Hashing transforms a password into a fixed-length string of characters (a hash) using a mathematical function. This process is one-way, meaning the original password cannot be computed back from the hash, so a stolen hash does not directly reveal the password. However, simply hashing passwords is not enough, as attackers can use precomputed tables (rainbow tables) to look up hashes if they know the algorithm used. To combat this, salting is applied, where a unique, random value (the salt) is added to the password before hashing. This ensures that even if two users have the same password, their hashed values will differ due to the unique salt, making attacks more difficult.
Several hashing algorithms are commonly used, each with its advantages and disadvantages:
- SHA-256: Part of the SHA-2 family, it is widely used in various security protocols. While it provides a secure hash, its main weakness is that it is fast and designed for general-purpose use, making it vulnerable to brute force attacks when used for password hashing. Because of this, it is not recommended for password storage without additional mechanisms like salting and key stretching.
- bcrypt: This algorithm is specifically designed for securely hashing passwords. It is slower than SHA-256, thanks to its key stretching feature, which increases the computational effort required to hash a password, making brute force attacks more difficult. One of bcrypt’s advantages is that it automatically handles salting. However, its main disadvantage is that it is relatively slow compared to more modern algorithms.
- scrypt: Similar to bcrypt, scrypt is another key stretching algorithm designed for password hashing. It is more memory-intensive than bcrypt, which makes it even harder to execute on specialised hardware like ASICs, further increasing its resistance to brute force attacks. However, this memory-intensive nature can lead to performance issues on low-resource devices.
- Argon2: Argon2 is designed to be highly secure and efficient. It offers tunable parameters for time and memory complexity, making it adaptable for different environments. Argon2d is resistant to GPU and ASIC attacks, while Argon2i is optimised for resistance to side-channel attacks. Its flexibility and high security make it the most recommended password hashing algorithm today, although it may be slower and more resource-intensive than others.
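To make the comparison above concrete, here is an added example (not code from the original article) using only Python's standard library. It shows why unsalted SHA-256 is unsuitable (identical passwords give identical hashes), how a per-user salt changes that, and a salted, memory-hard scrypt hash with constant-time verification. scrypt is used because `hashlib.scrypt` ships with Python, whereas bcrypt and Argon2 need third-party packages; the self-describing storage format, the parameters N=2^14, r=8, p=1 and the 16-byte salt are this example's own choices, not recommendations taken from the article.

```python
import hashlib
import hmac
import os

# Work factors for hashlib.scrypt. N=2**14 with r=8 costs roughly 16 MiB of
# memory per hash; these values are illustrative and should be raised to
# whatever the production hardware tolerates.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16  # a random salt per user; size is this example's choice


def unsalted_sha256(password: str) -> str:
    """Plain SHA-256, the pattern the article warns against: deterministic,
    so every user with the same password shares one hash and a single
    precomputed table covers all of them."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_sha256(password: str, salt: bytes) -> str:
    """Salting defeats shared precomputed tables, but SHA-256 is still fast,
    so each salted hash can be brute-forced on its own. Shown only to
    isolate what the salt contributes."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def hash_password(password: str) -> str:
    """Salted, memory-hard scrypt hash. The output records the scheme, the
    parameters and the salt, so parameters can be raised later while old
    records still verify."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), digest.hex()])


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters and salt recorded in the stored string and
    compare in constant time, so response timing does not leak how many
    bytes of the digest matched."""
    scheme, n, r, p, salt_hex, digest_hex = stored.split("$")
    if scheme != "scrypt":
        return False
    candidate = hashlib.scrypt(password.encode("utf-8"),
                               salt=bytes.fromhex(salt_hex),
                               n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Two users who happen to choose the same password.
    print("unsalted, user A:", unsalted_sha256("hunter2"))
    print("unsalted, user B:", unsalted_sha256("hunter2"))
    print("salted,   user A:", salted_sha256("hunter2", os.urandom(SALT_BYTES)))
    print("salted,   user B:", salted_sha256("hunter2", os.urandom(SALT_BYTES)))
    record = hash_password("hunter2")
    print("scrypt record:   ", record)
    print("verify correct:  ", verify_password("hunter2", record))
    print("verify wrong:    ", verify_password("hunter3", record))
```

Storing the parameters alongside the hash is what makes the "tunable" property of scrypt and Argon2 usable in practice: when hardware gets faster, new records are written with higher cost factors and existing ones are re-hashed on the user's next successful login.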
Hash History in Windows Systems
Windows’ password hashing has evolved significantly to enhance security. Early systems used LM hashes, which were easily cracked due to their simplicity and lack of case sensitivity. NT hashes, introduced with Windows NT, improved security but lacked salting, making them vulnerable to brute force attacks.
NTLM (NT LAN Manager) improved authentication but retained weaknesses, especially in NTLMv1. NTLMv2 addressed these issues with an HMAC-MD5 keyed hash in its challenge-response exchange, reducing replay attacks. However, NTLM remains susceptible to pass-the-hash exploits. Modern Windows environments favour Kerberos, offering stronger security and better resistance to attacks. Microsoft is gradually phasing out NTLM, aiming to eliminate it completely in favour of Kerberos and other modern protocols.
Hashcat and State-of-the-Art Hash Cracking
Hashcat is an advanced, open-source password recovery tool widely used for cracking hashed passwords. It supports a variety of hashing algorithms such as SHA256, NTLM, and bcrypt. What makes Hashcat powerful is its ability to utilise modern GPUs, significantly speeding up the password cracking process compared to CPU-only methods. Hashcat can perform several types of attacks, including brute force, dictionary, mask, and hybrid attacks, making it highly versatile for different use cases like recovering Wi-Fi passwords or auditing system security.
Recent developments emphasise optimising performance and expanding algorithm compatibility, underscoring the need for strong hashing practices. The latest discussions in the community highlight emerging methods to counteract brute force and dictionary attacks, stressing the need for adopting robust, modern hashing algorithms like Argon2, as tools like Hashcat can quickly exploit weaker algorithms or simple passwords. Using complex passwords and multi-factor authentication is crucial to defend against such sophisticated attacks.
Password Reuse and Its Implications
Research on Password Reuse
Password reuse persists mainly due to convenience, as managing numerous accounts with unique passwords is challenging. Despite knowing the risks, 78% of users still recycle passwords across platforms (Source), making them vulnerable to credential stuffing attacks, where attackers use a large set of stolen or leaked username-password combinations to attempt to gain unauthorised access to accounts on various websites. Younger users, especially Gen Z, often underestimate this threat, believing their practices are secure. This behaviour underscores the importance of using password managers and multi-factor authentication to mitigate these risks.
Practical Risks
Password reuse significantly increases the risk of attacks such as credential stuffing and account takeovers. In these scenarios, cybercriminals exploit stolen credentials from previous data breaches, often found on the dark web, to access users’ other accounts. Automated tools enable attackers to target widely used services, amplifying the threat. Research reveals that a majority of users still reuse passwords, making them highly vulnerable to cascading security breaches. High-profile incidents, like the LinkedIn data leak, highlight how exposed credentials are repurposed across platforms, creating a ripple effect of vulnerabilities.
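Credential stuffing has a recognisable shape in authentication logs that differs from ordinary brute force: one source tries a different username on each attempt (one leaked pair per account) rather than many passwords against one account. The following detection is an added example for this article, not code from the article's author or from any product mentioned in it. The log format, the five-minute window and the threshold of five distinct usernames are assumptions chosen for illustration, and the log lines are constructed sample data, not real traffic.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from a real system). Format is an
# assumption for this example: ISO timestamp, result, user=..., ip=...
# Mixed in: ordinary users with the odd typo, and one source (198.51.100.20)
# trying a different username on every attempt, with one success among them.
SAMPLE_LOG = """\
2025-02-17T09:00:01Z FAIL user=alice ip=203.0.113.5
2025-02-17T09:00:03Z OK   user=alice ip=203.0.113.5
2025-02-17T09:00:10Z FAIL user=bob ip=198.51.100.20
2025-02-17T09:00:11Z FAIL user=carol ip=198.51.100.20
2025-02-17T09:00:12Z FAIL user=dave ip=198.51.100.20
2025-02-17T09:00:13Z OK   user=erin ip=198.51.100.20
2025-02-17T09:00:14Z FAIL user=frank ip=198.51.100.20
2025-02-17T09:00:15Z FAIL user=grace ip=198.51.100.20
2025-02-17T09:00:40Z OK   user=bob ip=192.0.2.77
2025-02-17T09:30:00Z FAIL user=heidi ip=198.51.100.20
"""

# Tuning values are assumptions for this example; real thresholds depend on
# the service's normal traffic (shared NAT gateways need higher ones).
WINDOW = timedelta(minutes=5)
DISTINCT_USER_THRESHOLD = 5


def parse_line(line: str) -> dict:
    """Parse one log line into a dict with a datetime, success flag, user and ip."""
    ts, result, user_kv, ip_kv = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "ok": result == "OK",
        "user": user_kv.split("=", 1)[1],
        "ip": ip_kv.split("=", 1)[1],
    }


def detect_credential_stuffing(log_text: str, window=WINDOW,
                               threshold=DISTINCT_USER_THRESHOLD) -> dict:
    """Flag source IPs that attempt logins for at least `threshold` distinct
    usernames inside any sliding `window`. Successful attempts count too: a
    success buried among failures is the account most likely taken over, so
    it is reported separately as `succeeded`. Returns ip -> alert dict."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            in_window = evs[start:end + 1]
            users = {e["user"] for e in in_window}
            if len(users) >= threshold:
                alert = alerts.setdefault(ip, {"first_seen": evs[start]["ts"],
                                               "usernames": set(),
                                               "succeeded": set()})
                alert["usernames"] |= users
                alert["succeeded"] |= {e["user"] for e in in_window if e["ok"]}

    # Sorted lists are easier to compare and to serialise into a ticket.
    for alert in alerts.values():
        alert["usernames"] = sorted(alert["usernames"])
        alert["succeeded"] = sorted(alert["succeeded"])
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, alert)
```

The `succeeded` field is the response priority: those accounts need a forced credential reset and session revocation, while the source IP is a candidate for rate limiting. The single late attempt at 09:30 is outside any qualifying window and is correctly not counted.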
Oko, our cutting-edge dark web monitoring solution, helps organisations identify compromised credentials on the dark web before it’s too late. By proactively detecting stolen data, Oko empowers businesses to act swiftly and mitigate risks, safeguarding their operations from potentially devastating security breaches.
To mitigate these threats, organisations should prioritise unique passwords for every account, supported by password managers and multi-factor authentication (MFA). These practices, combined with real-time dark web monitoring from Oko, are crucial for protecting sensitive information and maintaining a robust security posture.
For more insights into the dark web and how it poses risks to your organisation, read our related guides:
- What is the Dark Web? Understanding the Clear, Deep, and Dark Web
- What is Dark Web Monitoring? A Beginner's Guide for Businesses
Conclusions
Summary of Findings
Password security remains a critical issue, with widespread password reuse leading to significant vulnerabilities such as credential stuffing. Updated standards from organisations like NIST and the Australian Government advocate for stronger measures, including complex passwords, regular reviews, and the implementation of multi-factor authentication (MFA). Additionally, dark web monitoring with tools like Oko offers businesses an extra layer of protection by identifying and addressing compromised credentials before they can be exploited.
Future Directions
Further advancements in password security could explore the use of machine learning and AI to detect anomalous usage patterns and predict weak passwords. Additionally, the development of more secure hashing algorithms, including those resistant to quantum computing, is crucial. The adoption of passwordless authentication solutions such as biometrics and passkeys should focus on improving accessibility while maintaining strong security protocols.
Recommendations
To mitigate evolving cybersecurity threats, organisations should:
- Adopt complex, unique passwords for all accounts.
- Avoid frequent password expiration policies unless evidence of compromise exists.
- Implement multi-factor authentication (MFA) as a standard.
- Use password managers to securely store credentials.
- Leverage dark web monitoring tools like Oko to detect compromised credentials proactively.
- Transition to passwordless authentication methods, such as biometrics or passkeys, to reduce dependency on traditional passwords.
These practices, coupled with regular security audits and dark web monitoring, ensure a proactive approach to cybersecurity, reducing the risks associated with password-based systems.
Discover how Oko can help protect your business - start now for free!