Cybersecurity threats continue to evolve, and businesses are under constant pressure to protect sensitive data, systems, and user accounts. At Giraffe, we believe that strong authentication practices are one of the most important steps any organisation can take to improve security. While passwords remain widely used, weak or reused passwords continue to be one of the leading causes of data breaches and account compromises. Attackers use automated tools, phishing campaigns, and credential stuffing attacks to exploit poor password habits every day. That is why businesses should enforce a modern password policy while also preparing for the future through the adoption of passkeys.
Giraffe’s Recommended Password Policy
We recommend that all passwords used for company systems, accounts, and services meet the following requirements:
Minimum Length
Passwords should contain a minimum of 16 characters.
Longer passwords are significantly more difficult for attackers to crack and provide far greater protection against brute-force attacks.
Complexity Requirements
Passwords should include at least:
- One uppercase letter (A–Z),
- One lowercase letter (a–z),
- One number (0–9),
- One special character such as !, @, #, $, %, ^, or &.
Strong password complexity makes passwords less predictable and more resistant to automated attacks.
No Maximum Password Length
We do not recommend enforcing a maximum password length. Allowing users to create longer passphrases improves both usability and security.
For example:
MountainCoffee!RiverTrain2026SecureLaptop&BlueSkyOffice42
Passphrases like this are easier to remember and considerably more secure than shorter passwords.
Avoid Easily Guessable Information
Passwords should never include:
- Names,
- Birthdays,
- Company names,
- Common words,
- Keyboard patterns such as “123456” or “qwerty”.
Cybercriminals routinely use publicly available information and breached password databases during attacks.
Never Reuse Passwords Across Multiple Accounts
Using the same password across multiple accounts creates a significant security risk. If one account becomes compromised in a data breach, attackers will often attempt to use the same credentials on other services, a technique known as credential stuffing.
This means that a single compromised password could potentially expose:
- Email accounts,
- Microsoft 365 or Google Workspace,
- VPN and remote access systems,
- Banking and finance platforms,
- Social media accounts,
- Administrative systems.
Every account should have its own unique password to minimise the impact of a breach and prevent attackers from gaining wider access to company systems.
The Importance of Password Managers
Remembering unique, complex passwords for every account is difficult for most users. This is why we strongly recommend using a password manager.
Password managers securely generate, store, and autofill strong passwords, reducing the temptation to reuse passwords or store them insecurely.
One popular option is LastPass, although there are several reputable password managers available. The key priority is ensuring employees consistently use a secure password management solution.
Why Businesses Should Start Using Passkeys
Although strong passwords remain important, the cybersecurity industry is increasingly moving towards passwordless authentication through passkeys.
Passkeys are a modern authentication method built on FIDO standards. Instead of typing a password, users sign in with biometrics, a device PIN, or a hardware security key, which unlocks a private key stored securely on their device.
Unlike passwords, passkeys are designed to be phishing-resistant and cannot be reused across different websites. They use cryptographic key pairs rather than shared secrets, dramatically reducing the risk of credential theft.
Major technology companies including Apple, Google, and Microsoft already support passkeys, and adoption is rapidly increasing across businesses and online services.
The Benefits of Passkeys
Passkeys provide several advantages over traditional passwords:
- Resistant to phishing attacks,
- No passwords to remember or reuse,
- Faster and easier login experiences,
- Reduced account takeover risk,
- Improved user experience across devices,
- Lower support costs caused by password resets.
Passkeys also help eliminate many of the risks associated with weak or reused passwords, making them an important part of the future of cybersecurity.
Passwords Are Still Important… For Now
Despite the rise of passkeys, passwords are not disappearing overnight. Many systems and services still rely on traditional password authentication, meaning organisations must continue enforcing strong password policies alongside multi-factor authentication (MFA).
Businesses should view passkeys as part of a long-term security strategy rather than a complete overnight replacement.
Additional Security Best Practices
Alongside strong passwords and passkeys, businesses should also:
- Enable multi-factor authentication (MFA),
- Provide regular cybersecurity awareness training,
- Monitor for compromised credentials,
- Use unique credentials for every service,
- Review access permissions regularly,
- Keep systems and devices updated.
Cybersecurity is strongest when multiple layers of protection work together.
Final Thoughts
A strong password policy remains one of the simplest and most effective ways to improve business security. However, organisations should also begin embracing passkeys as part of a modern authentication strategy.
By combining strong passwords, unique credentials, password managers, MFA, and passkey adoption, businesses can significantly reduce their exposure to phishing, credential theft, and account compromise.
At Giraffe, we encourage organisations to take proactive steps today to protect their systems, employees, and customers from evolving cyber threats.