Are password managers safe for enterprise use? | TechTarget

In November 2024, Okta disclosed a vulnerability that allowed users to bypass password verification for usernames exceeding 52 characters under specific conditions. The flaw, present since July 2024, was rectified by switching from the Bcrypt algorithm to Password-Based Key Derivation Function 2 (PBKDF2).

Given the success of these attacks, should organizations use password managers? As the examples above illustrate, they are vulnerable to attacks. On the other hand, asking users to manage passwords in their heads is also risky.

If your organization opts to use a password manager, carefully evaluate real use cases, and discuss how a breach could affect sensitive data. Most experts agree that password managers are indeed safe but not impenetrable. Be sure to assess vendors and products carefully, and only choose an enterprise-grade option. Look for advanced encryption, MFA and other emerging features, such as behavior analysis.

If your organization feels password managers aren't worth the risk, consider NIST's Special Publication 800-63B-4. It recommends doing away with password composition requirements, such as mandatory special characters, numbers and uppercase letters. NIST also suggests that companies eliminate scheduled password rotation and reset passwords only when they are known to have been breached.

These pointers, if adopted, de-escalate the password creation side of the arms race. That doesn't mean users are off the hook, though. Looking at the science of creating strong passwords, length eclipses complexity quickly: each added character multiplies the search space by the size of the alphabet, whereas adding a character class only enlarges the alphabet by a constant factor. It is better to have a long, simple password than a short, complex one. Therefore, it makes sense to implement passphrases that are easy to remember. Think "how now brown cow" or "the squirrel stockpiles acorns."
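The following Python script is an added example, not code from TechTarget, NIST or Okta. It does two things the two preceding paragraphs describe in prose: it validates a candidate password the way SP 800-63B-4 suggests (length bounds and a breached-password blocklist, with no composition rules and no expiry), and it estimates how much work an attacker faces for a short complex password versus a long simple passphrase. The length bounds (8 minimum, 64 maximum accepted) are my reading of the draft and are assumptions as far as this article goes; the blocklist and the 7776-word dictionary size are constructed sample values, and the bit estimates are a simple search-space model, not a measurement.

```python
import math
import re

# Length bounds: my reading of the draft SP 800-63B-4 guidance (an assumption
# as far as the article goes): at least 8 characters, and verifiers must accept
# passwords of at least 64 characters.
MIN_LENGTH = 8
MAX_LENGTH = 64

# Constructed stand-in for a breached-password blocklist. A real deployment
# would consult a large compromised-credential corpus instead.
BREACHED_PASSWORDS = {"password", "123456", "qwerty", "letmein", "p@ssw0rd"}


def check_password(candidate: str) -> list[str]:
    """Validate a candidate the NIST way: length and blocklist only.

    Deliberately absent: composition rules (required digits, symbols, case)
    and any expiry logic. Returns the list of reasons for rejection; an
    empty list means the password is acceptable.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(candidate) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    # Case-insensitive match so trivial capitalisation does not dodge the list.
    if candidate.lower() in BREACHED_PASSWORDS:
        problems.append("appears in breached-password list")
    return problems


def charset_size(pw: str) -> int:
    """Alphabet an attacker must search if they infer the classes used."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if " " in pw:
        size += 1
    if re.search(r"[^a-zA-Z0-9 ]", pw):
        size += 32  # printable ASCII punctuation
    return size


def brute_force_bits(pw: str) -> float:
    """Bits of work for exhaustive search over the inferred alphabet:
    length * log2(alphabet). Length is the exponent, hence dominates."""
    size = charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def wordlist_bits(pw: str, dictionary_size: int = 7776) -> float:
    """Bits of work if the attacker guesses whole words from a dictionary.
    7776 is the size of a Diceware-style list (an assumption); this is the
    conservative bound for a passphrase made of common words."""
    words = pw.split()
    return len(words) * math.log2(dictionary_size) if words else 0.0


def compare(short_complex: str, long_simple: str) -> dict:
    """Side-by-side estimates for the two styles the article contrasts."""
    return {
        short_complex: {
            "accepted": not check_password(short_complex),
            "brute_force_bits": round(brute_force_bits(short_complex), 1),
        },
        long_simple: {
            "accepted": not check_password(long_simple),
            "brute_force_bits": round(brute_force_bits(long_simple), 1),
            "wordlist_bits": round(wordlist_bits(long_simple), 1),
        },
    }


if __name__ == "__main__":
    # Constructed sample inputs: two rejected candidates and the two styles.
    for pw in ["short1", "P@ssw0rd", "Tr0ub4d&3", "the squirrel stockpiles acorns"]:
        verdict = check_password(pw) or ["accepted"]
        print(f"{pw!r}: {', '.join(verdict)}")
    for pw, est in compare("Tr0ub4d&3", "the squirrel stockpiles acorns").items():
        print(pw, est)
```

Under the exhaustive-search model the 30-character passphrase is out of reach (about 143 bits) while the 9-character complex string sits near 59 bits. The caveat a practitioner should keep in mind is the dictionary model: four common words from a 7776-word list are only about 52 bits, comparable to the short complex password, so the length advantage is real but a fifth word or a less common one is what makes it decisive.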

Ushering in less complex -- and more usable -- passwords might even make it possible for organizations to get rid of their password managers altogether, leaving their safety a moot point.
