
Password management best practices

Practical guidance on password management best practices for organizations that want to improve secure behavior structurally.


Founder & Security Awareness Specialist · 2LRN4

A good password policy in 2026 looks different from ten years ago. Long passwords matter more than complex ones, a password manager is no longer a luxury but a necessity, and MFA is an important layer but no longer a complete shield. The future is passwordless with passkeys and hardware keys. What should employees actually do, and how do you set this up without paralysing the organisation with rules nobody understands?

Why passwords still matter, and where it goes wrong

Passwords have been the weakest link in most security incidents for years. Stolen or guessed credentials are still the most-used entry point in data breaches: an attacker buys a list of credentials from an earlier leak, tries them on hundreds of services, and gets in within seconds wherever employees reuse the same password across services.

In practice, password abuse comes in through three channels: reuse across services (the work and personal password are the same), weak or predictable passwords (Welcome2026!, company name plus year), and employees being deliberately lured into sharing a password via phishing or a fake helpdesk call.

None of these three is solved by enforcing more complex password rules. On the contrary, a policy that is too strict (four uppercase letters, two digits, three symbols, change every 30 days) demonstrably leads to weaker behaviour: people stick passwords under the keyboard, replace P@ssword1! with P@ssword2!, and continue to reuse across services. A good policy steers towards the behaviour you want to see, not towards a feeling of control.

What a strong password actually is: length over complexity

NIST and the Dutch NCSC have been saying the same thing for several years: length matters more than complexity. A password of four or five random words ("salt-piano-shiny-river-92") is easier for a human to remember and much harder for an attacker to crack than a short string of mixed-case letters and symbols.

A workable rule for your policy: a minimum of twelve characters, no mandatory mix of special characters, no mandatory change on a fixed interval. Do check passwords against publicly known breaches (use a service like Have I Been Pwned or a built-in check from your identity platform), and on a match require an immediate change.

Also stop forcing periodic password changes. Research has shown for years that mandatory rotation makes passwords weaker, because people fall into patterns. Only change when there is a reason: suspicion of compromise, a reported breach, or the departure of a colleague with shared access.
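The policy rules above (a twelve-character floor, no forced character mix, no fixed rotation, and a check against publicly known breaches) are small enough to show as working code. The following is an added example, not code from the article or from 2LRN4: it generates a random-word passphrase, compares the guessing entropy of four words against an eight-character mixed string, and checks a candidate password the way the Pwned Passwords range API is queried (only the first five hex characters of the SHA-1 leave the client). The word list, the breach table and its counts are constructed for the demo, and the lookup is an offline stand-in for the HTTP call.

```python
import hashlib
import math
import secrets
from typing import Callable, Dict, Iterable, Optional

MIN_LENGTH = 12  # policy floor from the article; no character-class mix, no expiry

# Hypothetical word list for the demo. A real deployment would load a published
# list such as the EFF long list (7776 words); this short one only keeps the example offline.
WORDLIST = [
    "salt", "piano", "shiny", "river", "copper", "lantern", "orbit", "velvet",
    "meadow", "falcon", "quartz", "harbor", "cinder", "maple", "tundra", "ember",
]


def generate_passphrase(words: int = 4, wordlist: Iterable[str] = WORDLIST) -> str:
    """Pick `words` random words with a CSPRNG and join them with hyphens."""
    pool = list(wordlist)
    return "-".join(secrets.choice(pool) for _ in range(words))


def entropy_bits(choices_per_position: int, positions: int) -> float:
    """Guessing entropy of a uniformly random string: log2(choices ** positions)."""
    return positions * math.log2(choices_per_position)


def _sha1_hex_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for the Pwned Passwords range endpoint
# (GET https://api.pwnedpasswords.com/range/<5 hex chars>, which answers with
# "SUFFIX:COUNT" lines). The passwords and counts below are made up for the demo.
_CONSTRUCTED_BREACHES = {"Welcome2026!": 3, "P@ssword1!": 120, "P@ssword2!": 45}


def build_local_range_db(breached: Dict[str, int]) -> Dict[str, str]:
    """Index breached passwords the way the range API does: prefix -> 'suffix:count' lines."""
    db: Dict[str, list] = {}
    for pw, count in breached.items():
        digest = _sha1_hex_upper(pw)
        db.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")
    return {prefix: "\r\n".join(lines) for prefix, lines in db.items()}


LOCAL_RANGE_DB = build_local_range_db(_CONSTRUCTED_BREACHES)


def local_range_lookup(prefix: str) -> str:
    """Offline replacement for the HTTP call; same response format as the real API."""
    return LOCAL_RANGE_DB.get(prefix, "")


def breached_count(password: str, lookup: Callable[[str], str] = local_range_lookup) -> int:
    """k-anonymity check: only the first five hex characters of the SHA-1 are sent;
    the full hash never leaves the client and the suffix match happens locally."""
    digest = _sha1_hex_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count or 0)
    return 0


def check_policy(password: str, lookup: Callable[[str], str] = local_range_lookup) -> Optional[str]:
    """Return None when the password is acceptable, otherwise the reason for rejection."""
    if len(password) < MIN_LENGTH:
        return f"too short: {len(password)} characters, minimum is {MIN_LENGTH}"
    count = breached_count(password, lookup)
    if count:
        return f"found in known breaches ({count} occurrences): choose a different one"
    return None  # no symbol/digit/case rules and no expiry: length plus breach check is the whole policy


if __name__ == "__main__":
    for candidate in ["Welcome2026!", "P@ssword1!", "salt-piano-shiny-river-92", generate_passphrase()]:
        verdict = check_policy(candidate) or "accepted"
        print(f"{candidate!r}: {verdict}")
    print(f"4 words from 7776: {entropy_bits(7776, 4):.1f} bits; "
          f"8 chars from 72: {entropy_bits(72, 8):.1f} bits")
```

To use the real service, replace `local_range_lookup` with a function that fetches `https://api.pwnedpasswords.com/range/<prefix>` and returns the response body; the rest of the check is unchanged. Note that Welcome2026! passes the length rule and is rejected only by the breach check, which is the point of combining the two.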

Why a password manager is not a luxury

An average employee in 2026 easily has more than a hundred accounts. The idea that anyone memorises a unique long password for each of them is outdated. A password manager takes over that job: it generates a unique long password per service, stores it encrypted, and fills it in automatically on the correct website.

For the organisation this delivers three benefits you cannot achieve any other way: employees stop reusing passwords (because they no longer have to remember anything), phishing becomes visible (the manager will not autofill on an unknown domain), and the move to passkeys is smoother because the password manager supports both.

Offer a password manager as an organisation. It does not have to be expensive; good business options start at a few euros per employee per month. Make it optional for personal use (often included in the same licence), so employees also work more safely at home. That lowers the risk that work data sits in personal accounts.

MFA: necessary but not enough, and the move to passkeys

Multi-factor authentication remains an important layer, but it is increasingly bypassed. Three techniques are routine in 2026: MFA fatigue (the attacker bombards the user with push notifications until someone approves one), adversary-in-the-middle (the attacker sits between you and the real site and steals the session cookie), and SIM swap (the attacker has your phone number moved to a SIM they control and receives your SMS codes).

In order of MFA strength: a hardware key (FIDO2) is strongest, followed by an authenticator app on a device you log into, then push notifications, and last of all SMS. SMS for MFA in 2026 is a last resort, not a preferred option.

The real solution is passwordless. Passkeys are cryptographic keys that stay on your device and cannot be stolen via a phishing site. The major services (Microsoft, Google, Apple, banks, government) all support them by now. For your awareness programme the message is simple: explain that passkeys are not an extra step but a strong replacement for password plus MFA, and help employees activate them the first time. Once in use they are even faster than a password.
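Why a passkey cannot be phished is easier to see in code than in prose. The block below is an added model of the WebAuthn login ceremony, not code from the article, 2LRN4 or any real library: the device only holds credentials scoped to the relying party ID it registered with, the browser derives that ID from the page's real origin, and the server checks the origin, the rpId hash, a single-use challenge and the signature. `example.com` and the look-alike `.test` domain are hypothetical, and an HMAC key stands in for the asymmetric key pair a real passkey uses so that the example runs with the standard library only.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Hypothetical relying party used throughout the example.
RP_ID = "example.com"
ALLOWED_ORIGINS = {"https://example.com"}


@dataclass
class Authenticator:
    """Model of the user's device. Credentials are scoped to the rpId they were
    created for, and the browser derives that rpId from the page's real origin."""
    credentials: Dict[str, bytes] = field(default_factory=dict)  # rp_id -> credential secret

    def register(self, rp_id: str) -> bytes:
        key = secrets.token_bytes(32)
        self.credentials[rp_id] = key
        # Stand-in: a real passkey hands out a public key and keeps the private key on-device.
        # Here one HMAC key plays the role of the key pair so the demo stays stdlib-only.
        return key

    def assertion(self, rp_id: str, origin: str, challenge: str) -> Optional[dict]:
        key = self.credentials.get(rp_id)
        if key is None:
            return None  # a look-alike domain maps to a different rpId, so nothing can be signed
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": origin}, sort_keys=True
        ).encode()
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01"  # rpIdHash + flags (UP)
        signed = auth_data + hashlib.sha256(client_data).digest()
        signature = hmac.new(key, signed, hashlib.sha256).digest()  # stand-in for ECDSA/EdDSA
        return {"client_data": client_data, "auth_data": auth_data, "signature": signature}


class RelyingParty:
    """Server side: stores the credential per user and verifies each assertion."""

    def __init__(self) -> None:
        self.keys: Dict[str, bytes] = {}
        self.pending: Dict[str, str] = {}

    def register(self, user: str, key: bytes) -> None:
        self.keys[user] = key

    def new_challenge(self, user: str) -> str:
        challenge = secrets.token_urlsafe(32)
        self.pending[user] = challenge  # single-use: consumed by the next verify()
        return challenge

    def verify(self, user: str, assertion: Optional[dict]) -> str:
        expected = self.pending.pop(user, None)
        if assertion is None:
            return "rejected: no credential for this origin"
        client = json.loads(assertion["client_data"])
        if client.get("type") != "webauthn.get":
            return "rejected: wrong ceremony type"
        if expected is None or client.get("challenge") != expected:
            return "rejected: challenge mismatch or replay"
        if client.get("origin") not in ALLOWED_ORIGINS:
            return f"rejected: origin not allowed ({client.get('origin')})"
        if assertion["auth_data"][:32] != hashlib.sha256(RP_ID.encode()).digest():
            return "rejected: rpIdHash mismatch"
        signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
        expected_sig = hmac.new(self.keys[user], signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected_sig, assertion["signature"]):
            return "rejected: bad signature"
        return "ok"


def login_from(origin: str, rp_id_seen_by_browser: str) -> str:
    """One full ceremony: register on the real site, then authenticate from `origin`."""
    device, server = Authenticator(), RelyingParty()
    server.register("alice", device.register(RP_ID))
    challenge = server.new_challenge("alice")
    return server.verify("alice", device.assertion(rp_id_seen_by_browser, origin, challenge))


def replayed_assertion() -> Tuple[str, str]:
    """A captured assertion presented a second time fails the single-use challenge check."""
    device, server = Authenticator(), RelyingParty()
    server.register("alice", device.register(RP_ID))
    challenge = server.new_challenge("alice")
    captured = device.assertion(RP_ID, "https://example.com", challenge)
    return server.verify("alice", captured), server.verify("alice", captured)


if __name__ == "__main__":
    print("real site:      ", login_from("https://example.com", "example.com"))
    # Constructed look-alike domain (.test is reserved for examples).
    print("look-alike site:", login_from("https://example-com.login.test", "example-com.login.test"))
    print("replay:         ", replayed_assertion())
```

The same scoping is what lets a password manager refuse to autofill on an unknown domain: the credential is bound to where it was created, and a convincing copy of the login page on another domain simply has nothing to offer.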

What to do after your password ends up in a breach

Data breaches are a fact of life in 2026. Sooner or later an employee password ends up in a known list, not always through your own organisation, but through a service where they had a personal account with the same password. What then?

  • Change the password immediately on the affected service, and on every other service where you happened to use the same password (the reuse the policy was trying to prevent in the first place).
  • Enable MFA if it was not on yet. It is available on virtually every modern service; turn it on.
  • Check the login history on the affected service. Sign out unknown sessions immediately and notify the service.
  • Report it to the security team if it concerns a business service. One compromise can be a stepping stone to broader access for an attacker; early reporting makes the difference between a contained incident and organisation-wide ransomware.
  • Consider switching to a passkey where the service supports it. Replacing a password with a passkey once removes this risk structurally for that service.

How to anchor this in an awareness programme

Password management does not belong in a single one-hour training once a year. It works better as a short, recurring theme connected to what employees already experience. A practical build:

Start with a module of six to eight minutes showing what a strong password is (three to five random words), why reuse is dangerous, and how the organisation password manager works. Combine that with an internal campaign making the password manager actively available: a short instruction video, a helpdesk hour, and possibly an hour for personal-use setup.

Follow up the theme in later months with shorter reminders: a poster campaign about passkeys, a news article after a major public breach with instructions ("check whether your password was included"), and a note in the annual risk analysis about which departments still rely on classic passwords. Make the theme personal: show how employees also make their private life safer, because knowledge that works at home automatically travels to the office.

Finally, align policy with reality. A password policy that still mandates 30-day rotation is not just outdated but demonstrably counterproductive. Steer on modern principles (length, uniqueness, MFA, passkey where possible), and in communication be explicit about why you are dropping outdated rules. That builds trust in the programme far more than a new list of requirements.

From explanation to action

See how 2LRN4 turns this topic into a workable programme with training, phishing simulation and management reporting.


FAQ

How long should a password be?

At least twelve characters. Length matters more than complexity. Three to five random words are easier for a human to remember and much harder for an attacker to crack than a short combination with uppercase letters and symbols.

Should employees change passwords regularly?

No, not automatically. Mandatory rotation demonstrably weakens passwords because people fall into patterns. Only change when there is a reason: suspicion of compromise, a reported breach, or departure of a colleague with shared access.

Is a password manager safe?

Yes. A good password manager encrypts your passwords locally with a master password stored nowhere else. The risk of one master password is negligible compared to the risk of reusing passwords across dozens of services.

What are passkeys?

Passkeys are cryptographic keys that stay on your device and cannot be stolen via a fake site. They replace password plus MFA in a single step, are faster in use and resistant to phishing and adversary-in-the-middle.

What should I do if my password appears in a breach?

Change the password immediately on the affected service and on every other service where you used the same password. Enable MFA and check the login history for unknown sessions. For a business service, always also inform the security team.

Which MFA method is the safest?

A hardware key (FIDO2) is strongest, followed by an authenticator app, then a push notification. SMS for MFA is a last resort: vulnerable to SIM swap and therefore the weakest of the common options.

Should organisations enforce password complexity?

Preferably not in the old way (mix of symbols, capitals, digits). Do require a minimum length of twelve characters and a check against publicly known breaches. Strict complexity rules demonstrably lead to weaker behaviour such as sticky notes and reuse.

External source: NCSC - Awareness resources
