SURVEY SAYS: What Are Your Password Practices

PLANSPONSOR NewsDash readers shared whether they and their companies are using recommended password practices.

I recently asked NewsDash readers, “Does your company require you to change your passwords regularly and use complex password standards?” I also asked, “Are you implementing these practices in your personal use of web and digital applications?”

Sixty-one percent of responding readers work in a plan sponsor role, 23% work for recordkeepers/TPAs/investment consultants and 16% are advisers/consultants.

The majority of responding readers (72%) said their companies require employees to change their passwords for both work computers and applications on a regular basis. Nearly two in 10 (19%) reported that their companies only require this for computers, 3% indicated it is only required for applications and 3% said their companies do not require passwords for computers or applications to be changed on a regular basis.

Complex password standards (longer passwords that mix numbers, uppercase and lowercase letters and special characters) are required on the computer and all applications at 78% of respondents’ companies. Thirteen percent said complex password standards are not required, while 3% indicated they are required on all applications but not the computer and 6% said they are required on some applications.
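The "complex password standard" described above (a minimum length plus a mix of uppercase, lowercase, digits and special characters) is easy to encode as a policy check. The following Python script is an added example, not code from the PLANSPONSOR article or from any reader; the 14-character default minimum is an assumption (readers below report 13, 14 and 16), and the sample passwords are constructed, two of them modelled on the quote-initials and "red umbrella" tips in the reader comments further down the page.

```python
"""Checker for the 'complex password standard' described above: a minimum
length plus a mix of uppercase letters, lowercase letters, digits and special
characters. Added illustration, not code from the PLANSPONSOR article; the
default minimum length and the sample passwords are assumptions."""
import math
import string
from dataclasses import dataclass, field


@dataclass
class PolicyResult:
    ok: bool                                      # True when every rule passes
    failures: list = field(default_factory=list)  # human-readable rule misses
    entropy_bits: float = 0.0                     # crude upper-bound estimate


# Each rule: (description, alphabet, alphabet size used for the entropy estimate)
_CLASSES = [
    ("lowercase letter", set(string.ascii_lowercase), 26),
    ("uppercase letter", set(string.ascii_uppercase), 26),
    ("digit", set(string.digits), 10),
    ("special character", set(string.punctuation), len(string.punctuation)),
]


def check_password(password: str, min_length: int = 14) -> PolicyResult:
    """Apply the length rule and the four character-class rules.

    The entropy figure assumes every character was drawn uniformly from the
    union of the classes actually present. A password built from a quote or
    a dictionary word is far weaker than that number suggests, so treat it
    as an upper bound, not a measurement.
    """
    failures = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")

    alphabet_size = 0
    for name, alphabet, size in _CLASSES:
        if any(c in alphabet for c in password):
            alphabet_size += size
        else:
            failures.append(f"no {name}")
    if any(c not in string.printable for c in password):
        alphabet_size += 64  # assumption: flat bonus for non-ASCII characters

    entropy = len(password) * math.log2(max(alphabet_size, 1))
    return PolicyResult(ok=not failures, failures=failures,
                        entropy_bits=round(entropy, 1))


if __name__ == "__main__":
    # Constructed samples paired with a company minimum length.
    samples = [
        ("wytycoytycyr", 16),        # quote initials only: too short, one class
        ("r3DUm&re!!@", 13),         # all four classes, but 11 characters
        ("Wytycoytycyr!2024x", 16),  # initials plus capital, digits, symbol
    ]
    for pw, minimum in samples:
        result = check_password(pw, minimum)
        verdict = "PASS" if result.ok else "FAIL: " + "; ".join(result.failures)
        print(f"{pw!r:22} min={minimum:2}  {verdict}  (~{result.entropy_bits} bits)")
```

Running the script shows why the quote-initials trick on its own does not meet a 16-character, four-class policy, and why an 11-character string fails a 13-character minimum even though it mixes every class. The entropy column is there to make a second point: policy compliance and guess-resistance are different things, and the estimate only bounds the latter from above.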

As for personal practices, more than half (53%) of respondents said they change their passwords regularly for some web and digital applications, and one-quarter do so for all. More than two in 10 are not regularly changing passwords.

Two-thirds (66%) of respondents use complex password standards for personal use in some instances, 31% do so in all instances, and 3% do not.

More than one-third of respondents write down passwords to remember them. Password managers and memory are each used to recall passwords by nearly one-quarter (24%) of respondents. Six percent indicated they use all three methods.

A few readers shared many tips for creating passwords and for overall digital security. For example, one reader uses the first letters of the words in a quote; another uses a personal affirmation. One reader recommends a password manager for creating complex passwords, while another said they are not sure how secure password managers are. Instead of a password manager, one reader keeps all passwords in a password-protected document. But, as they said, “If I ever forget that password, I am sunk!” Editor’s Choice goes to the reader who said: “THERE ARE TOO MANY PASSWORDS, but I know they are necessary. Between work and home, there must be about 45 to keep track of. UGH.”

A big thanks to everyone who participated in the survey!


I use a saying that someone coined or used regularly then make my password the first letters of the words. For example, Henry Ford said: “Whether you think you can or you think you can’t, you’re right.” Your password would then be “wytycoytycyr” then throw a number in somewhere. The number could be the number of letters you’re using or the date you set it up (so you have an idea when it will expire). Our company requires that PW’s change every 60 days and have at least 16 characters/numbers. I change my personal passwords about every 6 months.

My company requires a password of at least 14 characters – and it is a challenge to come up with (and remember) a new one every 90 days.

I recommend a password manager. The manager can make up complex passwords for you. A password manager will not be fooled into entering your password into a spoofed website.

The best option is to use a minimum of 13 characters for passwords. Have fun with creating the password as the mix of letters, numbers, special characters so they spell a word – red umbrella = r3DUm&re!!@. Mostly, it is beneficial, especially for personal use, to change the password every 90 days. Set a reminder and update.

As our password requirements got longer, I decided I’d use a personal affirmation, altered with numbers and characters, so that I can both remember the password, and affirm a goal or belief each time I log in.

Use at least 24 numbers, letters and symbols.

I also make sure that I never do anything on social media that may reflect answers to my security questions. In addition, I log into all of my accounts at least once a month to check activity/change passwords, have opted into MFA [multi-factor authentication] wherever available, don’t autosave my passwords, only shop when on VPN [virtual private network], have different passwords for all of my accounts and subscribe to more than one service that looks for data breaches/dark web activity of my information, etc.

Some websites are ridiculous—look, all I want to do is look up a recipe and my password isn’t STRONG enough? What’s gonna happen if my recipe password is compromised?

I am not sure how safe password managers are.

THERE ARE TOO MANY PASSWORDS, but I know they are necessary. Between work and home, there must be about 45 to keep track of. UGH.

Company requires password changes every 90 days. No requirements for complexity. We do use multifactor authentication for most applications. I used to try to memorize passwords, but with the proliferation of applications requiring them and the advice not to repeat passwords, there are way too many to remember. I store them on a password protected document. If I ever forget that password, I am sunk!


NOTE: Responses reflect the opinions of individual readers and not necessarily the stance of Institutional Shareholder Services (ISS) or its affiliates.