February 1 is change your password day, an annual “holiday” established back in 2012, according to a blog post from Gizmodo, as a way to get a wide collection of end users to change their passwords together.

Over the course of the past seven years, though, passwords have continued to create enormous risks to enterprise security, with many users either crafting weak passwords or reusing passwords across multiple accounts.

According to a LastPass survey, 39% of consumers never change their password unless it is required. In all likelihood, people don’t change their passwords because the average user has nearly 200 accounts to keep track of, which makes changing passwords every month or quarter unrealistic, according to LastPass.

“It will take some time to upload your credentials into the password manager, but invest the time and use the password generator function to create complex, new passwords for your accounts. Using a passphrase with a combination of complex characters such as $ymB0LS drastically increases your security and protection of personal data,” said Joseph Carson, chief security scientist at Thycotic.

What matters most when it comes to password protection is length, which is why it has become more commonplace to see sites requiring a minimum of eight-character passwords. Still, “there is a long-running myth that complex phrases using characters, numbers and letters is secure. They are not. These are simply hard-to-remember phrases that are quickly forgotten and reused in multiple locations,” said Chris Morales, head of security analytics at Vectra.

Instead, Morales said simple phrases, rather than complex combinations of characters and numbers, make better passwords. “'The quick red fox jumped over the lazy brown dog' is a much stronger and infinitely easier to remember password than '1W33$^Adgfi*()tyu.'”

When it comes to enterprise protection, LogRhythm advised businesses to use multifactor authentication whenever possible to protect critical infrastructure, such as VPN and email access. Also, avoid shared accounts. Instead, create separate accounts for each user of an application so that any actions performed are properly attributed to a specific employee, which will also limit the risk of inadvertent password exposure.