Researchers warn short, simple passwords remain widespread, while proper tools and stricter rules are essential for improving overall credential strength.