Have you ever had “password rage”? You know, shouting at your computer screen, swearing or throwing a tantrum because you can’t remember a password?

If your answer is yes, you’re not alone. Even computer security professionals suffer from it. In a 2015 poll at an IT security conference, one-third of respondents admitted to feeling this way.

It’s understandable. Being forced to create and remember a random string of letters, numbers and special characters for dozens of personal and professional accounts can be maddening. It inevitably leads to bad password practices: reusing the same password again and again for different accounts, writing passwords down, or worse, using easy-to-remember words — such as “password.” And in implementing these bad practices, we could be opening the door for cybercriminals to gain access to our financial data or other personal information.

A recent inspection undertaken in my office at the Interior Department illustrates the risks. Our team tested whether the department’s password controls were effective at preventing a malicious actor from gaining unauthorized access to its systems. To accomplish this, we used a common technique known worldwide, spending less than $15,000 on a system designed to crack passwords using free, publicly available software and a custom word list.

And guess what? We successfully cracked more than 18,000 — or 21% — of the department’s passwords, nearly 14,000 in the first 90 minutes of testing alone. The hacked passwords included those for hundreds of accounts belonging to senior department officials and hundreds belonging to employees with elevated privileges, such as system administrators. Some of our findings were surprising, given that we were testing government systems containing potentially high-value information. For instance, “Password-1234” was the most commonly used password. In fact, five of the top 10 passwords included some variation of the word “password,” along with “1234.”

Even so, 99.99% of the hacked accounts met the department’s password complexity requirements, which included the string of letters, numbers and special characters that every computer user is so familiar with. In other words, 99.99% of the passwords our team hacked were considered strong enough to thwart a hacker.

Why should you care about this problem with passwords at the Interior Department? My sneaking suspicion is that Interior employees are no different from most Americans in how they use passwords, so if this problem exists in my department, it could exist across the federal government and in business offices and private homes nationwide.

But here’s the good news: There are solutions.

We made two recommendations to the department, but they apply equally to anyone using a computer at a nongovernment job or at home. First, we recommended that the department adopt multifactor authentication across all IT systems. MFA is the gold standard for cybersecurity. It refers to the use of at least two factors to access computer systems. The factors usually fall into three categories: something you have (a digital token), something you know (a password) and something you are (a fingerprint or retinal scan). MFA requires at least two of those factors, such as a fingerprint plus a password.

MFA is already required on all federal systems — and has been for decades. It’s not a new technology; various forms of it have been in use in private industry for 35 years. But our inspection showed that the department didn’t enforce MFA on an unknown number of systems. In fact, we found that nearly 90% of Interior’s high-value IT systems allowed MFA to be bypassed or permitted authentication through passwords alone. We therefore recommended that the department prioritize implementing MFA and requiring MFA methods that cannot be bypassed on all its systems.

Second, where MFA cannot be currently implemented, we recommended that the department move away from passwords and toward passphrases.

Here’s why: As we’ve come to rely on passwords more and more in our daily lives, bad actors have become better and better at defeating them. This has created a “negative feedback loop”: As password policies require more complexity, remembering passwords becomes more difficult, leading users to turn to simple, easy-to-remember patterns. According to the National Institute of Standards and Technology — the primary U.S. government agency for cybersecurity measurement, research and standards development — these common patterns have become easy targets for hackers, leading to additional password complexity requirements, in a never-ending cycle.

To make matters worse, passwords are not only hard to remember but also have the added benefit of being ineffective: Even complex passwords are remarkably easy for computers to guess. A computer can hack a password such as “5pr1ng*ish3re” relatively quickly. The better choice is a more easily remembered passphrase that strings together several unrelated words totaling more than 16 letters, such as “DinosaurLetterTrailChance.” Though a computer can break a complex password in days, if not hours, it could take the same computer centuries or even millennia to crack a passphrase. It’s counterintuitive, but the facts are clear: Passwords are hard for a person to remember and easy for a computer to crack, while the opposite is true of passphrases.
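The finding that nearly every cracked password still satisfied a composition rule, while a long passphrase of plain words would not, is easy to reproduce as a policy check. The script below is an added example written for this page, not code from the op-ed or from the Interior OIG inspection; it evaluates the three strings quoted above against a classic "three of four character classes" rule and against a length-plus-blocklist rule. The blocklist and the thresholds are constructed assumptions chosen to match the article's description, not a real deployment's word list.

```python
import re
import string

# Constructed, deliberately tiny blocklist of base words. The article's findings
# ("Password-1234" as the top password; five of the top ten built on "password"
# and "1234") are why any such list must at least contain "password".
# A real deployment would load a large breach-derived list instead.
COMMON_BASE_WORDS = {"password", "welcome", "qwerty", "letmein", "admin"}

# Common character substitutions, undone before the blocklist comparison so that
# "P@s$w0rd" and "password" are treated as the same base word.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s", "!": "i"})

MIN_PASSPHRASE_LEN = 16  # assumed threshold, following the article's "more than 16 letters"


def meets_legacy_complexity(pw: str, min_len: int = 12) -> bool:
    """Classic composition rule: minimum length plus three of four character classes.
    This is the kind of rule the article says 99.99% of the cracked passwords met."""
    classes = (
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    )
    return len(pw) >= min_len and sum(classes) >= 3


def normalized_base(pw: str) -> str:
    """Lowercase, undo substitutions and keep only letters, so the blocklist
    compares against the word the user actually had in mind."""
    return re.sub(r"[^a-z]", "", pw.lower().translate(LEET_MAP))


def contains_blocklisted_word(pw: str) -> bool:
    base = normalized_base(pw)
    return any(word in base for word in COMMON_BASE_WORDS)


def has_sequential_digits(pw: str, run: int = 4) -> bool:
    """Flag ascending digit runs such as '1234', the suffix the inspection found repeatedly."""
    for group in re.findall(r"\d+", pw):
        for i in range(len(group) - run + 1):
            window = group[i:i + run]
            if all(int(window[j + 1]) - int(window[j]) == 1 for j in range(run - 1)):
                return True
    return False


def passphrase_policy_reasons(pw: str) -> list:
    """Length-and-blocklist policy: returns the list of violations (empty means accepted)."""
    reasons = []
    if len(pw) < MIN_PASSPHRASE_LEN:
        reasons.append(f"shorter than {MIN_PASSPHRASE_LEN} characters")
    if contains_blocklisted_word(pw):
        reasons.append("built on a blocklisted base word")
    if has_sequential_digits(pw):
        reasons.append("contains a sequential digit run")
    return reasons


def meets_passphrase_policy(pw: str) -> bool:
    return not passphrase_policy_reasons(pw)


def evaluate(pw: str) -> dict:
    """Side-by-side verdict from both policies for one candidate."""
    return {
        "candidate": pw,
        "legacy_complexity": meets_legacy_complexity(pw),
        "passphrase_policy": meets_passphrase_policy(pw),
        "reasons": passphrase_policy_reasons(pw),
    }


if __name__ == "__main__":
    # The three strings quoted in the article.
    for sample in ("Password-1234", "5pr1ng*ish3re", "DinosaurLetterTrailChance"):
        print(evaluate(sample))
```

Run as written, the script shows the inversion the article describes: "Password-1234" and "5pr1ng*ish3re" both satisfy the composition rule yet fail the length-and-blocklist policy, while "DinosaurLetterTrailChance" fails the composition rule (no digit, no special character) and is the only one the passphrase policy accepts. The normalization step also treats the sign-off's "P@s$w0rdR@ge" as a variant of "password", which is exactly the pattern a blocklist needs to catch.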

I’m looking forward to the day when we have successfully achieved widespread adoption of these two best practices. Then we can all be more secure — and avoid P@s$w0rdR@ge.

Mark Lee Greenblatt is inspector general for the Interior Department and chair of the Council of the Inspectors General on Integrity and Efficiency.
