Password best practices have changed over the years. Complex password policies have caused users to act in predictable ways, resulting in less secure passwords.

xkcd webcomic by Randall Munroe

The National Institute of Standards and Technology (NIST) develops information security standards that federal agencies must follow, and its guidelines are often used across the security industry. It now recommends removing password complexity and periodic change requirements for users, as these have been shown to be counterproductive.

The National Cyber Security Centre (NCSC) is the United Kingdom’s independent authority on cybersecurity. It recommends focusing on password length over complexity and has suggested the use of three random words as a password.

Here are some guidelines users can follow for creating passwords:

Do NOT…

  • Store passwords in plain text. This means do not write them down or store them unencrypted, such as in a spreadsheet

  • Use single dictionary words

  • Use obvious character substitutions (@ for a)

  • Use sequential characters (“123456” or “qwerty”)

  • Use personal information (names, pets, dates, etc.)

  • Reuse passwords. This includes just changing part of one (passwd01 to passwd02)

  • Honestly answer security questions

  • Change passwords often

Do…

  • Use at least eight characters and a combination of character types

  • Use a unique password for every account

  • Use a password generator to make random passwords

  • Use a password manager

  • Use SSO

  • Use multifactor authentication
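As an added example (not from the original post), here is a small Python validator that turns the two lists above into automated checks: minimum length and character-type mix, single dictionary words hidden behind obvious substitutions (@ for a, 0 for o), sequential runs such as 123456 or qwerty, and passwd01-to-passwd02 style reuse against a previous password. The wordlist is a constructed sample.

```python
import re

# Constructed sample wordlist; a real deployment would load a full dictionary or breach list.
COMMON_WORDS = {"password", "welcome", "dragon", "monkey", "letmein", "football"}
# Ordered sets and keyboard rows used to spot "123456"/"qwerty"-style runs.
SEQUENCES = ("0123456789", "abcdefghijklmnopqrstuvwxyz", "qwertyuiop", "asdfghjkl", "zxcvbnm")
# Undo the obvious substitutions the post warns about (@ for a, 0 for o, 3 for e, ...).
LEET = str.maketrans("@$!01345", "asioleas")


def has_sequence(password: str, run: int = 4) -> bool:
    """True if any forward or reversed run of `run` sequential characters appears."""
    p = password.lower()
    for seq in SEQUENCES:
        for i in range(len(seq) - run + 1):
            chunk = seq[i:i + run]
            if chunk in p or chunk[::-1] in p:
                return True
    return False


def is_dictionary_word(password: str) -> bool:
    """Strip a trailing digit/punctuation suffix, undo substitutions, and look the core up."""
    core = re.sub(r"[^a-z]+$", "", password.lower())
    return core.translate(LEET) in COMMON_WORDS


def is_trivial_variant(password: str, previous: str) -> bool:
    """passwd01 -> passwd02 style change: identical once digits and punctuation are removed."""
    letters = lambda s: re.sub(r"[^a-z]", "", s.lower())
    return letters(password) != "" and letters(password) == letters(previous)


def check_password(password: str, previous: str = "") -> list:
    """Return the list of guideline violations (an empty list means the password passes)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than eight characters")
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z\d]")
    if sum(1 for c in classes if re.search(c, password)) < 2:
        problems.append("uses only one character type")
    if is_dictionary_word(password):
        problems.append("single dictionary word, possibly with obvious substitutions")
    if has_sequence(password):
        problems.append("contains a sequential run such as 1234 or qwer")
    if previous and is_trivial_variant(password, previous):
        problems.append("trivial variant of the previous password")
    return problems
```

Calling `check_password("P@ssw0rd123")` returns the dictionary-word finding only, while the xkcd-style `"correct horse battery staple"` returns an empty list.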

Password Managers

If you are not using a password manager, now is the time to start. They store passwords securely, use end-to-end encryption, and remove the complexity of managing passwords. Most, if not all, have a password generator and some can automatically check your credentials against known security breaches and alert you. Enterprise editions will support shared passwords for your teams at work.

Curious if any of your online accounts have been compromised in a data breach? Check your accounts and passwords against those previously breached:

https://haveibeenpwned.com/

https://haveibeenpwned.com/Passwords
