Password Best Practices
Weak passwords remain one of the top causes of data breaches. The rules you learned ten years ago (eight characters, one uppercase, one number, one symbol) are outdated. Modern guidance from NIST (the National Institute of Standards and Technology) has shifted significantly. Here is what actually works.
Length Over Complexity
A 16-character password made of four random words is dramatically harder to crack than an 8-character password with special characters. Here is why:
- P@ssw0rd! - 9 characters, meets traditional complexity rules, but it is one of the most commonly used passwords in the world. An attacker's dictionary cracks it in seconds.
- correct horse battery staple - 28 characters, easy to remember, and would take a brute-force attack an impractically long time to crack.
NIST now recommends passwords (or passphrases) of at least 12 characters, with 16 or more being ideal. Every added character multiplies the number of guesses an attacker has to make, so length adds security far faster than extra character classes do. A 20-character lowercase passphrase is stronger than an 8-character password with uppercase, lowercase, numbers, and symbols.
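To put numbers on the comparison above, here is an added example (not part of the original article) that scores a password as a wordlist hit, a random string over its character classes, or a random passphrase, and estimates how long exhausting that space would take. The wordlist, the 7776-word list size and the guess rate are constructed assumptions.

```python
# Added example: a wordlist hit costs one lookup regardless of symbols; a
# randomly generated password costs up to charset**length guesses.
# COMMON_PASSWORDS, WORDLIST_SIZE and GUESSES_PER_SECOND are constructed values.
import math

COMMON_PASSWORDS = {"password", "123456", "qwerty", "P@ssw0rd!", "Max1985!"}
GUESSES_PER_SECOND = 1e10      # assumed offline cracking rate for a fast hash
WORDLIST_SIZE = 7776           # a Diceware-sized list to draw words from


def charset_size(pw: str) -> int:
    """Alphabet an attacker must cover for a randomly chosen password."""
    classes = [(str.islower, 26), (str.isupper, 26), (str.isdigit, 10),
               (lambda c: not c.isalnum(), 33)]   # 33 = printable punctuation
    return sum(n for test, n in classes if any(test(c) for c in pw))


def search_bits(pw: str) -> float:
    """log2 of guesses needed: 0 for a wordlist hit, else len * log2(charset).
    The charset figure only holds for random passwords; a human pattern such
    as 'petname + year + !' is far weaker than its length and classes suggest."""
    if pw in COMMON_PASSWORDS:
        return 0.0
    return len(pw) * math.log2(charset_size(pw))


def passphrase_bits(words: int, wordlist_size: int = WORDLIST_SIZE) -> float:
    """Effort for `words` words rolled at random from the list. (The famous
    xkcd phrase itself is on cracking wordlists by now; the estimate applies
    to words you actually picked at random.)"""
    return words * math.log2(wordlist_size)


def years_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Years to try every candidate at `rate` guesses per second."""
    return 2 ** bits / rate / (365.25 * 24 * 3600)


if __name__ == "__main__":
    for label, bits in [
        ("P@ssw0rd! (on every wordlist)", search_bits("P@ssw0rd!")),
        ("8 chars, all four classes", search_bits("aB3$xY9!")),
        ("20 chars, lowercase only", search_bits("kqzmbdtjlwrfxoypguhe")),
        ("4 random words", passphrase_bits(4)),
    ]:
        print(f"{label:32s} {bits:6.1f} bits  {years_to_exhaust(bits):.2e} years")
```

The random 20-character lowercase string comes out around 94 bits against about 53 for the 8-character mixed one, which is the article's point; the wordlist hit scores zero no matter how it looks.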
Use a Password Manager
The human brain cannot remember unique, strong passwords for the dozens of accounts we all maintain. Password managers solve this problem completely.
- What they do: Generate, store, and auto-fill unique passwords for every account. You remember one strong master password, and the manager handles the rest.
- Recommended options: Bitwarden (open source, free tier available), 1Password (excellent for teams), and the built-in managers in your browser (acceptable but less feature-rich than dedicated tools).
- For businesses: Choose a password manager with team features: shared vaults for service accounts, admin controls, activity logging, and the ability to revoke access when someone leaves.
- Common objection: "But what if the password manager gets hacked?" Password managers encrypt your vault with your master password. Even if the company's servers are breached, the encrypted vault is useless without your master password. This is still far safer than reusing passwords or writing them on sticky notes.
Multi-Factor Authentication (MFA) Everywhere
MFA is the single most important thing you can do to protect your accounts. Even if your password is stolen, MFA prevents the attacker from logging in.
- What it is: Requiring a second form of verification beyond your password. This is typically a code from an authenticator app, a push notification, or a physical security key.
- Where to enable it: Email, banking, cloud services, social media, password manager, VPN, remote desktop, and any system that contains sensitive data. If a service offers MFA, turn it on.
- Best methods (in order of security):
  - Hardware security keys (YubiKey, Google Titan) - most secure, resistant to phishing
  - Authenticator apps (Microsoft Authenticator, Google Authenticator, Authy) - strong and practical for most businesses
  - SMS text messages - better than nothing, but vulnerable to SIM swapping attacks. Use this only if no other option is available.
- For healthcare organizations: HIPAA does not explicitly require MFA, but the OCR (Office for Civil Rights) has made it clear through enforcement actions that MFA is expected for any system accessing ePHI. Treat it as required.
Never Reuse Passwords
Password reuse is the reason that a breach at one website can compromise your bank account, your email, and your work systems.
- When a website gets breached (and they do, regularly), attackers get your email and password combination.
- They automatically try that same email and password on hundreds of other services (banks, email providers, cloud apps). This is called credential stuffing.
- If you used the same password on your work email, your personal email, and your bank, all three are now compromised.
- A password manager eliminates this risk by generating a unique password for every account.
You can check whether your email has appeared in known breaches at haveibeenpwned.com. If it has, change the password for that service immediately and for any other service where you used the same password.
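Credential stuffing also has a recognisable shape in your own login logs: one source trying many different usernames, roughly once each, with mostly failures. The following added example (not from the original article) flags that pattern in constructed log lines and, more importantly, lists the accounts where a reused password actually worked. The log format and field names are assumptions.

```python
# Added example: minimal credential-stuffing detector over constructed auth
# logs. Format '<iso-time> ip=... user=... result=...' is assumed, not real.
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2024-05-01T10:00:01Z ip=203.0.113.7 user=alice result=fail
2024-05-01T10:00:02Z ip=203.0.113.7 user=bob result=fail
2024-05-01T10:00:02Z ip=203.0.113.7 user=carol result=fail
2024-05-01T10:00:03Z ip=203.0.113.7 user=dave result=success
2024-05-01T10:00:04Z ip=203.0.113.7 user=erin result=fail
2024-05-01T10:00:05Z ip=203.0.113.7 user=frank result=fail
2024-05-01T10:00:09Z ip=198.51.100.4 user=alice result=fail
2024-05-01T10:05:00Z ip=192.0.2.9 user=grace result=success
"""


def parse_line(line: str) -> dict:
    """'<iso-time> k=v k=v ...' -> dict with a parsed 'ts' field."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return rec


def find_stuffing_sources(log_text: str, window: timedelta = timedelta(minutes=5),
                          min_users: int = 5, min_fail_ratio: float = 0.6) -> dict:
    """Flag IPs that hit many distinct usernames, mostly failing, within a sliding
    window. 'compromised' lists accounts where a guess succeeded: those need a
    forced password reset and MFA, not just a blocked IP."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            by_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            span = recs[start:end + 1]
            users = {r["user"] for r in span}
            fails = sum(r["result"] == "fail" for r in span)
            if len(users) >= min_users and fails / len(span) >= min_fail_ratio:
                prev = flagged.get(ip, {"distinct_users": 0})
                if len(users) > prev["distinct_users"]:   # keep the widest window
                    hits = sorted(r["user"] for r in span if r["result"] == "success")
                    flagged[ip] = {"distinct_users": len(users), "compromised": hits}
    return flagged
```

A single user failing a few times from one address (198.51.100.4 above) is not flagged; the thresholds are starting points to tune against your own traffic.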
Avoid Personal Information
Attackers research their targets. Information that feels private to you may be easily discoverable.
- Do not use your name, birthday, anniversary, pet's name, children's names, or address.
- Do not use your favorite sports team, school mascot, or hometown.
- Do not use keyboard patterns (qwerty, 123456, zxcvbn).
- Do not use common substitutions (@ for a, 0 for o, 3 for e). Attackers' tools account for these automatically.
- Social media makes it easy to find personal details. If your Facebook profile shows your dog's name is Max and you were born in 1985, "Max1985!" is not a secure password.
Passkeys: The Future of Authentication
Passkeys are a newer technology that may eventually replace passwords entirely. Here is what you need to know.
- What they are: Passkeys use public-key cryptography tied to your device (phone, laptop) and your biometrics (fingerprint, face) to authenticate you. There is no password to remember, type, or steal.
- How they work: When you set up a passkey, your device creates a pair of cryptographic keys. The public key goes to the website; the private key stays on your device. To log in, the website sends a one-time challenge, you unlock the device with your fingerprint or face scan, and the device signs that challenge with the private key. The website checks the signature against the public key it stored. The private key itself never leaves your device.
- Why they are more secure: There is no password to phish, no password to reuse, and no password database for attackers to breach. Passkeys are resistant to phishing by design because they are bound to the specific website they were created for.
- Current status: Major services including Google, Apple, Microsoft, and many others now support passkeys. Adoption is growing but not yet universal. For now, use passkeys where available and strong passwords with MFA everywhere else.
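The "bound to the specific website" property is a concrete rule the browser enforces before it will use the key at all. The added example below (not from the original article and not a WebAuthn library) shows that origin check and the challenge round trip; real passkeys sign with an EC or Ed25519 private key, and an HMAC with a device-held secret stands in for that here so the code runs on the standard library alone. All names are hypothetical.

```python
# Added example: the origin-binding rule that makes a passkey unphishable.
# Not WebAuthn library code. HMAC over a device-held secret stands in for the
# real EC/Ed25519 signature so the block runs with the standard library only.
import hashlib
import hmac
import json
from urllib.parse import urlsplit


def origin_matches_rp_id(origin: str, rp_id: str) -> bool:
    """WebAuthn rule: origin must be https (localhost excepted) and its host
    must equal the relying-party ID or be a subdomain of it on a label boundary."""
    parts = urlsplit(origin)
    host = (parts.hostname or "").lower()
    rp = rp_id.lower().rstrip(".")
    if parts.scheme != "https" and host != "localhost":
        return False
    return host == rp or host.endswith("." + rp)


# Constructed credential as the device stores it after registration.
CRED = {"rp_id": "example.com", "key": b"\x5a" * 32}


def client_assert(cred: dict, page_origin: str, challenge: bytes):
    """Browser + authenticator side of navigator.credentials.get()."""
    if not origin_matches_rp_id(page_origin, cred["rp_id"]):
        return None            # a look-alike site gets nothing it could replay
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                              "origin": page_origin}, sort_keys=True).encode()
    sig = hmac.new(cred["key"], hashlib.sha256(client_data).digest(), "sha256").digest()
    return client_data, sig


def rp_verify(cred: dict, expected_origin: str, challenge: bytes, assertion) -> bool:
    """Relying-party side: origin, fresh challenge and signature must all check."""
    if assertion is None:
        return False
    client_data, sig = assertion
    data = json.loads(client_data)
    if data.get("type") != "webauthn.get" or data.get("origin") != expected_origin:
        return False
    if not hmac.compare_digest(bytes.fromhex(data["challenge"]), challenge):
        return False           # stale or replayed challenge
    expected = hmac.new(cred["key"], hashlib.sha256(client_data).digest(), "sha256").digest()
    return hmac.compare_digest(sig, expected)
```

A page at example.com.evil.test or examp1e.com never receives an assertion, so there is nothing for a phishing site to forward, and a captured assertion is useless later because the challenge no longer matches.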
Quick Reference: What to Do Today
- Install a password manager and start migrating your accounts to unique, generated passwords
- Enable MFA on your email account immediately (this is the most critical account to protect)
- Enable MFA on all financial, cloud, and work accounts
- Check haveibeenpwned.com and change any compromised passwords
- Set up passkeys on services that support them
- Share this guide with your team
Train your team on password security
We provide cybersecurity awareness training that covers passwords, phishing, and practical security habits for your entire staff.