Nearly every website or service out there requires you to come up with a password and sign up for an account to access content. You may be tempted to rush the sign up process using passwords that are easy to remember and easy to type; you might even have a common password you use across multiple websites. This is highly discouraged.
In this article, we’ll take a look at some of the best practices for password security to ensure your accounts remain YOUR accounts.
Password Rules
- In general, a password should be at least 8 characters long. Of course, the longer the better. The more characters a hacker has to crunch, the harder it is to guess.
- A password should contain characters from at least 2 different character classes (upper-case letters, lower-case letters, numbers, symbols, etc.).
- Ideally you should try your best to include characters from each character class.
Suggestions for Creating Effective Strong Passwords
- Remove all the vowels from a short phrase in order to create a “word.” Example: llctsrgry (“All cats are gray”)
- Use an acronym: choose the first or second letter of each word of your favorite quotation. Example: itsotfitd (“It’s the size of the fight in the dog”)
- Mix letters and non-letters in your passwords. (Non-letters include numbers and all punctuation characters on the keyboard.)
- Transform a phrase by using numbers or punctuation. Examples: Idh82go (I’d hate to go), UR1drful (you are wonderful).
- Avoid choosing a password that spells a word. But, if you must, then:
  - Introduce “silent” characters into the word. Example: va7ni9lla
  - Deliberately misspell the word or phrase. Example: choklutt
  - Choose a word that is not composed of smaller words.
- Add random capitalization to your passwords. Capitalize any letter but the first.
- Use long word-and-number combinations. For example, take four words and put some numbers between them: stiff3open92research12closer
- Use an acronym for your favorite saying, or a song you like. Example: GykoR-66 (Get your kicks on Route 66) or L!isn! (Live! It’s Saturday Night!).
- Use an easily pronounced nonsense word with some non-letters inside. Example: slaRoo@Bey or klobinga-dezmin.
- Change your password at least once a year. Better yet, change your password every few months to shrink your exposure window. You can make three or four passwords if you like, then switch between them throughout the year.
- Don’t use the same password on multiple accounts. When one site is compromised, hackers try to use those passwords to access accounts on other sites. Don’t let one break-in give hackers access to all your accounts.
Passphrases
Use a passphrase instead of a password. A passphrase is just a sentence, including spaces, that you use instead of a single password. These phrases should be at least 15 characters in length (spaces count as characters); the longer the phrase, the better. Even if a phrase looks simple, the increased length provides so many possible permutations that a standard password-cracking program will not be effective. Even when using a passphrase, it is still a good idea to throw in elements of nonsense or randomness.
Your passphrase should never contain information that could identify you personally, such as Social Security numbers, phone numbers, credit card numbers, birth dates, usernames, email addresses, etc… Instead, use a phrase that has enough meaning to you that you’ll remember it easily – then mix it up.
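The checks below turn the rules from the Password Rules section (at least 8 characters, at least 2 character classes) and from this Passphrases section (at least 15 characters with spaces counted, no personal identifiers) into code, and estimate the brute-force search space to show why a long lower-case passphrase beats a short mixed-class password. This is an added example written for this article, not code from the original page; the class names, the thresholds as constants and the sample inputs are assumptions taken from the text above.

```python
import math
import string

# Character classes as the article lists them: upper, lower, numbers, symbols.
CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}

MIN_PASSWORD_LEN = 8     # "at least 8 characters long"
MIN_CLASSES = 2          # "at least 2 different character classes"
MIN_PASSPHRASE_LEN = 15  # "at least 15 characters ... spaces count as characters"


def character_classes(secret: str) -> set:
    """Return the names of the character classes present in `secret`."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in secret)}


def check_password(secret: str) -> list:
    """Return the list of Password Rules violated (empty list means it passes)."""
    problems = []
    if len(secret) < MIN_PASSWORD_LEN:
        problems.append(f"shorter than {MIN_PASSWORD_LEN} characters")
    if len(character_classes(secret)) < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character classes")
    return problems


def check_passphrase(secret: str, personal_info=()) -> list:
    """Passphrase rules: length >= 15 including spaces, and none of the caller's
    personal identifiers (username, birth date, phone number, ...) inside it."""
    problems = []
    if len(secret) < MIN_PASSPHRASE_LEN:
        problems.append(f"shorter than {MIN_PASSPHRASE_LEN} characters")
    lowered = secret.lower()
    for item in personal_info:
        if item and item.lower() in lowered:
            problems.append(f"contains personal information: {item!r}")
    return problems


def search_space_bits(secret: str) -> float:
    """Estimate log2 of the number of candidates an exhaustive search would have
    to try: every position is assumed to be drawn from the union of the classes
    actually present (plus the space character if one is used). This is an
    upper bound; a dictionary attack on a guessable phrase needs far fewer tries,
    which is why the article still recommends mixing in some nonsense."""
    alphabet = sum(len(CLASSES[name]) for name in character_classes(secret))
    if " " in secret:
        alphabet += 1
    if alphabet == 0:
        return 0.0
    return len(secret) * math.log2(alphabet)


if __name__ == "__main__":
    # Constructed sample inputs, taken from the article's own examples.
    for candidate in ["Idh82go", "llctsrgry", "stiff3open92research12closer"]:
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
    print(check_passphrase("jdoe loves pizza 1990", ["jdoe", "1990"]))
    print(f"8-char, 4 classes : {search_space_bits('Aa1!Aa1!'):.1f} bits")
    print(f"17-char lower+space: {search_space_bits('all cats are gray'):.1f} bits")
```

Running the script shows that the 7-character `Idh82go` fails only on length, `llctsrgry` fails only on character classes, and the 17-character lower-case phrase has a larger search space (about 81 bits) than an 8-character password drawn from all four classes (about 52 bits).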
Password Managers
Because of the sheer number of passwords that you need to keep track of today, it will be tempting to use the same password for everything. To keep your accounts secure, consider using a password manager that will keep track of these complex passwords for you. That way you only have to remember a single Master Password to gain access to every password. Of course, this may sound like less security. You may ask: “If a hacker gets my master password, they have all of my passwords right?”
Yes, if the master password is compromised it is possible that all of the passwords could become compromised. However, there are some steps to take to mitigate this risk:
- Use a VERY strong password for the master password. (See “Suggestions for Creating Effective Strong Passwords” above).
- Change the master password regularly; how regularly is up to you, though a general guideline is every 6 months.
- If available, enable Two-Factor Authentication on the password manager application. This ensures that a breach of the master password alone cannot give a hacker access to the entire password list.
- Don’t use the master password anywhere else (another website or service). Ensure it is unique to the password manager only.
Password Manager Options
- LastPass – browser-based password manager; has extensions for all of the major web browsers; stores passwords in your LastPass account and syncs across browsers.
- 1Password – browser-based password manager; basic personal plan @ $2.99/month
- Dashlane – Password manager with browser, desktop, and mobile apps; basic personal plan is free but only stores up to 50 passwords.
- KeePass – open-source password manager; completely free; stores passwords in an offline file that is accessible only by the KeePass application. Can be synced to various devices.
- RoboForm – browser-based password manager.