Blog articles

New normal: Today's best practices for passwords

By Richard Harpur

Password best practices have changed over the last decade, yet many companies and users alike have been stuck using outdated guidelines. 

Here are the latest password best practices for organizations today:

  1. Use standalone or integrated password testing tools to check password quality, instead of relying on complex alphanumeric and symbol characters.
  2. Allow password length to be at least 64 characters long, rather than limiting length to 8-10 characters.
  3. Stop forcing regular password changes, as most users only alter existing passwords incrementally, which makes for a weak password.
  4. Forget using hint questions for password recovery since social media and a lack of data privacy help hackers easily find the answers.
  5. Encourage the use of password managers, and allow copy & paste in the data entry fields.
  6. Turn on multi-factor authentication (MFA) to add another layer of protection by confirming logins (55% of respondents don’t even use two-factor authentication at work).


Additionally, individual users should be using the following password best practices:


  1. Never give away login credentials, not even to someone in the IT department (69% of respondents share their passwords with their colleagues).
  2. Stop using the same password for various accounts (51% reuse passwords across both their business and their personal accounts).
  3. Create passwords that are at least 16-characters long.
  4. Use a phrase rather than a single word, and add symbols throughout.
  5. Don’t use any personal information, such as a birthday, pet name, maiden name, etc.
  6. Store all passwords in a password manager.

Outdated Password Best Practices

Some outdated password “best” practices are well known, but are they still the best? Over the past few decades, most companies have implemented what they consider to be fundamental password criteria. 

These generally include:

  • Ensuring complex passwords are composed of alphabetic (uppercase and lowercase) and numeric characters in addition to special symbols and similar characters

  • Forcing users to change passwords regularly

  • Requiring new passwords not previously used by the user

These guidelines are so widely accepted that we see them specified in the Payment Card Industry Data Security Standard (PCI DSS). But, as with all mature technology policies, it’s important to stand back from time to time and evaluate if they still make sense in our evolving environment. We’re due to unlearn some of the password best practices we have become accustomed to for decades, and apply a new normal to password management practices. 

The fact is, 57% of people have not changed their outdated password behaviors to help them avoid a phishing attack. Part of the reason is because people are tired of spending 10.9 hours per year entering and/or resetting passwords. Therefore, if password practices don’t change, companies and people are increasing their risks for a computer security breach. 



Updated Password Best Practices

The National Institute for Standards and Technology (NIST) has published a revised set of Digital Identity Guidelines which outlines what is considered password best practices for today. We won’t cover all four volumes of the NIST publication, but I strongly recommend you review them. 

Some of the specific topics that are covered include:

Let’s have a look at some of the most commonly implemented password best practices when it comes to security, and compare them with the latest recommendations.

      Variation of Alphanumeric Characters

It seems like we’ve forever been forced to pick passwords which contain a variation of numbers, upper- and lowercase letters, and special characters to make a password complex. However, NIST has stated this doesn’t lead to stronger passwords and the practice should be replaced by more dynamic support for password selection.

NIST recommends that organizations support users in selecting better passwords by checking chosen passwords against known weak passwords and leaked breach data. If you can’t perform in-line password checks as users generate or change their passwords, then be sure to provide very regular password strength checking. The availability of tools such as HashCat and similar password testing tools makes a quality check for password selection fairly easy. 

We can also see that some vendors are integrating such functionality into their products. Microsoft, for instance, has added a “Risky Login” flag for users who log in to their Azure Active Directory using leaked credentials. Look for new functionality in your user account management system, as some other vendors are starting to integrate this functionality.


8-10 Characters Long

We’ve all come across examples where your password could be no shorter or longer than 8-10 characters. This can be seen in some of the larger organizations globally, no doubt because of restrictions with legacy systems. 

It’s time to drop forced composition rules in favor of longer passwords. NIST is clear in its recommendations for password length. It suggests that passwords of at least 64 characters should be allowed. Lengthier phrases trump shorter gibberish passwords when it comes to security, and can also be easier to remember. Most of us would have an easier time remembering something like RetailTherapyBut!mBroke for our favorite shopping site, compared to something like a@d!lz98pL.

Forced Regular Password Changes

NIST has deprecated the widely-adopted practice of regularly changing your password, in case hackers have information without your knowledge. The argument against this practice lies with the human trait to select a password sequence or pattern to ease the workload of remembering passwords. So, what a user tends to do is add a number or other incremental character at the end of their current password each time they are forced to change it. This makes for a weak password.



Password Hints

A popular trend to recover forgotten passwords is allowing users to reset passwords if they successfully answer a hint question, like the make of their first car or their favorite teacher. The quality of hint questions can often leave a lot to be desired. Poor levels of entropy combined with all the personal data now shared on social media weakens the use of password hints.

NIST advises us to stop using hint questions as a means to help users recover account access. A more advanced form of password security is multi-factor authentication. Apple uses it and many other organizations offer it as well. This non-password based method used to log into systems allows the identification of someone based on their face, retina, hand or fingerprints, heartbeats, voices, location, time, and digital certificate, USB hardware token, and more. The added layers of protection lower the risk of hacking.

No Cut & Paste

Bizarrely, some sites currently prevent users from pasting their passwords into form fields, thereby breaking the automated use of password managers. 

The use of password managers should be encouraged and supported by ensuring users can paste into password data entry fields. Password managers (also called password vaults), generate, synchronize, back up, and store passwords across multiple software and devices. This is all done in an encrypted form for powerful added security.

Some password manager options include:


As Security magazine reported, 80% of hacking-related breaches are tied to stolen or reused credentials, so securing employee access has never been more important.

Are you and your business practicing these updated password best practices? If not, we at Pluralsight encourage you to do so, for security’s sake.

About the author

Richard Harpur is a highly experienced technology leader with a remarkable career ranging from software development, project management through to C-level roles as CEO, CIO, and CISO. Richard is highly rated and ranked in Ireland's top 100 CIOs. As an author for Pluralsight - a leader in online training for technology professionals - Richard's courses are highly-rated in the Pluralsight library and focus on teaching critical skills in cybersecurity including ISO27001 and Ransomware. As a Certified Information Security Manager (CISM) Richard is ideally positioned and passionate about sharing his extensive knowledge and experience to empower others to be successful. Richard also writes extensively on technology and security leadership and regularly speaks at conferences. When he is not writing for his blog Richard enjoys hiking with his wife and 4 children in County Kerry, the tourist capital of Ireland. You can reach Richard on twitter @rharpur.