Password guidance has evolved significantly. The old rules of complex passwords changed every 90 days have been replaced with more practical, security-focused approaches.
Current Best Practices
- Length over complexity: A 16+ character passphrase is more secure than an 8-character complex password
- Unique passwords for every account: Never reuse passwords across sites
- Use a password manager: Tools like 1Password, Bitwarden, or LastPass make this manageable
- Enable MFA everywhere: Passwords alone are not enough
- Don't change passwords arbitrarily: Change only when there's a reason (breach, suspected compromise)
Creating Strong Passphrases
A passphrase uses multiple random words, making it both secure and memorable:
- Use 4+ random, unrelated words
- Add numbers or symbols between words if a site requires them
- Example: "correct-horse-battery-staple" (but don't use this one!)
- Avoid common phrases, song lyrics, or quotes
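The recipe above as an added worked example (not code from the original article): a small generator that draws words with a CSPRNG, inserts a digit between words only when asked, and reports the entropy so the result can be compared with a conventional password. The 32-word list is a constructed sample standing in for a real published wordlist.

```python
import math
import secrets

# Constructed sample wordlist (32 unique words). A real generator should use a
# large published list such as the EFF long wordlist (7776 words), which gives
# about 12.9 bits of entropy per word; this small list gives exactly 5 bits.
SAMPLE_WORDS = [
    "anchor", "basil", "canyon", "dune", "ember", "falcon", "glacier", "harbor",
    "ivory", "juniper", "kayak", "lantern", "meadow", "nebula", "orchid", "pebble",
    "quartz", "ridge", "saffron", "timber", "umbra", "velvet", "walnut", "yonder",
    "zephyr", "cobalt", "delta", "fjord", "granite", "hollow", "island", "jasper",
]


def passphrase_entropy_bits(wordlist_size: int, word_count: int) -> float:
    """Entropy of word_count words drawn uniformly (with replacement) from
    a list of wordlist_size unique words: word_count * log2(wordlist_size)."""
    return word_count * math.log2(wordlist_size)


def words_needed(wordlist_size: int, target_bits: float) -> int:
    """Smallest number of words from this list that reaches target_bits."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_passphrase(words, word_count=4, separator="-", add_digit=False):
    """Build a passphrase of word_count random words joined by separator.

    Uses the secrets module (OS CSPRNG), never random.choice, which is
    predictable. If add_digit is set, one random digit is inserted between
    two of the words, for sites that insist on a number.
    """
    if word_count < 4:
        raise ValueError("use at least 4 words")
    if len(set(words)) != len(words):
        raise ValueError("duplicate words shrink the effective wordlist")
    parts = [secrets.choice(words) for _ in range(word_count)]
    if add_digit:
        # Position 1..word_count-1 keeps the digit between words, not at an end.
        position = 1 + secrets.randbelow(word_count - 1)
        parts.insert(position, str(secrets.randbelow(10)))
    return separator.join(parts)


if __name__ == "__main__":
    phrase = generate_passphrase(SAMPLE_WORDS, word_count=5, add_digit=True)
    print(phrase)
    print(f"{passphrase_entropy_bits(len(SAMPLE_WORDS), 5):.1f} bits from this sample list")
    print(f"{words_needed(7776, 77):d} EFF words needed for ~77 bits")
```

With the real 7776-word list, four words give about 51.7 bits, so reaching 77 bits takes six words; the sample list here is far too small for real use and only illustrates the arithmetic.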
Password Manager Benefits
- Generate truly random, unique passwords for every site
- Auto-fill credentials securely
- Identify weak or reused passwords
- Alert you if passwords appear in data breaches
- Securely share passwords with team members when needed
Multi-Factor Authentication (MFA)
MFA adds a second verification step, dramatically reducing account compromise risk:
- Best: Hardware security keys (YubiKey, etc.)
- Good: Authenticator apps (Microsoft Authenticator, Google Authenticator)
- Acceptable: SMS codes (better than nothing, but vulnerable to SIM swapping)
Need Help With Your IT?
Our team of experts is ready to help you implement the strategies discussed in this article. Whether you need cybersecurity assessments, cloud migration support, or managed IT services, we're here to help.