Password Security Best Practices for 2024

Published 2024-02-01 by TechNet Team

Password guidance has evolved significantly. The old rules of complex passwords changed every 90 days have been replaced with more practical, security-focused approaches.

Current Best Practices

• Length over complexity: A 16+ character passphrase is more secure than an 8-character complex password
• Unique passwords for every account: Never reuse passwords across sites
• Use a password manager: Tools like 1Password, Bitwarden, or LastPass make this manageable
• Enable MFA everywhere: Passwords alone are not enough
• Don't change passwords arbitrarily: Change only when there's a reason (breach, suspected compromise)

Creating Strong Passphrases

A passphrase uses multiple random words, making it both secure and memorable:

• Use 4+ random, unrelated words
• Add numbers or symbols between words if required
• Example: "correct-horse-battery-staple" (but don't use this one!)
• Avoid common phrases, song lyrics, or quotes

Password Manager Benefits

• Generate truly random, unique passwords for every site
• Auto-fill credentials securely
• Identify weak or reused passwords
• Alert you if passwords appear in data breaches
• Securely share passwords with team members when needed

Multi-Factor Authentication (MFA)

MFA adds a second verification step, dramatically reducing account compromise risk:

• Best: Hardware security keys (YubiKey, etc.)
• Good: Authenticator apps (Microsoft Authenticator, Google Authenticator)
• Acceptable: SMS codes (better than nothing, but vulnerable to SIM swapping)