  • Length over Complexity: NIST advises favouring long passwords, with a minimum of 8 characters for user-chosen passwords and at least 6 characters for passwords randomly generated by the system. Composition rules (forcing a mix of letters, numbers, and symbols) are not recommended; length and screening matter more than character classes.
  • Avoiding Common Words and Phrases: Passwords should not include easily guessable or context-specific information such as the user's name, the service name, dates, or simple patterns.
  • Screen New Passwords Against Commonly Used Choices: Organizations should check new passwords against lists of commonly used and previously compromised passwords so that users cannot pick easily guessed options.
  • Eliminate Periodic Resets: NIST and Microsoft suggest dropping routine password changes unless there is evidence of compromise. This reverses earlier advice, because forced frequent changes tend to produce weaker, predictable passwords.
  • Encourage Passphrases: Passphrases, which are longer and easier to remember than traditional passwords, are recommended for better security and usability.
  • Implement Multi-Factor Authentication (MFA): MFA adds an extra layer of security by requiring a second form of identification beyond the password.
  • User-Friendly Password Recovery: Password recovery should be straightforward and secure, avoiding security questions whose answers are easily researched.
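As an added example (not code from the original page or from NIST), here is a small Python password-acceptance check that applies the first three points above: a minimum length with no composition rules, rejection of context-specific values such as the username, and a blocklist screen. The blocklist is a constructed, deliberately tiny list kept as SHA-1 digests; in production you would use a large breach corpus or a k-anonymity lookup service. The run-length threshold of 4 for repetitive or sequential characters is an assumption for illustration. A helper for generating system passwords is included to show the separate 6-character floor for random secrets.

```python
import hashlib
import secrets
import string
import unicodedata

# Constructed sample blocklist. A real deployment loads a large breach corpus.
# Digests are stored so the plaintext list is not embedded in the application.
_SAMPLE_BLOCKLIST = ["password", "123456", "qwerty", "letmein", "iloveyou", "welcome1"]
BLOCKLIST_SHA1 = {hashlib.sha1(p.encode("utf-8")).hexdigest() for p in _SAMPLE_BLOCKLIST}

MIN_USER_LEN = 8        # user-chosen passwords
MIN_GENERATED_LEN = 6   # randomly generated passwords
MAX_LEN = 64            # accept long passphrases; no silent truncation
RUN_LEN = 4             # assumed threshold for "aaaa" / "abcd" style runs


def normalize(secret: str) -> str:
    """NFKC-normalize so visually identical Unicode forms compare equally."""
    return unicodedata.normalize("NFKC", secret)


def has_repetitive_or_sequential_run(s: str, run: int = RUN_LEN) -> bool:
    """True if any window of `run` characters is all-identical or strictly
    ascending by one code point (e.g. 'aaaa', '1234', 'abcd')."""
    for i in range(len(s) - run + 1):
        window = s[i:i + run]
        if len(set(window)) == 1:
            return True
        codes = [ord(c) for c in window]
        if all(codes[j + 1] - codes[j] == 1 for j in range(run - 1)):
            return True
    return False


def check_user_password(secret: str, context: tuple = ()) -> list:
    """Return a list of rejection reasons; an empty list means the password
    is acceptable. Deliberately imposes no composition rules."""
    reasons = []
    s = normalize(secret)

    # Length is counted in code points, not bytes, so non-ASCII users are not penalized.
    if len(s) < MIN_USER_LEN:
        reasons.append("too_short")
    if len(s) > MAX_LEN:
        reasons.append("too_long")

    # Blocklist screen: compare the digest so the candidate never touches the plaintext list.
    if hashlib.sha1(s.encode("utf-8")).hexdigest() in BLOCKLIST_SHA1:
        reasons.append("blocklisted")

    # Context-specific values (username, service name, etc.) supplied by the caller.
    lowered = s.lower()
    if any(word and word.lower() in lowered for word in context):
        reasons.append("context_specific")

    if has_repetitive_or_sequential_run(s):
        reasons.append("repetitive_or_sequential")

    return reasons


def generate_password(length: int = 12) -> str:
    """Randomly generated secret using a CSPRNG; enforces the 6-character floor."""
    if length < MIN_GENERATED_LEN:
        raise ValueError(f"generated passwords must be at least {MIN_GENERATED_LEN} characters")
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for candidate in ["password", "short", "aaaaaaaa", "correct horse battery staple"]:
        print(repr(candidate), "->", check_user_password(candidate) or "accepted")
    print("alice2024! with username alice ->",
          check_user_password("alice2024!", context=("alice",)))
    print("generated:", generate_password())
```

Note that the check returns every reason that applies rather than stopping at the first, so the user can be told exactly why a choice was rejected, and that the blocklist comparison happens after normalization so a decomposed Unicode spelling of a blocked word is still caught.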
