
Strong Passwords

Strong passwords are more difficult to guess using Brute Force and Dictionary Attacks.

Strong passwords are not just for users. Admins and developers need strong passwords most of all. Administrative accounts are far more valuable than user accounts. They have elevated privileges and access to more hardware, software, and information resources.

A strong password is long.

A longer password exponentially increases the search key space and is the single biggest factor in resistance to Brute Force and Dictionary Attacks. Per NIST SP 800-63B (Rev. 4):

  • When a password is the only authenticator, require a minimum of 15 characters.
  • When a password is part of multi-factor authentication, require a minimum of 8 characters.
  • Allow passwords up to at least 64 characters and accept all printable ASCII and Unicode characters (including spaces) so that users can use long passphrases and password manager output.

Do not impose composition rules.

It is tempting to require a mix of uppercase, lowercase, digits, and symbols. NIST SP 800-63B Rev. 4 explicitly forbids this: verifiers “SHALL NOT impose other composition rules (e.g., requiring mixtures of different character types) for passwords.” Composition rules push users toward predictable patterns (e.g. Password1!) and provide far less security than additional length.

Instead, screen submitted passwords against a blocklist of compromised or commonly used passwords (for example, the Pwned Passwords k-anonymity API, which lets the client check a password without sending the password or its full hash), and reject matches.
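As an added example (not code from this page), a password-acceptance check in Python that applies the rules above: the 15/8-character minimums, a generous upper bound, no composition rules, and a blocklist lookup using the k-anonymity scheme over a constructed, embedded stand-in for the range response. The breach counts and the MAX_LEN of 128 are assumptions.

```python
import hashlib
import unicodedata

MIN_LEN_SINGLE_FACTOR = 15   # NIST SP 800-63B Rev. 4: password as sole authenticator
MIN_LEN_MFA = 8              # NIST SP 800-63B Rev. 4: password as one MFA factor
MAX_LEN = 128                # must be >= 64; 128 is an assumed local choice


def _constructed_range(entries):
    """Build a stand-in for Pwned Passwords range responses: for each
    5-hex-char SHA-1 prefix, the hash suffixes seen in breaches with counts."""
    table = {}
    for pw, count in entries.items():
        h = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        table.setdefault(h[:5], {})[h[5:]] = count
    return table

# Constructed breach corpus with made-up counts; a real deployment would query
# https://api.pwnedpasswords.com/range/<prefix> and parse the returned suffixes.
CONSTRUCTED_RANGE = _constructed_range({"password": 10_000_000, "Password1!": 50_000})


def k_anonymity_lookup(password, range_source=CONSTRUCTED_RANGE):
    """Return how often `password` appears in the corpus. Only the first five
    hex characters of its SHA-1 are used as the lookup key, so a remote
    service never learns the full hash; the suffix match happens locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return range_source.get(prefix, {}).get(suffix, 0)


def check_password(password, multi_factor=False, range_source=CONSTRUCTED_RANGE):
    """Return a list of rejection reasons; an empty list means acceptable.
    Deliberately enforces no composition rules, per NIST SP 800-63B Rev. 4."""
    # Normalise so the same visible passphrase yields the same bytes regardless
    # of how the client composed it (e.g. precomposed vs. combining accents).
    pw = unicodedata.normalize("NFKC", password)
    reasons = []
    minimum = MIN_LEN_MFA if multi_factor else MIN_LEN_SINGLE_FACTOR
    if len(pw) < minimum:                  # length counted in code points
        reasons.append(f"shorter than {minimum} characters")
    if len(pw) > MAX_LEN:
        reasons.append(f"longer than {MAX_LEN} characters")
    if any(unicodedata.category(c).startswith("C") for c in pw):
        reasons.append("contains control characters")  # printable only; spaces are fine
    count = k_anonymity_lookup(pw, range_source)
    if count:
        reasons.append(f"found {count} times in breach corpus")
    return reasons
```

Note that a lowercase-only passphrase such as "correct horse battery staple" passes, while "Password1!" would satisfy typical composition rules yet is rejected for both length and breach exposure.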

A strong password avoids common weaknesses.

Avoid dictionary words. Dictionary words make passwords too easy for Dictionary Attacks to guess.

Avoid patterns such as keyboard, letter, or number sequences. For example, “qwerty”, “abcde”, or “1234567890”.

Avoid using any personal information which could be known by friends or discovered through research. This includes information related to family, pets, college, hobbies, or sports teams.

A strong password is random.

It is more secure to pick a random sequence of characters. Computers are far better at generating truly random strings than humans. The most durable option is to use a password manager’s built-in generator — CISA recommends this approach explicitly, and notes that most modern web browsers also ship with a built-in password manager that can generate strong, unique passwords. For ad-hoc use, the command line also works: for example, openssl rand -base64 32 prints a fresh 32-byte random value as a base64 string. Prefer these over third-party “password generator” web sites, whose hosting and provenance can change without notice.

A strong password is unique.

Do not re-use passwords. Having many internal systems which all use the same password allows an attacker who has gained access to one set of credentials to move around freely within a network.

Passwords used for internal systems should never be re-used on other sites or services. The security of those services is not under your control, and breaches of third-party sites are one of the primary ways in which credentials are obtained.

Password Managers

Long, random, unique passwords are often avoided because they are difficult to remember. Passwords can be stored in a password manager so that they do not need to be remembered.

Requiring Password Updates

Older policies required users to change their password on a regular schedule (every 60 or 90 days). Current guidance is the opposite: NIST SP 800-63B Rev. 4 states verifiers “SHALL NOT require subscribers to change passwords periodically.” Routine rotation pushes users toward weaker, easier-to-remember choices and predictable mutations of the previous password. Force a change only when there is evidence the password has been compromised — for example, it appears in a known breach corpus or the account shows suspicious activity.