I’ve written about what I consider the best current password advice for websites and services you need to keep secure. In a nutshell, here’s the advice again:
- Use multi-factor authentication (MFA).
- Where MFA is not an option, use password managers, creating unique, long-as-possible, random passwords for each website or security domain.
- Where password managers aren’t possible, use long, simple passphrases.
- In all cases, don’t use common passwords (e.g., “password” or “qwerty”) and never reuse any password between different sites.
This advice might appear to conflict with my simultaneous support of the NIST Special Publication 800-63 Digital Identity Guidelines. NIST SP 800-63 recommends non-password authentication where possible, and although it is firmly against forcing users to pick very long or complex passwords (no composition rules, no mandatory periodic changes), it does not cap the length or complexity a user may choose: verifiers are expected to accept passwords of at least 64 characters, including spaces, and to reject passwords that appear on lists of commonly used or breached values.
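To make the two positions concrete, here is an added example (my own illustration, not code from the post or from NIST) of a verifier-side password check written the way SP 800-63B describes, alongside the kind of random password and passphrase a password manager would generate. The 8-character minimum and 64-character floor on the maximum come from SP 800-63B; the tiny blocklist and wordlist are constructed stand-ins for a real breached-password corpus and a real diceware list.

```python
import math
import secrets
import string
from typing import List, Sequence

# Constructed stand-in for a common/breached-password blocklist.
# A real deployment would load a full corpus (e.g. Have I Been Pwned).
COMMON_PASSWORDS = frozenset({
    "password", "qwerty", "123456", "letmein", "iloveyou",
    "password1", "welcome", "admin",
})

MIN_LENGTH = 8    # SP 800-63B: at least 8 characters for user-chosen secrets
MAX_LENGTH = 64   # SP 800-63B: verifiers must accept at least 64 characters

# Full printable ASCII set a password manager would typically draw from.
MANAGER_ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed mini wordlist; a real diceware list has 7776 words (~12.9 bits each).
SAMPLE_WORDLIST = ("correct", "horse", "battery", "staple", "lantern",
                   "orbit", "copper", "meadow")


def check_password(candidate: str) -> List[str]:
    """Return the reasons a password is rejected; an empty list means accepted.

    Deliberately enforces NO composition rules (no required upper case,
    digits or symbols) and allows spaces, so long simple passphrases pass.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(candidate) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    # Lower-case and strip before the blocklist lookup so trivial
    # variants such as "Password " are still caught.
    normalised = candidate.strip().lower()
    if normalised in COMMON_PASSWORDS:
        problems.append("appears in the common-password blocklist")
    if normalised and len(set(normalised)) == 1:
        problems.append("single repeated character")
    return problems


def generate_password(length: int = 20, alphabet: str = MANAGER_ALPHABET) -> str:
    """Password-manager style: uniformly random characters from a CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(wordlist: Sequence[str], words: int = 5,
                        separator: str = " ") -> str:
    """Memorable alternative: random words joined by a separator."""
    return separator.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random secret: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for pw in ("password", "Password ", "correct horse battery staple",
               generate_password(), generate_passphrase(SAMPLE_WORDLIST)):
        verdict = check_password(pw) or ["accepted"]
        print(f"{pw!r}: {', '.join(verdict)}")
    print(f"20 random chars from {len(MANAGER_ALPHABET)} symbols: "
          f"{entropy_bits(len(MANAGER_ALPHABET), 20):.1f} bits")
```

The point of the split is that the verifier stays permissive about form (length and character choice are the user's, up to a generous cap) while still refusing known-bad values, which is exactly what lets a random 20-character manager password and a plain-word passphrase both pass the same check. With a real 7776-word list, five words give roughly 64 bits of entropy; with the 94-character alphabet above, 20 random characters give about 131 bits.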