What is the Industry Standard for Passwords?

As you can imagine, passwords are always a hot topic of discussion both in and out of computer security circles. IT Master Services understands that users have always hated being forced to come up with schemes to meet complexity rules or to change their password at defined intervals. The multitude of password requirements of the past have frustrated users and led to bad habits, which time after time have resulted in compromised passwords and data breaches.

We summarize the most important parts of NIST's password advice below. It ranges from obvious rules such as uniqueness requirements through to password complexity requirements, and it is a solid basis on which to build a password security policy.

What is the Industry Standard for Password Policy?

- Minimum password length is 8 characters.
- Password must meet complexity requirements. A password should contain all of the following character types:
  - a lower case letter (a b c d ...)
  - an upper case letter (A B C D ...)
  - a number (0 1 2 3 4 5 6 7 8 9)
  - a special character (= + * $ ? ) ( ! , . @)
- Do not use password hints.
- Randomly generate your passwords. A randomly generated password is unlikely to be in a password dictionary and will be difficult to guess. You have plenty of options for randomly generating a password, think org or even Norton's website.
- Use two-factor authentication (2FA) whenever you can. There is an almost unlimited number of ways in which passwords can be hacked, but with 2FA, even if a password is hacked, a hacker cannot enter the account without the second authentication factor. This could be biometric data, a key fob or something like Google's Authenticator.

Here are some examples of good and bad passwords

Some examples of good complex passwords, which will meet the password complexity requirements of even the most stringent security policies:

iLT@#121
GKrupos#24!
GFysdh%1&

Some examples of passwords you should NOT use:

Password12
ILikeTurtles77
KickRocks22
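The policy above, turned into a checker and a generator as an added example (this is not code from IT Master Services). It applies the listed rules: minimum length 8, all four character classes, a dictionary check, and random generation from a CSPRNG; the blocklist is a constructed stand-in for a real password dictionary, and any ASCII punctuation is accepted as a special character since the page's list is illustrative.

```python
import secrets
import string

# Character classes required by the policy described above. The page's list of
# special characters is illustrative, so any ASCII punctuation counts here.
LOWER, UPPER, DIGITS, SPECIAL = (string.ascii_lowercase, string.ascii_uppercase,
                                 string.digits, string.punctuation)
MIN_LENGTH = 8

# Constructed sample blocklist standing in for a real password dictionary.
BLOCKLIST = {"password", "password12", "iliketurtles77", "kickrocks22"}


def check_password(pw: str, blocklist=BLOCKLIST) -> list[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for name, chars in (("lowercase letter", LOWER), ("uppercase letter", UPPER),
                        ("digit", DIGITS), ("special character", SPECIAL)):
        if not any(c in chars for c in pw):
            problems.append(f"missing a {name}")
    # Dictionary check is case-insensitive: "Password12" and "password12" are the same guess.
    if pw.lower() in blocklist:
        problems.append("found in the password dictionary")
    return problems


def generate_password(length: int = 12) -> str:
    """Randomly generate a password that satisfies check_password()."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    # Draw one character from each required class so every class is present,
    # then fill the remainder from the full alphabet and shuffle with a CSPRNG.
    classes = (LOWER, UPPER, DIGITS, SPECIAL)
    chars = [secrets.choice(c) for c in classes]
    alphabet = "".join(classes)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


if __name__ == "__main__":
    for pw in ("iLT@#121", "GKrupos#24!", "Password12", "ILikeTurtles77"):
        print(pw, "->", check_password(pw) or "OK")
    print("generated:", generate_password())
```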