
Ask HN: What are some guidelines for good passwords - ferros
I'm looking to establish some password guidelines for my organization.

Trying to find the balance between secure enough, and not so strict that the guidelines are prohibitive and lead to abandonment.

Is there a sweet spot?
======
bradknowles
Generally speaking, my advice is simply don’t use passwords at all. Use other
methods that allow you to avoid them.

Any password that is chosen and easy enough to remember by a human being is
one that is weak enough to be easily cracked, perhaps by well-known methods,
or perhaps by more recent ones.

Let computers do what they do reasonably well, and don’t try to make humans do
that job.

Specifically, one key is to use hardware tokens that have been tested and
proven to be reasonably robust. You have to tie them into your authentication
system, but hopefully that’s not too hard.

What about biometrics?

Well, don’t use biometrics as a password, because your finger or your eyeball
can get taken from you, and you wouldn’t like the after effects. More
importantly, if the biometrics for your finger or eyeball become compromised,
then how do you change them? All of my fingerprints were compromised in the
OPM data breach, because I worked for the DoD, and OPM was where all that
information was stored. I’m sure there have been other major breaches of
biometric data.

Biometrics, if you’re going to use them at all, are best used as the
equivalent of a username. They identify who you claim to be, but they
explicitly do not authenticate you. You may have my fingerprints, but my
username is already pretty well known, and so having my fingerprints would be
unlikely to help you there.

What else?

After all that, if you still have to use passwords, then try to use them as
the final layer of security on top of all of the above. Don’t be dependent on
them for your only security.

And where possible, use a good password manager program to remember and
generate all of them for you, so that you minimize the human weakness of that
part of the chain.

------
ecesena
This is a good summary of the NIST recommendations [1, Sec 5.1] found in [2].

Dropbox released a library [3] that's easy enough to configure to add your own
black list (e.g., your company name, your public wifi password, etc.)

Finally, my recommendation is to enforce the same password between laptop and web
tools, and use SSO wherever possible.

Password requirements:

- 8-char minimum and 64-char maximum length

- The ability to use all special characters but no special requirement to use
them

- Restrict sequential and repetitive characters (e.g. 12345 or aaaaaa)

- Restrict context specific passwords (e.g. the name of the site, etc.)

- Restrict commonly used passwords (e.g. p@ssw0rd, etc.)

- Restrict passwords obtained from previous breach corpuses

[1]
[https://pages.nist.gov/800-63-3/sp800-63b.html](https://pages.nist.gov/800-63-3/sp800-63b.html)

[2] [https://spycloud.com/new-nist-guidelines/](https://spycloud.com/new-nist-guidelines/)

[3] [https://github.com/dropbox/zxcvbn](https://github.com/dropbox/zxcvbn)
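The requirements listed in the comment above map directly onto a server-side acceptance check. The following Python validator is an added example written for this thread; it is not code from the commenter, from NIST, or from the Dropbox zxcvbn project. It enforces the 8/64 length bounds, rejects sequential and repeated runs, context-specific words, a common-password list and a breach corpus, and deliberately imposes no composition rule (uppercase/digit/symbol), matching the "no special requirement to use them" point. The deny lists, the context words (`examplecorp`, `acme`) and the breached entries are small constructed samples; a real deployment would load the organisation's own words and a full breach corpus such as a Pwned Passwords hash list.

```python
"""Password acceptance checks modelled on NIST SP 800-63B section 5.1.1.2.

Added example for the thread above, not code from the original post, NIST,
or zxcvbn. All deny lists below are constructed samples for illustration.
"""
import hashlib
import re

MIN_LEN = 8
MAX_LEN = 64

# Constructed sample of commonly used passwords; production would use a large list.
COMMON_PASSWORDS = {"password", "p@ssw0rd", "123456", "qwerty", "letmein"}

# Constructed sample breach corpus, stored as SHA-1 hashes (here the hashes of
# "summer2019" and "welcome1") so the clear-text list never sits on the server.
BREACHED_SHA1 = {
    hashlib.sha1(b"summer2019").hexdigest(),
    hashlib.sha1(b"welcome1").hexdigest(),
}

# Assumed organisation-specific words (site name, company name, etc.).
CONTEXT_WORDS = {"examplecorp", "acme"}


def has_sequential_run(pw, run=4):
    """True if pw contains `run` consecutive ascending or descending
    characters, e.g. '1234', 'abcd' or 'dcba'. Case-insensitive."""
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - run + 1):
        diffs = {codes[j + 1] - codes[j] for j in range(i, i + run - 1)}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def has_repeated_run(pw, run=4):
    """True if any single character repeats `run` or more times in a row."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def check_password(pw, username=""):
    """Return the list of reasons the password is rejected.

    An empty list means the password is acceptable. Note that no
    composition rule is applied: any printable character is allowed and
    none is required, in line with NIST SP 800-63B.
    """
    reasons = []
    if len(pw) < MIN_LEN:
        reasons.append("too short")
    if len(pw) > MAX_LEN:
        reasons.append("too long")
    low = pw.lower()
    if low in COMMON_PASSWORDS:
        reasons.append("commonly used password")
    if hashlib.sha1(pw.encode("utf-8")).hexdigest() in BREACHED_SHA1:
        reasons.append("found in breach corpus")
    if username and username.lower() in low:
        reasons.append("contains username")
    if any(word in low for word in CONTEXT_WORDS):
        reasons.append("contains context-specific word")
    if has_sequential_run(pw):
        reasons.append("sequential characters")
    if has_repeated_run(pw):
        reasons.append("repeated characters")
    return reasons


if __name__ == "__main__":
    for candidate in ["correct horse battery staple", "p@ssw0rd",
                      "acme12345!!", "summer2019"]:
        verdict = check_password(candidate) or ["ok"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

The breach check hashes the candidate and looks it up in a hash set rather than comparing against clear-text entries, which is how a locally mirrored breach corpus is usually kept; the run detectors use a threshold of four so that the comment's own examples (12345, aaaaaa) are caught without rejecting ordinary doubled letters.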

------
vladojsem
1.) Create a long password - it can even be a short sentence, which is also easier to
remember.

2.) Add at least one uppercase letter, one lowercase letter, a number and a special
character.

3.) Do not use any personal information or something that is easy to guess.

4.) Don't reuse passwords - use a unique password for each account.

