Password Strength Best Practices
Good passwords should be at least 12 to 14 characters long where the system permits it. For security-critical systems, we recommend 16-character randomly generated passwords.
Passwords should be drawn from a character set that includes lowercase and uppercase letters, digits, and special characters, with every character in that set equally likely at every position. This does not mean that every password must contain all four classes; what matters for strength is that each position is chosen uniformly from the full set, which makes the space an attacker has to search as large as possible. Many applications nevertheless require at least one character from each class. A generator can meet that requirement by discarding and redrawing candidates that lack a class, which keeps the distribution uniform over the passwords the application accepts; at these lengths the entropy cost is a fraction of a bit.
Passwords should be generated at random whenever possible, using a cryptographically secure random number generator rather than a person's choice. We recommend our browser-based, fully auditable online password generator; it runs entirely in the browser and never sends the password over the network.
Using the same password on multiple systems should be avoided, because a breach of one system then exposes every other system that shares the password. In particular, each important system should have its own password.
Passwords should ideally not contain any element associated with the user: no relatives' names, no pet names, no birth dates, no social security numbers, no part of the user's address, no part of the user name, nothing that can be linked to information known about the user.
Passwords also should not be simple combinations of words, unless the words are selected at random from a large list. A passphrase of several randomly chosen words can be as strong as a random character string, because its strength comes from the random selection, not from the words themselves.
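The following generator is an added example written for this page, not code from SSH Communications Security's own password generator. It illustrates both the character-class guidance above (uniform draws from the full character set, with rejection sampling when an application demands one character from every class, and the exact entropy cost of that requirement computed by inclusion-exclusion) and the random-word passphrase point. The special-character subset and the sixteen-word list are constructed assumptions so that the code runs offline; a real passphrase list such as the EFF long list has 7776 words.

```python
import math
import secrets
import string
from itertools import combinations

# Character classes. The special-character subset is an assumption chosen to
# avoid characters that some sites reject; widen it if the target allows.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SPECIAL = "!#$%&*+-./:=?@^_~"
CLASSES = (LOWER, UPPER, DIGITS, SPECIAL)
ALPHABET = "".join(CLASSES)


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a string whose every position is uniform over the alphabet
    (or of a passphrase of `length` words drawn uniformly from `alphabet_size`
    words): length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def has_all_classes(password: str) -> bool:
    """True if the password contains at least one character of every class."""
    return all(any(c in cls for c in password) for cls in CLASSES)


def random_password(length: int = 16, require_all_classes: bool = False) -> str:
    """Draw every position uniformly from ALPHABET with the OS CSPRNG.

    When an application insists on one character from each class, comply by
    rejection sampling: redraw the whole password until it qualifies. Unlike
    forcing a class into fixed positions, this keeps the distribution uniform
    over the set of accepted passwords (see compliant_fraction for the cost).
    """
    if length < 12:
        raise ValueError("use at least 12 characters (16 for critical systems)")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not require_all_classes or has_all_classes(candidate):
            return candidate


def compliant_fraction(length: int, class_sizes) -> float:
    """Fraction of all length-character strings over an alphabet partitioned
    into classes of the given sizes that contain every class at least once,
    by inclusion-exclusion over the set of classes that are absent."""
    total = sum(class_sizes)
    fraction = 0.0
    for k in range(len(class_sizes) + 1):
        for absent in combinations(class_sizes, k):
            remaining = total - sum(absent)
            fraction += (-1) ** k * (remaining / total) ** length
    return fraction


def password_entropy_bits(length: int, require_all_classes: bool = False) -> float:
    """Entropy of random_password's output. Requiring every class shrinks the
    accepted set, so the entropy drops by -log2(compliant_fraction); the
    length >= 12 rule above keeps that fraction well away from zero."""
    bits = entropy_bits(length, len(ALPHABET))
    if require_all_classes:
        bits += math.log2(compliant_fraction(length, [len(c) for c in CLASSES]))
    return bits


# Constructed word list so the example runs offline. A real list such as the
# EFF long list has 7776 words, about 12.9 bits per randomly chosen word.
WORDS = ("anvil", "basket", "copper", "dune", "ember", "falcon", "glacier",
         "harbor", "ivory", "juniper", "kettle", "lantern", "marble", "nectar",
         "orchid", "pebble")


def random_passphrase(n_words: int = 6, words=WORDS, sep: str = "-") -> str:
    """Words chosen independently and uniformly from the list. The strength
    comes entirely from that random choice: n_words * log2(len(words)) bits,
    regardless of how ordinary the individual words are."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


if __name__ == "__main__":
    pw = random_password(16, require_all_classes=True)
    print(pw, f"{password_entropy_bits(16, True):.1f} bits")
    print(random_passphrase(6), f"{entropy_bits(6, len(WORDS)):.1f} bits (toy list)")
    print(f"6 words from a 7776-word list: {entropy_bits(6, 7776):.1f} bits")
```

Run it as a script to see one password and one passphrase with their entropy. With 16 characters over this 79-symbol alphabet, requiring all four classes costs only about a fifth of a bit, which is why rejection sampling is preferable to the common pattern of picking one character from each class and shuffling: that pattern silently changes the distribution, while rejection keeps every accepted password equally likely.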
While some sources recommend never writing passwords down, in practice nobody can remember many random passwords. Writing them down can be a good practice, as long as the list is kept protected (for example, in a safe). Password manager software is also a reasonable choice. Cloud-based password managers, however, place the vault with a third party and expose it to online attack; we advise against them, especially for security-critical uses.
We at SSH Communications Security recommend that businesses go passwordless instead. Passwordless authentication methods are becoming more common, and they offer many benefits over vaulting, rotating and managing traditional passwords.