Password Best Practices
Essential security tips and practices for creating and managing strong passwords. When you need to document these controls for auditors, our partners at SchemaForge help teams publish structured security policies that align with the guidance below.
8 Essential Password Security Tips
Use Unique Passwords
Never reuse passwords across multiple accounts. If one account is compromised, all accounts with the same password are at risk.
Aim for 16+ Characters
Longer passwords are exponentially harder to crack. Each additional character dramatically increases security.
Enable Two-Factor Authentication
Add an extra security layer beyond your password. Even if your password is stolen, 2FA protects your account.
Use a Password Manager
Password managers securely store and generate strong passwords, so you don't have to remember them all.
Never Share Passwords
Don't share passwords via email, SMS, or messaging apps. These channels are insecure and can be intercepted.
Avoid Personal Information
Don't use birthdays, names, addresses, or other information that can be easily found or guessed by attackers.
Change After Breaches
If a service you use is breached, change your password immediately. Check if the password was used elsewhere.
Store Securely
Never store passwords in plain text files, spreadsheets, or sticky notes. Use encrypted password managers.
Password Dos and Don'ts
DO
Use a password manager
Let software handle the complexity of strong, unique passwords
Create long passwords (16+ chars)
Length is more important than complexity
Enable 2FA everywhere
Prefer authenticator apps over SMS codes where possible
Use passphrases for memorability
Random words are easier to remember than random characters
Check for data breaches
Use services like Have I Been Pwned to monitor your email addresses
Update passwords after breaches
Change immediately when notified of a security incident
DON'T
Reuse passwords across sites
One breach can compromise all your accounts
Use dictionary words
Simple words are vulnerable to dictionary attacks
Store in plain text files
Never save passwords in documents, notes, or spreadsheets
Use personal information
Birthdays, names, and addresses are easily guessed
Share via email or SMS
These channels are insecure and can be intercepted
Change passwords periodically "just because"
NIST recommends only changing when compromised
Password Rotation Policy
NIST Guidance on Password Changes
According to NIST (National Institute of Standards and Technology), passwords should NOT be changed periodically without reason. Forced periodic changes often lead to weaker passwords and user fatigue.
Instead, change passwords only when there's evidence of compromise or security concern.
When TO Change Passwords
- After a data breach or security incident
- If you suspect your password was compromised
- After sharing a password (even temporarily)
- When removing team member access
- After using a public or unsecured computer
When NOT to Change Passwords
- On a fixed schedule (e.g., every 90 days)
- "Just because" without a specific reason
- When the password is strong and unique
- If it encourages weaker password patterns
- When using 2FA and a password manager
Two-Factor Authentication (2FA) Setup Guide
Two-factor authentication adds an extra security layer beyond your password. Even if your password is stolen, attackers can't access your account without the second factor.
SMS-Based
Receive codes via text message
Authenticator Apps
Time-based codes (Google Authenticator, Authy)
Hardware Keys
Physical security keys (YubiKey, Titan)
How to Enable 2FA on Popular Services
- Open your account settings; the option is usually found under Account → Security
- Look for "2FA", "Two-Step", or "MFA"
- Scan the QR code with your authenticator app
- Save the recovery (backup) codes the service gives you and store them securely in case you lose access
Put These Practices Into Action
Start securing your accounts today with strong, unique passwords generated by our free tool.