Best practice in 2023 is a simple, sufficiently long but memorable passphrase. Excessive requirements mean users just create weak passwords with patterns. [Capital letter]basic word(number){special character}
Enforcing password changes doesnt help either. It just creates further patterns. The vast majority of compromised credentials are used immediately or within a short time frame anyway. Changing the password 2 months later isnt going to help and passwords like July2023!, which are common, are weak to begin with.
A non expiring, long, easily remembered passphase like forgetting-spaghetti-toad-box
Is much more secure than a short password with enforced complexity requirements.
Drop “memorable”. 99.9% of your passwords should be managed by your password manager and don’t need to be memorized. On one or two passwords that you actually need to type (like your computer login) need to be memorable.
99.9% of your passwords should be managed by your password manager
this looks like a sensible approach until you remember password managers can be cracked, too. I’m with GP on this, a passphrase is easier to remember and is good enough for most use cases, if you need more security you should be using some form or another of 2FA anyway
I am kinda paranoid about password managers. My passwords are stored somewhere on the computer, all of them, and I don’t like that idea. I can exercise my brain.
Best practice in 2023 is a simple, sufficiently long but memorable passphrase. Excessive requirements mean users just create weak passwords with patterns.
[Capital letter]basic word(number){special character}
Enforcing password changes doesnt help either. It just creates further patterns. The vast majority of compromised credentials are used immediately or within a short time frame anyway. Changing the password 2 months later isnt going to help and passwords like July2023!, which are common, are weak to begin with.
A non expiring, long, easily remembered passphase like
forgetting-spaghetti-toad-box
Is much more secure than a short password with enforced complexity requirements.
Drop “memorable”. 99.9% of your passwords should be managed by your password manager and don’t need to be memorized. On one or two passwords that you actually need to type (like your computer login) need to be memorable.
this looks like a sensible approach until you remember password managers can be cracked, too. I’m with GP on this, a passphrase is easier to remember and is good enough for most use cases, if you need more security you should be using some form or another of 2FA anyway
I am kinda paranoid about password managers. My passwords are stored somewhere on the computer, all of them, and I don’t like that idea. I can exercise my brain.
I’ve got 1601 logins and 86 secure notes in my Bitwarden vault… no way I’m memorizing all of that lol
I have 350 items in my BW vault. I am not memorizing that many passwords, I’d rather use my brain for something else.