As of 2023, the concept of best practices for user passwords is getting tricky. Let's assemble some knowledge, experience, and hopefully some order.

Premises:

1) There are fundamentally only two types of passwords:
   a) long, complex and UN-REMEMBER-ABLE, which require a password manager, and
   b) REMEMBER-ABLE, and additionally based on some pattern that, with common use, allows the derivation of different passwords. These may be long, short, complex or simple; it all depends on the rules and patterns.

2) In the end, the goal is to LENGTHEN the amount of time it takes a computer to brute-force match your password. We can never guarantee we can prevent an eventual successful guess! Thus LONG is the primary security characteristic.

3) In the end, a character is a character to a computer:
   a) Thus, with respect to lengthening the potential time to guess/crack a password based on CHARACTERS, M is preferred over Z or A (a brute-force search may run the alphabet forwards or backwards, but usually not in random order).
   b) 9 is preferred over 0 or 1.
   c) Symbols are preferred over both (brute-force searches usually don't start with symbols).
   d) Complexity is desired, but length is preferred over complexity.

4) While there is no way to avoid picking individual characters, as these are the lowest, atomic entities assembled to create any password, COMMON WORDS, or WORDS themselves, should be avoided or used very sparingly. Dictionary attacks substitute entire words in place, parallel to character placement, which negates the benefit of LENGTH.
For example: 9M# might be found using a brute-force method by trying all characters until the 9, then trying all characters until the M, then trying all characters until the #. You can see that this will take a finite amount of time given a particular set of characters, say abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*(). But notice that 9Management#, while much longer, MIGHT be brute-force found in the same amount of time, as Management would be selected as an entire word, similarly to any given character.

HOWEVER, this is NOT to say that WORDS should be completely avoided or that WORDS are intrinsically weak. The KEY to using WORDS is to keep them OFF easy-to-distinguish WORD BOUNDARIES. If you were selectively trying to brute-force this password and you wanted your dictionary attack to be effective, YOU WOULD HAVE to know that the word STARTED at the second position in the password string; otherwise, your word choices would NEVER match up. THUS:
   a) Never start a password with a WORD.
   b) Never follow a WORD with a WORD.

Additionally, the use of a random, Static Prefix, and Random, Static OR Patterned Numbers can strengthen a password by huge margins by interjecting unknowns between these boundaries that cannot easily be factored into a brute-force match attack.

------------------------------------------------------------

Pre 2017 Rules

Static Prefix + Static Number + Static Symbol + Remember-able Location ID, Capitalized

ex:
   dduck2&Microsoft
   dduck2&Google
   dduck2&Steam

This method leads to passwords that would take merely MONTHS to brute-force crack given today's computer technology. This simple method is deprecated as currently unsound.
------------------------------------------------------------

2019 Rules

Best Practice became picking two or three words at random, but that might obliquely relate to the location ID, and for added security, adding a static prefix, and/or a rule for placement of one or two numbers, and optionally, a rule for capitalization.

ex:
   dduck#Redmond2xBox4msDos --> Rule: Static Prefix, Static Symbol, 1st location ID word - 1st letter capitalized, Static Number, 2nd location ID word - 2nd letter capitalized, Number + Number, 3rd location ID word - 3rd letter capitalized
   dduck#Games2vAlve4suCksass
   dduck#Shop2sAve4waLmart

This method leads to passwords that would take CENTURIES to brute-force crack given today's computer technology. However, in practice, while each single password appears simple and retrievable, this method proves very difficult, even with the location ID word association, to remember the three specific words once a large number of distinct passwords are necessitated. This method does, however, really begin to allow for long, or at least longer than average, passwords of increasing complexity, so it does hit our primary requirements.

------------------------------------------------------------

2023 Rules

With Length being the primary characteristic. Examples follow; each "Becomes" line gives the assembled password, its Est. Time to crack, and its Entropy*.
   [ Estimated Time to Crack by Bitwarden: https://bitwarden.com/password-strength/ ]
   [ Password Entropy Calculator: https://alecmccutcheon.github.io/Password-Entropy-Calculator/ ]

   1) Static Prefix, remember-able, short but as complex as possible: 5pin69!
   2) 1 Symbol, duplicated a random number of times (11): $$$$$$$$$$$
   3) Location ID (word, capitalized): Microsoft
   3) ALT Location ID, obfuscated pattern (capitalized, vowel substitution): M1cr0s0ft

   Becomes       5pin69!$$$$$$$$$$$Microsoft      41 Years    175
   ALT Becomes   5pin69!$$$$$$$$$$$M1cr0s0ft      Centuries   176

------------------------------------------------------------

   1) Static Prefix, remember-able, short but as complex as possible: 5pin69!
   2) 2 Symbols, pattern duplicated a random number of times (7): *)*)*)*)*)*)*)
   3) Location ID (word, capitalized): Microsoft
   3) ALT Location ID, obfuscated pattern (capitalized, vowel substitution): M1cr0s0ft

   Becomes       5pin69!*)*)*)*)*)*)*)Microsoft   Centuries   195
   ALT Becomes   5pin69!*)*)*)*)*)*)*)M1cr0s0ft   Centuries   195

------------------------------------------------------------

   1) Static Prefix, remember-able, short but as complex as possible: 5pin69!
   2) 2 Symbols, pattern duplicated a random number of times (2): .#.#
   3) Location ID (word, capitalized): Microsoft
   3) ALT Location ID, obfuscated pattern (capitalized, vowel substitution): M1cr0s0ft
   4) Static Suffix, remember-able, short: 120604

   1-3 Becomes       5pin69!.#.#Microsoft         63 Years    129
   1-3 ALT Becomes   5pin69!.#.#M1cr0s0ft         Centuries   130
   1-4 Becomes       5pin69!.#.#Microsoft120604   Centuries   166

RECOMMENDATION:
   1) Short, but Remember-able, Meaningful, Cryptic Prefix with Symbol
   2) 2 Symbols, Pattern Repeated 2-4 times
   3) Single Word, representing Location ID, Capitalized
   4) Short, remember-able, Meaningful, Cryptic Suffix (as desired.)
   5) Single Character (vicinity M, or vicinity 9, or UNCOMMON Symbol) padded to desired length (36 chars recommended, or system max)

Examples:
   Amex:          5pin69!.#.#Amexusausa,,,,,,,,,,,,,,,     36 chars   Centuries   136
   JcPenny:       spin69@%&%&Jcpennyusarmy,,,,,,,,         32 chars   Centuries   153
   Gmail:         5pin69!*)*)Gmailpatriot,,                25 chars   Centuries   148
   Amazon:        tejas1#!.!.Amazon1star                   22 chars   Centuries   139
   Wells Fargo:   mvp3$!,!,Wells1776>>>>>>>>>>>>>>>>>>     36 chars   Centuries   115

For UN-REMEMBER-ABLE passwords, use The Genlet, the Password RE-Generating Wallet!

* Entropy: Higher is better; 62 is considered the minimum for financial records as of 2019.
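To make the two arguments above concrete (premise 4's "a word is one guess, not nine" and the 2023 recipe's prefix + repeated symbols + word + suffix + padding), here is an added example that is not part of the original page and not the Bitwarden or Entropy Calculator code. It assembles passwords in the recipe's shape and compares a naive per-character search space against a pessimistic attacker who already knows where the dictionary word sits; the 72-symbol pool, the 100,000-word dictionary size and the 1e10 guesses/second rate are constructed assumptions, so the bit counts will not match the page's calculator numbers.

```python
import math
import string

# Character pool from the page's 9M# brute-force illustration (72 symbols). Assumed.
POOL = string.ascii_letters + string.digits + "!@#$%^&*()"


def build_password(prefix, symbols, repeats, location, suffix="", pad_char="", target_len=0):
    """Assemble a password per the 2023 recipe: prefix + (symbol pattern x repeats)
    + capitalized location word + suffix, then pad with one character up to
    target_len (step 5 of the recommendation). location is passed already capitalized."""
    pw = prefix + symbols * repeats + location + suffix
    if pad_char and target_len > len(pw):
        pw += pad_char * (target_len - len(pw))
    return pw


def charwise_bits(password, pool=POOL):
    """Naive search space: every position is an independent pick from the pool.
    This is what LENGTH buys against a pure character-by-character attack."""
    return len(password) * math.log2(len(pool))


def dictionary_aware_bits(password, words, pool=POOL, dict_size=100_000):
    """Pessimistic estimate for an attacker who already knows where each listed
    word starts (the page's worst case): the matched span costs log2(dict_size)
    bits instead of len(word) * log2(pool); everything else is still charged
    per character. dict_size is a constructed assumption."""
    remaining = password
    bits = 0.0
    for w in words:
        i = remaining.lower().find(w.lower())  # capitalization is a cheap rule to try
        if i >= 0:
            bits += math.log2(dict_size)
            remaining = remaining[:i] + remaining[i + len(w):]
    return bits + len(remaining) * math.log2(len(pool))


def seconds_to_crack(bits, guesses_per_second=1e10):
    """Expected time to search half the space at an assumed guess rate."""
    return 2 ** (bits - 1) / guesses_per_second


if __name__ == "__main__":
    pw = build_password("5pin69!", ".#", 2, "Microsoft", "120604")
    print(pw, len(pw), "chars")
    print("char-wise bits :", round(charwise_bits(pw), 1))
    print("word-aware bits:", round(dictionary_aware_bits(pw, ["microsoft"]), 1))
    bare = "Microsoft"
    print("bare word      :", round(charwise_bits(bare), 1), "vs",
          round(dictionary_aware_bits(bare, ["microsoft"]), 1))
```

The per-character count treats a repeated pattern or padding run as independent picks; pattern-aware estimators charge a repeat as one unit plus a count, so treat the naive figure as an upper bound on what the padding in step 5 adds.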