IT KORR Knowledge Center
Password Best Practices Guide
A consolidated reference covering the full set of current password best practices in one document.
Construction
- Prioritize length over complexity — 12+ characters, longer for privileged accounts.
- Passphrases (multiple random words) are an accepted, often easier-to-remember alternative.
- Avoid predictable substitution patterns — they do not meaningfully increase real strength.
Management
- Use a company-provisioned password manager for every credential.
- Never reuse a password across accounts.
- Do not require calendar-based rotation absent a specific compliance requirement — change immediately on suspected compromise instead.
Authentication
- Enable multi-factor authentication on every account that supports it.
- Prefer hardware-backed or app-based MFA over SMS where available.
- Disable legacy authentication protocols that bypass MFA.
Organizational Controls
- Maintain a written, reviewed password policy.
- Screen new passwords against known-breached and common-password lists.
- Apply stricter requirements to privileged and service accounts.
Related Resources
- NIST Password Guidelines — /knowledge-center/cybersecurity/password-security/nist-password-guidelines
- Password Policy Generator — /tools/password-policy-generator