Skip to main content
IT KORR
IT KORRKeeping Organizations Reliable & Resilient
Password Security · Download

Password Best Practices Guide

A consolidated reference covering the full set of current password best practices in one document.

IT KORR Knowledge Center

Password Best Practices Guide

A consolidated reference covering the full set of current password best practices in one document.

Construction

  • Prioritize length over complexity — 12+ characters, longer for privileged accounts.
  • Passphrases (multiple random words) are an accepted, often easier-to-remember alternative.
  • Avoid predictable substitution patterns — they do not meaningfully increase real strength.

Management

  • Use a company-provisioned password manager for every credential.
  • Never reuse a password across accounts.
  • Do not require calendar-based rotation absent a specific compliance requirement — change immediately on suspected compromise instead.

Authentication

  • Enable multi-factor authentication on every account that supports it.
  • Prefer hardware-backed or app-based MFA over SMS where available.
  • Disable legacy authentication protocols that bypass MFA.

Organizational Controls

  • Maintain a written, reviewed password policy.
  • Screen new passwords against known-breached and common-password lists.
  • Apply stricter requirements to privileged and service accounts.

Related Resources

  • NIST Password Guidelines — /knowledge-center/cybersecurity/password-security/nist-password-guidelines
  • Password Policy Generator — /tools/password-policy-generator

This document is a starting-point resource, not legal or compliance advice. Review it against your organization's actual systems before adoption — see the full Password Security Hub for the reasoning behind each recommendation, or use the Password Policy Generator for a fully configurable policy document.

Build: add8299 | Built: Jul 9, 2026 9:26 PM EDT