Best Practices for Creating and Managing Secure Passwords
Passwords remain the most common authentication factor and the most commonly abused. Attackers automate brute force, credential stuffing (using leaked password dumps), and phishing at scale. A modern password program focuses on length, uniqueness, storage, screening against breaches, and user experience with MFA and password managers to reduce friction without reducing security.
Threats Passwords Must Withstand
- Credential stuffing: Reusing one password lets a single breach unlock multiple accounts.
- Brute force & dictionary attacks: Short or common passwords fall quickly to automated guessing.
- Phishing: Even “strong” passwords can be tricked out of users on fake pages.
- Shoulder surfing & keylogging: Public logins and compromised endpoints capture keystrokes.
- Weak recovery flows: Insecure “Forgot Password?” processes can bypass strong logins entirely.
Core Best Practices
- Prefer long passphrases (14–20+ characters) over short, complex strings: four to six random words with separators are stronger and more memorable than “P@ssw0rd!”.
- Never reuse passwords: Every account gets a unique secret; reuse enables credential stuffing.
- Use a password manager: Bitwarden, 1Password, or KeePassXC generate/store high-entropy passwords and prevent reuse.
- Pair with MFA: Add phishing-resistant MFA (FIDO2/WebAuthn hardware keys when possible) to blunt password theft.
- Screen against known breaches: Block passwords found in public dumps (e.g., “Have I Been Pwned?” corp feeds or built-in directory password filters).
- Don’t force frequent, arbitrary rotation: Change on suspicion/confirmation of compromise or when high-risk; otherwise favor long, unique secrets.
- Ban common patterns: No personal info, seasons+year (“Summer2025!”), keyboard walks (“qwertyui”).
- Harden account recovery: Verify identity robustly, log recovery events, and require MFA to reset factors where possible.
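As an added example (not code from the original page), here is a Python screening routine that applies the rules above: minimum length of 14, the season+year and keyboard-walk patterns, a personal-info check, and a breach lookup using the k-anonymity scheme of the Pwned Passwords range API, where only the first five hex characters of the SHA-1 leave the machine. The range response is a constructed stand-in and the breach count in it is made up.

```python
import hashlib
import re

MIN_LENGTH = 14  # page policy: length >= 14
SEASON_YEAR = re.compile(r"^(spring|summer|autumn|fall|winter)\d{2,4}\W*$", re.I)
KEYBOARD_WALKS = ("qwertyui", "asdfghjk", "zxcvbnm", "12345678", "1qaz2wsx")

# Constructed stand-in for one range response (prefix 5BAA6): 'SUFFIX:COUNT' lines.
# The suffix is the genuine remainder of SHA-1("password"); the count is made up.
CONSTRUCTED_RANGES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:999999\r\n",
}

def local_policy_check(password: str, personal_info=()) -> list:
    """Return the local policy violations (empty list means the candidate passes)."""
    lowered = password.lower()
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if SEASON_YEAR.match(password):
        problems.append("season+year pattern")
    if any(walk in lowered for walk in KEYBOARD_WALKS):
        problems.append("keyboard walk")
    for item in personal_info:
        if len(item) >= 3 and item.lower() in lowered:
            problems.append(f"contains personal info '{item}'")
    return problems

def hibp_prefix_and_suffix(password: str) -> tuple:
    """Split the SHA-1 hex digest as the k-anonymity range API expects:
    only the 5-char prefix is sent; the 35-char suffix is compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def breach_count(suffix: str, range_response: str) -> int:
    """Scan a 'SUFFIX:COUNT' range body for our suffix; 0 means not found."""
    for line in range_response.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate == suffix:
            return int(count)
    return 0

def screen_password(password: str, personal_info=(), ranges=CONSTRUCTED_RANGES) -> list:
    # Full screen: local pattern rules plus breach-corpus lookup by hash prefix.
    problems = local_policy_check(password, personal_info)
    prefix, suffix = hibp_prefix_and_suffix(password)
    hits = breach_count(suffix, ranges.get(prefix, ""))
    if hits:
        problems.append(f"found in breach corpus ({hits} times)")
    return problems
```

In production, `ranges.get(prefix, "")` would be replaced by an HTTPS fetch of the range for that prefix; the comparison logic stays the same.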
Framework Alignment
- NIST SP 800-63B: Emphasizes length, breach screening, and usability over arbitrary character rules.
- CIS Controls v8 (Control 5): Unique credentials, MFA, and secure management processes.
- ISO/IEC 27002 (9.4.3): Strong authentication and secure credential lifecycle management.
Implementation Recommendations
- Policy: Set length ≥14, no reuse, breach-screening, and manager usage; discourage periodic forced resets without cause.
- Technology: Enable password filters (on-prem AD / Entra), deploy an enterprise password manager, and enforce MFA.
- Training: Teach passphrase creation, manager basics, phishing awareness, and how to spot MFA fatigue prompts.
- Monitoring: Alert on anomalous sign-ins, repeated lockouts, and unusual password reset activity.
- Recovery: Require MFA for resets, audit all changes, and avoid easily guessable challenge questions.
For admins: protect privileged accounts with hardware tokens, just-in-time access, and separate admin workstations.
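An added example for the monitoring recommendation, not part of the original page: a small Python detector that flags repeated lockouts per account and bursts of password resets from a single source, run over constructed log lines (the line format and the thresholds are assumptions).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): timestamp, event kind, user, source address.
CONSTRUCTED_LOG = """\
2025-01-10T09:00:05Z LOCKOUT user=alice src=203.0.113.7
2025-01-10T09:03:40Z LOCKOUT user=alice src=203.0.113.7
2025-01-10T09:07:12Z LOCKOUT user=alice src=203.0.113.7
2025-01-10T09:08:00Z PASSWORD_RESET user=bob src=198.51.100.2
2025-01-10T09:08:30Z PASSWORD_RESET user=carol src=198.51.100.2
2025-01-10T09:09:10Z PASSWORD_RESET user=dave src=198.51.100.2
2025-01-10T11:30:00Z LOCKOUT user=erin src=192.0.2.9
"""
LINE = re.compile(r"^(\S+)Z (\w+) user=(\S+) src=(\S+)$")

def parse_events(text):
    """Parse lines into (timestamp, kind, user, src) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ts, kind, user, src = m.groups()
            events.append((datetime.fromisoformat(ts), kind, user, src))
    return sorted(events)

def bursts(events, kind, key_fn, threshold, window):
    """Return keys with at least `threshold` events of `kind` inside a sliding `window`."""
    recent = defaultdict(list)
    flagged = set()
    for ts, k, user, src in events:
        if k != kind:
            continue
        key = key_fn(user, src)
        times = recent[key]
        times.append(ts)
        while times and ts - times[0] > window:  # expire timestamps outside the window
            times.pop(0)
        if len(times) >= threshold:
            flagged.add(key)
    return flagged

def detect(text):
    """Assumed thresholds: 3 lockouts per user in 10 min; 3 resets per source in 5 min."""
    events = parse_events(text)
    return {
        "repeated_lockouts": bursts(events, "LOCKOUT", lambda u, s: u, 3, timedelta(minutes=10)),
        "reset_bursts_by_source": bursts(events, "PASSWORD_RESET", lambda u, s: s, 3, timedelta(minutes=5)),
    }
```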
Password Manager Tips
- Master passphrase: Use a unique, long passphrase you can remember; never reuse it anywhere else.
- MFA on the vault: Protect the manager itself with FIDO2 or TOTP MFA.
- Org rollouts: Provide shared vaults for team secrets and enforce policies (minimum length, no reuse).
- Device hygiene: Keep endpoints patched; a compromised device can capture keystrokes/screens.
Reusable Strong Password Template (Edit Per Site)
The safest approach is to let a manager generate fully random secrets. When you must craft something memorable (e.g., for a master passphrase), use a site-specific, high-entropy pattern that avoids personal data and obvious transformations.
Template Structure
RandomPassphrase + SiteTag + Separator + SecretNumberCue
Component Guidance
- RandomPassphrase: 2–5 unrelated words with separators. Example: Velvet-Marmot
- SiteTag: 2–3 letters derived from the service (avoid exact names if possible). Example: GH (GitHub), LN (LinkedIn), USA (USAJOBS)
- Separator: Choose a symbol you consistently use (or two). Example: @! or _?
- SecretNumberCue: Non-obvious numbers (not birthdays/addresses). Consider a rule only you know (e.g., last two digits of an internal sequence you rotate yearly).
Worked Examples
GitHub:
Velvet-MarmotGH@!47
LinkedIn:
Velvet-MarmotLN@!47
USAJOBS:
Velvet-MarmotUSA@!47
Strength Notes
- Length and randomness of the passphrase drive security; SiteTag ensures uniqueness.
- Rotate the SecretNumberCue (e.g., yearly) to refresh entropy without breaking memorability.
- If any one of these is leaked, change that account immediately and consider altering your scheme components.
Master Passphrase (for your manager)
Use a different structure with more words and no site tag (since it’s not per-site):
Marmot-Skyline-Velvet-Quartz-Radio?942
Pair with a hardware security key for the vault.
Important: Never write down your exact “formula”; if you must keep hints, store them as private memory cues only you will understand. You may also consider adding an extra secret element (“salt”) to your formula to make it harder to reconstruct.
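As an added example (not from the original page), a Python generator that builds a passphrase of the kind shown above from a wordlist using the `secrets` CSPRNG, plus the entropy arithmetic behind “length and randomness drive security”. The tiny wordlist is constructed for the demo; the 7776-word figure used in the entropy calculations is the size of the EFF long wordlist.

```python
import math
import secrets
import string

# Constructed tiny wordlist for the demo; real lists (e.g., the EFF long list) have 7776 words.
DEMO_WORDS = ["velvet", "marmot", "skyline", "quartz", "radio", "lantern", "copper", "meadow"]

def generate_passphrase(words, count=5, separator="-", digits=3):
    """Pick `count` words uniformly with the CSPRNG, join them with the separator,
    and append a random numeric cue (like the page's '?942' suffix)."""
    chosen = [secrets.choice(words) for _ in range(count)]
    cue = "".join(secrets.choice(string.digits) for _ in range(digits))
    return separator.join(chosen) + "?" + cue

def passphrase_entropy_bits(wordlist_size, count, digits=0):
    """Entropy assuming uniform choice: count*log2(size) + digits*log2(10)."""
    return count * math.log2(wordlist_size) + digits * math.log2(10)

def words_for_target(wordlist_size, target_bits):
    """Smallest word count whose word part alone reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(wordlist_size))

def is_well_formed(passphrase, words, count=5, separator="-", digits=3):
    """Check that a passphrase has the expected shape: words from the list plus a digit cue."""
    body, sep, cue = passphrase.partition("?")
    parts = body.split(separator)
    return (sep == "?" and len(parts) == count and all(p in words for p in parts)
            and len(cue) == digits and cue.isdigit())
```

With an 8-word demo list the output is only illustrative; the entropy functions show why two words from a real list (about 26 bits) are far weaker than five (about 65 bits).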
Common Mistakes to Avoid
- Using personal info (names, dates) or predictable patterns (Season+Year!).
- Reusing one “great” password across many sites.
- Saving passwords in browsers without MFA or syncing them to unmanaged devices.
- Ignoring breach notifications and failing to rotate compromised credentials.
- Weak recovery questions that attackers can answer from social media.
Expected Outcomes
- Risk Reduction: Unique, long passwords with MFA dramatically reduce credential-based compromise.
- Operational Consistency: Managers standardize creation, storage, and sharing of secrets.
- Compliance: Aligns with NIST/CIS/ISO requirements for credential strength and handling.
Quick Checklist
- Set minimum length ≥14 and block breached/common passwords.
- Deploy an approved password manager and require MFA for the vault.
- Enforce uniqueness per site; audit for reuse.
- Harden recovery and log all resets/changes.
- Train users quarterly; test phishing resilience.
References & Further Reading
- NIST SP 800-63B: Digital Identity Guidelines
- CIS Controls v8 – Account Management
- OWASP Password Guidance