The Only Password Security Guide You Need Follow

Passwords aren't going anywhere just yet. Here's how to ramp up your company's password hygiene while they're still around.

While tech-savvy solutions like passkeys and two-factor authentication (2FA) continue to be favored by companies like Google, Apple, and Microsoft, the humble password isn’t dead yet.

Until they’re phased out completely, maintaining good password hygiene is the only way your company can stay safe from rapidly evolving threats like keylogger programs and AI password crackers.

Creating a strong password isn’t rocket science — but conflicting regulations have created a cloud of confusion around the topic making it hard for businesses to know which requirements to use across their systems.

So, we’ve brushed up on the latest National Institute of Standards and Technology (NIST) guidelines and created a list of password tips for companies and workers to follow. You can thank us later.

Simple Password Tips for Companies

If you’re responsible for setting password policies for your organization, read on for six practices to bear in mind.

1. Set a password minimum of eight characters

According to NIST, creating a longer password is more important than creating a complex one. This is clear from Hive Systems research, that found that passwords eight characters long are able to be hacked within eight hours by the average hacker, while shorter codes can be compromised within a few minutes.

Therefore, to it harder for cybercriminals to crack your password, and easier for you and your business, we recommend setting a character limit that ranges from 8-64.

2. Allow the ‘Show Password’ option

When employees type in long and complex passwords blindly, it makes typos and errors extremely common. Not only does this make users more prone to being blocked out of their accounts, it also makes them less likely to create complex codes in the future.

To avoid this issue, NIST tells businesses to let workers see what passwords they’re typing. This way, guesswork can be eliminated, stress can be avoided, and your workforce will be more likely to use effective codes to safeguard their accounts.

3. Lower the limit of “Failed Password” attempts

NIST also recommends temporarily baring access to accounts for a certain period of time when users enter incorrect details — and locking them out altogether after 100 attempts. They suggest that companies should make workers complete a CAPTCHA before re-attempting, to ensure that computers aren’t trying to enter the account.

4. Use passwords alongside two-factor authentication

While this is less of a password tip, the government agency advises businesses to use two-factor authentication alongside traditional codes. This provides companies with an important extra layer of defense and makes it even harder for hackers to enter your system.

There are a number of different 2FA options to choose from, but using a separate authenticator device or U2F security key is by far the best way to keep accounts safe.

5. Don’t reset passwords too frequently

No worker enjoys regularly updating their password. What’s more, requiring them to do so frequently results in the creation of unimaginative, hackable passwords.

Because of this, NIST warns businesses against making users reset passwords too frequently. This may sound counterintuitive, but according to the agency, it’s the best way to combat password fatigue by keeping the quality of codes strong throughout your organization.

6. Let users copy and paste passcodes

Password pasting has a bad rep. It’s commonly understood to be antithetical to password security. But as the UK’s National Cyber Security Center found, it rarely poses a direct threat to companies.

In fact, letting users paste codes across platforms has actually been shown to improve security by reducing errors and making it easier for users to follow correct password hygiene. This is consistent with NIST’s latest guidelines, which tell companies that users should be able “to use ‘paste’ functionality when entering a [password].”

Simple Password Tips for Workers

Unsure about what constitutes a strong password? Read on for some simple, fuss-free tips.

1. Consider using a passphrase

Generally speaking, the longer the password, the more secure. So, while NIST advises businesses to institute eight-character minimums, using passphrases, which range from eight to 16 characters, is a much more effective way to keep your account safe. What’s more, since passphrases break up characters with a spacebar, they’re generally easier to remember too, so it’s a win-win!

2. Avoid dictionary words

Simple words are easier to crack. Because of this, NIST warns users against using codes that contain dictionary words, or simple number sequences like 123456 or 111111.

As a general rule, it’s good to get creative. While users should stay clear of simple words like “password,” “monkey,” or “apple,” they’re welcome to use variants of the words like “P@s5worD,” “M0nK3Y,” or “@Ppl3,” as long as they’re still long enough to meet your character minimum.

3. Avoid names

While it might be tempting to create passwords modeled off the names of loved ones, pets, or celebrity figures, passwords including names are considerably easier to hack. In fact, research from Cybernews revealed that the names Eva, Alex, and Anna consistently rank as some of the most commonly hacked codes.

To make your password less prone to attack, we advise avoiding the names with special characters and numbers as we outlined in the step above.

4. Don’t reuse passwords

Even though most of us are doing it, reusing the same password across multiple accounts makes you a great target for lurking threats. This is because once a hacker cracks one of your passwords, they are then able to gain access to a variety of your online accounts.

Coming up with a distinct password that adheres to password requirements for each platform you use is no easy feat. But fortunately, you don’t have to store them and remember them yourself.

5. Use a password manager

Using a reliable password manager is by far the easiest way to look after your password and data hygiene.

Instead of keeping mental or physical tabs on all your codes, this solution stores all your passwords for you, making it easier for users to deploy long and complex codes that stand the best chance of protecting your accounts.

Password managers can be tasked with generating strong, impenetrable codes too, helping to significantly ease cases of password fatigue.

But with so many options to choose from, you want to make sure you move forwards with the right tool. NordPass is our favorite password manager, because of its user-friendly design and handy features, but we present some other great alternatives in our table below:

0 out of 0
Local Storage Option
Two-Factor Authentication
Failsafe Function
Password Generator Function
A password manager can create secure, complex passwords for you. You won't need to remember them yourself.
Help Instructions
Email Support
Live Chat Support
Phone Support
Business Plan?
Business Price
Cheapest available business plan
Click to Try




Sticky Password





$19.95/10 users




Try 1Password Try NordPass Try LastPass Try Dashlane Sticky Password
Did you find this article helpful? Click on one of the following buttons
We're so happy you liked! Get more delivered to your inbox just like it.

We're sorry this article didn't help you today – we welcome feedback, so if there's any way you feel we could improve our content, please email us at

Written by:
Isobel O'Sullivan (BSc) is a senior writer at with over four years of experience covering business and technology news. Since studying Digital Anthropology at University College London (UCL), she’s been a regular contributor to Market Finance’s blog and has also worked as a freelance tech researcher. Isobel’s always up to date with the topics in employment and data security and has a specialist focus on POS and VoIP systems.
Explore More See all news
Back to top
close Thinking about your online privacy? NordVPN is's top-rated VPN service See Deals