A Word About Passwords

Password Security Standards

Passwords remain a primary form of authentication to a system. The NIST Digital Identity Guidelines include requirements for password length and complexity.

Practical Implementation

Different stakeholder groups each play a unique role in successfully enforcing password security requirements for an information system. Roles and responsibilities may include the following:

Users’ Responsibilities include:

Rather than creating shorter passwords, which are easier to remember but less secure, use randomly generated passwords created with a password manager, such as 1Password.

1Password will also warn you if any of your passwords have been exposed in known breaches, by matching the credentials you supply against the haveibeenpwned database of breached passwords.

Developers’ Responsibilities include:

Web applications should be designed to do the following in order to secure users’ login credentials:

Only allow users to create passwords that are a minimum of 8 characters in length. Disallow users from creating passwords that have been included in known breaches. One way they can do this is by using the haveibeenpwned API.
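The two checks above, combined into one registration-time validator, as an added example that is not code from the original page or from 1Password or haveibeenpwned. It enforces the 8-character minimum and then queries the Pwned Passwords range endpoint (https://api.pwnedpasswords.com/range/<first 5 hex chars of the SHA-1>), which returns every stored hash suffix sharing that prefix so the full hash never leaves the application. The sample range response, the breach counts in it and the `range_lookup` parameter are assumptions constructed for this example; only the SHA-1 of "password" is a real value.

```python
import hashlib
import urllib.request

MIN_PASSWORD_LENGTH = 8  # the minimum length the policy above specifies

# Constructed sample of a Pwned Passwords range response for the prefix "5BAA6".
# Each line is "<35 hex-char SHA-1 suffix>:<number of breaches it appeared in>".
# The middle suffix is the real SHA-1 suffix of "password"; the counts and the
# other two suffixes are made up for this example.
SAMPLE_RANGE_RESPONSE = """\
1E2CCD8EE3A5F3F1B38D4A4C8A4DB36E3A1:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E5A2F0E4C3B9A8D7E6F5A4B3C2D1E0F9A8:1
"""


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the form the Pwned Passwords API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> tuple[str, str]:
    """Return (5-char prefix sent to the API, 35-char suffix kept locally)."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def breach_count(range_response: str, suffix: str) -> int:
    """Scan a range response for our suffix; 0 means not in any known breach."""
    for line in range_response.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue  # tolerate blank lines or malformed entries
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Live lookup (network). Only the 5-character prefix is sent to the API."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"User-Agent": "password-policy-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def validate_password(password: str, range_lookup=fetch_range) -> tuple[bool, str]:
    """Apply the two policy checks; range_lookup is injectable for offline tests."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return False, f"shorter than {MIN_PASSWORD_LENGTH} characters"
    prefix, suffix = split_hash(password)
    count = breach_count(range_lookup(prefix), suffix)
    if count > 0:
        return False, f"found in {count} known breaches"
    return True, "ok"


if __name__ == "__main__":
    # Offline demonstration against the constructed sample response.
    offline = lambda prefix: SAMPLE_RANGE_RESPONSE
    for candidate in ["short", "password", "correct horse battery staple"]:
        print(candidate, "->", validate_password(candidate, range_lookup=offline))
```

Because the lookup function is a parameter, the validator can be unit-tested without network access and swapped for a cached copy of the range data in production; on a live lookup, treat an API error as "unknown" and decide explicitly whether to fail open or closed rather than silently accepting the password.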

Penetration Testers’ Responsibilities include:

Use fuzzing techniques, injecting common or breached passwords, such as those from SecLists, into a web application penetration testing tool, such as Burp Suite or OWASP ZAP.