Strong password standards in 2024: Changes and best practices

Did you know that your formerly strong password may no longer be secure? Sad, but true – because cybercriminals are able to break previously hard-to-crack passwords with the help of artificial intelligence (AI) as well as hacking systems and programs that are growing ever more effective and efficient.
And as the threat levels increase, so do the requirements for a secure password.
 
Open laptop with padlock on keyboard
Lock cybercriminals out of your accounts with a password that meets the latest guidelines

The evolution of password standards

Due to the rise in cybercrime, the security requirements of companies and government agencies are becoming stricter.  With good reason: given all the sensitive customer information handled by email services, online stores, healthcare providers, educational institutions, etc., it is essential that they guard against unauthorized access and data theft.

With this in mind, institutions and businesses take the security of access data very seriously, and part of this is a strong password policy. Since the passwords and PINs of their employees and customers are potential targets for hackers, they must meet increasingly strict minimum password requirements.  A password like “Mom2010” no longer makes the grade. When users create a new password, it must meet the service’s password rules or else it will not be accepted by the system. 
 
Bonus explainer: If you would like to learn more about how cybercriminals crack passwords and how you can boost your own password security, check out our deep dive: How hackers steal passwords - and ways you can protect yours

What is a password policy?

A password policy is the set of requirements for the passwords used by the customers and/or employees of a company, a government agency, etc. For example, a password policy might include:
  • Minimum standards for password length
  • Password complexity requirements
  • Rules against reusing passwords or using ones that have appeared in a data leak
  • Expiration dates for passwords
  • Limits on the number of incorrect password entries

Good to know: Companies and government agencies tighten their password guidelines from time to time in response to changing cyber threats. Many companies in the United States base their password policies on the National Institute of Standards and Technology (NIST) Digital Identity Guidelines, often referred to as the NIST password standards.

How do you know if your password complies with a company’s password policy?

When you register a new username and password, they are usually checked automatically before the system will accept them. With most services, a message appears informing you if the password you want to create does not comply with the current password policy, and what you can do to make it stronger.

How do I know if an old password is too weak?

If you save your passwords in a password manager – whether with a third-party tool, iCloud Keychain on your Apple device, Google Password Manager in your Google account, etc. – any weak, compromised, or recycled passwords will usually be flagged. For example, if you open the password manager on your iPhone you may see Security Recommendations at the top, and by tapping you see a list of which of your passwords should be updated in keeping with current password recommendations.

If your old password no longer meets the strong password policy standards of a service such as your online bank, sometimes that service will notify you with a pop-up or a message AFTER you have logged in. However, if you receive an email telling you to click a link to “update your password” you should NEVER do it – this is a common phishing scam and will most likely result in your password data being stolen.

What are strong password requirements in 2024?

Nowadays, most online services will require your password to be at least 8 characters long – but recommend a minimum of 12 characters. They will also require a certain level of password complexity; usually, this means that your password will need to contain upper- and lowercase letters, numbers, and special characters. Passwords should never be used for more than one service. Check out the list below for more details!
 

Does your password comply with the current guidelines?


Several of the NIST guidelines for passwords are more useful for IT security professionals, e.g., recommendations for how a company should store user passwords securely. However, here are nine helpful takeaways for users from the NIST recommendations for passwords:
  1. Your password should be long. Although you can sometimes still get away with creating a password of 8 characters minimum, a password of 16 characters or more is significantly more secure.
  2. Your password should be unique. Never use the same password for more than one account.
  3. Your password should not contain sequential characters. This means no “12345”, “abcde” or “QWERTY”, for example.
  4. Your password should be random. The most secure passwords are a string of mixed letters, numbers, and special characters. However, a password is only secure if you can remember it. So, a passphrase consisting of at least four random words that you can actually memorize is a very secure option – e.g., “Book-curtain-pinecone-basket”.
  5. Your password should not contain your name. Also not acceptable: passwords that contain your username or the name of the service (e.g., your Amazon password should not contain the word “amazon”).
  6. Do not use passwords that have been part of data breaches. This applies especially to commonly used passwords like “Password1234”. If any of your passwords have been leaked, it is important to change them or any similar passwords immediately. You can use the Have I Been Pwned site to check if an email address (and its password) has been compromised in a breach.
  7. Only change your strong, unique passwords when necessary. Although the recommendation used to be for regular password changes (every 3 to 6 months), if you have one that meets all of the strong password criteria and you have it memorized, it is better to stick with it than to risk creating a new password that you might forget. Obviously, this does not apply if you think your password has been compromised.
  8. If you have a choice, don’t use a security question for authentication. Read more in our deep dive: Are security questions secure? Not really – here’s why
  9. If you purchase new hardware, like a Wi-Fi router, it may come with a default username and password for you to use during initial setup. Even if the device does not require you to do so, you should immediately update its password to a unique, strong password you choose yourself. Default passwords are a security risk because they are often readily available on the internet.

We hope this article helps you keep up with password standards and best practices. Before you go update that old Netflix password, please leave us some feedback below!

And if you don’t have one yet, why not create an email account with mail.com today?

Images: 1&1/GettyImages
 

53 people found this article helpful.

Related articles

What is a brute force attack? Meaning, protection & prevention

I know where you live: Creepy scam emails with personal details

History of passwords: Where does the password come from?