Password Best Practices Checklist for 2025

Let’s think about your keys for a second. Your house key doesn’t work for any other door. It’s cut with complex ridges to make it more secure. And you certainly don’t leave it in the lock when you aren’t using it. 

Can you say the same about your password?  

Poor password hygiene is a bad habit for millions of people, and this lax approach to password security has real-world consequences. In a Talker Research study commissioned by Forbes Advisor, nearly half of the surveyed Americans admitted to having a password stolen in the past year.

At Aspire, we take cybersecurity seriously. We don’t want you to join the statistics, so we’ve put together a password best practices checklist to help you clean up your credentials.

The Password Best Practices Checklist


✅ Use a Strong Password 

At first glance, a password like dictionary123! might seem strong. It might even meet your organization’s password requirements. But it isn’t as secure as you might think. It is a common word followed by the most predictable digits and symbol, which is exactly the shape that dictionary and rule-based cracking attacks try first, so it falls long before a true brute-force search would ever be needed.

You can create a strong password by giving it four qualities: reasonable length, diversity, complexity, and memorability.

Let’s apply each quality and create a stronger, more secure password.

Original password: dictionary123! 

1) Length 

Although there is no single standard for password length, many organizations enforce a minimum of somewhere between 8 and 12 characters. The National Institute of Standards and Technology (SP 800-63B) sets a floor of 8 characters, recommends a minimum of 15, and says systems should accept passwords of at least 64 characters. For optimum security, go well beyond the minimum: longer is better, because length is the strongest lever against guessing.

As a password best practice, you should use a passphrase, which can be a saying, a random combination of words, or a sentence only you would write, as long as it’s memorable. Avoid famous quotes, song lyrics, and proverbs, though: those are already in the wordlists attackers use. If spaces are prohibited, try omitting them or replacing them with special characters.

We can add length to our password by making it a sentence-like passphrase.

Longer password: i read the dictionary123! 

2) Diversity 

A diverse password contains a combination of uppercase letters, lowercase letters, numbers, and special characters. The number of possible passwords is the character-set size raised to the power of the length, so adding a character class multiplies the search space (from 26 lowercase letters to 95 printable characters is roughly 3.7 times per position), while adding one more character multiplies it by the whole character set. Both make brute-force attacks more time-consuming, but length is the stronger lever, and diversity only helps when the extra characters are not in predictable positions: a capital first letter and a digit-plus-symbol suffix are exactly what cracking rules try first.

Our password already has high diversity, but we can increase it by adding a capital letter.

More diverse password: I read the dictionary123!

3) Complexity 

Complexity is the combination of length and diversity, and it is characterized by unpredictability and randomness. You add real complexity by avoiding common patterns, choosing words that do not belong together, and increasing length. Replacing letters with similar-looking characters (writing dictionary as d!<ti0n4ry) adds far less than it appears to: every password-cracking rule set tries those substitutions automatically, so a leet-speak word is only marginally harder to guess than the plain word.

We can add complexity by incorporating more character diversity and removing patterns.

More complex password: ! |234d 7he d!<ti0n4R`/132! 

4) Memorability 

Passwords face the Goldilocks dilemma: They can’t be too simple, but they can’t be too complex, either. Making your password memorable is an essential component of a strong password. If your password is too complex, you may be tempted to write it down somewhere, which introduces a security risk. Finding the right balance is the key to making a strong password. 

Limiting our complexity gives us a more memorable password.

Memorable password: I read the di<ti0n4ry132! 
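The numbers behind the four qualities above, as an added example (this is not code from the original article). It computes the naive brute-force figure that password meters usually report, then a deliberately simple model of how a dictionary-plus-rules attack actually works: recognise dictionary words, undo leet substitutions, and charge only for what is left over. The wordlist, the rule factor, and the guess rate are assumptions labelled in the code; a real attacker’s wordlist and rule set are far larger, so the "effective" figure is an upper bound on what the password is worth.

```python
"""Estimate how strong a password really is.

Two estimates are computed:
  naive_bits      the brute-force figure: (character-set size) ** length
  effective_bits  a deliberately simple model of a dictionary-plus-rules
                  attack that recognises dictionary words, leet-speak
                  substitutions, digit suffixes and symbols
"""
import math
import re

# Constructed sample wordlist. A real cracking dictionary (rockyou.txt is the
# classic example) has millions of entries; WORDLIST_SIZE models that size.
SAMPLE_WORDS = {
    "the", "read", "dictionary", "password", "summer", "welcome", "admin",
    "correct", "horse", "battery", "staple", "monkey", "dragon",
}
WORDLIST_SIZE = 100_000          # assumed size of the attacker's real list
MIN_WORD = 3                     # shorter matches are treated as random letters
MAX_WORD = max(len(w) for w in SAMPLE_WORDS)
RULE_FACTOR = 16                 # assumed: case/leet variants a rule file tries per word

# Common leet-speak substitutions, reversed. Every cracking rule set knows these.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "<": "c", "!": "i", "|": "l"})


def deleet(s: str) -> str:
    """Lowercase and undo leet substitutions."""
    return s.lower().translate(LEET)


def naive_bits(pw: str) -> float:
    """Brute-force keyspace in bits: every position drawn from all classes present."""
    charset = 0
    if re.search(r"[a-z]", pw):
        charset += 26
    if re.search(r"[A-Z]", pw):
        charset += 26
    if re.search(r"[0-9]", pw):
        charset += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        charset += 33            # printable ASCII symbols, including space
    return len(pw) * math.log2(charset)


def _char_cost(c: str) -> int:
    """Guess cost of one character the attacker cannot explain by a word."""
    if c == " ":
        return 1                 # separators between words are assumed known
    if c.isdigit():
        return 10
    if c.islower():
        return 26
    if c.isupper():
        return 52
    return 33


def effective_guesses(pw: str) -> int:
    """Greedy segmentation: longest dictionary word (raw or de-leeted) at each
    position, otherwise a single unexplained character. Returns the modelled
    number of guesses an attacker needs."""
    guesses = 1
    p = 0
    while p < len(pw):
        matched = False
        for k in range(min(MAX_WORD, len(pw) - p), MIN_WORD - 1, -1):
            chunk = pw[p:p + k]
            raw = chunk.lower()
            if raw in SAMPLE_WORDS or deleet(chunk) in SAMPLE_WORDS:
                # A word costs at most the wordlist size; mangling adds the rule factor.
                cost = min(WORDLIST_SIZE, 26 ** k)
                if raw not in SAMPLE_WORDS or chunk != raw:
                    cost *= RULE_FACTOR
                guesses *= cost
                p += k
                matched = True
                break
        if not matched:
            guesses *= _char_cost(pw[p])
            p += 1
    return guesses


def effective_bits(pw: str) -> float:
    return math.log2(effective_guesses(pw))


def crack_time_seconds(bits: float, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to exhaust 2**bits guesses. 1e10/s is an assumed,
    conservative single-GPU rate against a fast unsalted hash (NTLM, MD5);
    a slow hash such as bcrypt is orders of magnitude lower."""
    return 2 ** bits / guesses_per_second


def report(pw: str) -> dict:
    n, e = naive_bits(pw), effective_bits(pw)
    return {"password": pw, "naive_bits": round(n, 1), "effective_bits": round(e, 1),
            "effective_crack_seconds": crack_time_seconds(e)}


if __name__ == "__main__":
    for pw in ["dictionary123!", "i read the dictionary123!",
               "! |234d 7he d!<ti0n4R`/132!", "I read the di<ti0n4ry132!"]:
        r = report(pw)
        print(f"{r['password']!r:34} naive {r['naive_bits']:6.1f} bits  "
              f"effective {r['effective_bits']:5.1f} bits  "
              f"crack {r['effective_crack_seconds']:.3g} s")
```

Run it and the point of the section shows up in the numbers: dictionary123! scores about 85 bits by the naive count but only about 32 bits once the attacker is allowed a wordlist, which is well under a second of GPU time, while the passphrase keeps roughly 72 bits even after the leet-speak is undone, because the length and the extra words survive the rules. The model does not recognise every mangling a real rule set does (the fully leeted example above is scored higher than it deserves), so treat its output as optimistic.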

✅ Change Your Password Often 

Using the same password for years on end might seem like an easy way to remember your credentials, but it also means that a stolen copy stays useful for years. Changing a password closes that window: once it is rotated, a credential that leaked in a breach, was phished, or was cracked from an old hash is worthless. Be aware that current NIST guidance (SP 800-63B) no longer recommends forcing changes on a fixed schedule, because users respond with predictable increments (Summer2023! becomes Summer2024!), and instead requires a change whenever there is evidence of compromise. If you are using Multifactor Authentication (MFA), we recommend changing your password every 90-180 days.

For extra security, or if you do not have MFA safeguards in place, the Cybersecurity & Infrastructure Security Agency recommends changing your password every 45-90 days. Whatever schedule you follow, change a password immediately if you suspect it has been exposed, and treat each change as a fresh password rather than a tweak of the old one. Frequent password changes may tempt you to use shortcuts to remember your passwords, but be careful not to revert to poor practices.

Administrators in a Windows domain can enforce maximum password age, minimum length, and password history for all users through Group Policy (Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy, normally set in the Default Domain Policy), so that every domain account is reset at regular intervals.

✅ Update Default Passwords 

There are more passwords in your workplace than you might realize. Your network printer has a password. Your modem has a password. Your routers and switches have passwords. These are the most dangerous devices to ignore, because each one sits on your network with an administrative interface, and many are installed and used for years without the factory default password ever being changed.

Consider the multifunction printer (MFP) that everyone in your office prints to. It has a web management interface reachable by anyone on the network who knows its IP address. If the default credentials were never changed, an intruder simply opens that page, logs in with the factory default (often admin/admin, or a password printed on the device label and in the public manual), and now controls a device that holds print jobs, scanned documents, and often stored e-mail or file-share credentials, with a foothold inside your network.

To keep intruders from using a forgotten default as their way in, change the default password on every device that connects to your network, and where the device allows it, restrict its management interface to an administrative network. Devices to check include:

  • Networking Equipment (Routers, Modems, Switches) 
  • Printers 
  • Smart Devices 
  • Security Cameras  
  • Local administrator accounts on workstations and servers

✅ Make Passwords Easy with Password Management 

If you only had one password, following the best practices wouldn’t be too much of a hassle. The only problem is that nobody has just one password. According to a recent survey conducted by NordPass, the average professional uses about 87 different passwords in the workplace. When personal passwords are included, the total number soars above 200. 

Creating, updating, and remembering strong passwords for this many accounts becomes frustrating, especially when you prioritize cybersecurity. The good news is that password management software, such as LastPass and 1Password, offers an effective way to generate and store a highly complex, unique password for every account.

By taking advantage of password management software, you will only have to remember one password: the one to your password vault. Make that one a long passphrase you use nowhere else, and protect the vault with MFA, since it now guards everything else.

Password Best Practices: Do’s and Don’ts 

We’ve covered the building blocks of strong password best practices: length, diversity, complexity, and memorability. But putting those principles into practice requires understanding what to aim for—and what to avoid. Use this quick guide to refine your approach and stay ahead of potential threats.

The Password Do’s

🟩 Regularly update your password – Updating your password every 3-6 months limits the damage if it was stolen without your knowledge, since a rotated password cuts off whoever holds the old copy. Change it immediately, not at the next scheduled interval, if you suspect it has been exposed.

🟩 Make it complex, yet memorable – Your password should contain a mix of uppercase letters, lowercase letters, numbers, and special characters. Make a memorable passphrase for length and complexity without sacrificing security.

🟩 Include uncommon words or phrases – Avoid common dictionary words or predictable combinations. Incorporating uncommon or unrelated words makes your password significantly harder to crack. Think of unique but memorable terms that wouldn’t be easily guessed. 

🟩 Start fresh with every password – Reusing parts of old passwords, even if modified, makes it easier for hackers to guess your credentials. Treat every new password as a clean slate. 

The Password Don’ts

🟥 Share your password – Your password is yours, and yours alone. IT and other support staff members will never ask for your password. Sharing it increases the chances of it being misused. 

🟥 Write your password down for any reason – This includes sending passwords over email, keeping them in a spreadsheet, or leaving them on a sticky note under the keyboard. If you cannot memorize a password, store it in a password manager, where it is encrypted, rather than in plain text anywhere.

🟥 Use the same password for more than one account – Using the same password across multiple accounts puts all of them at risk if even one gets compromised. Always use unique passwords for every account to limit potential damage. 

🟥 Use easy-to-guess information or predictable patterns – Hackers know to look for common details like names, birthdays, or keyboard patterns like “asdfjkl;” or “123456.” Avoid using these entirely to make your password stronger. 
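Two of the items above, "start fresh with every password" and "avoid predictable patterns", are easy to check mechanically. The following is an added example, not code from the original article: a self-audit (or password-history check for a verifier) that flags a new password that is a small edit of the old one or shares its word core, and a pattern scanner that looks for keyboard walks, repeated characters, and years. The keyboard rows and the walk length are assumptions labelled in the code.

```python
"""Self-audit checks for two items on the do's and don'ts list:
  too_similar()           the new password reuses (part of) the old one
  predictable_patterns()  keyboard walks, repeated characters, years
"""
import re

# Assumed US QWERTY rows plus the digit row. Walks along these rows, forwards
# or backwards, are among the first candidates cracking tools generate.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl;", "zxcvbnm,./"]
WALK_LEN = 4          # assumed: four adjacent keys in a row count as a walk


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert / delete / substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def _core(pw: str) -> str:
    """Letters only, lowercased: 'Summer2024!' -> 'summer'."""
    return re.sub(r"[^a-z]", "", pw.lower())


def too_similar(old: str, new: str, max_edits: int = 3) -> bool:
    """True if the new password is the old one with small changes
    (Summer2023! -> Summer2024!) or keeps the same word core behind
    different digits, symbols, or capitalisation."""
    if levenshtein(old, new) <= max_edits:
        return True
    co, cn = _core(old), _core(new)
    return len(co) >= 4 and len(cn) >= 4 and (co in cn or cn in co)


def predictable_patterns(pw: str) -> list[str]:
    """Names of the predictable patterns found; an empty list means none."""
    found = []
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - WALK_LEN + 1):
            walk = row[i:i + WALK_LEN]
            if walk in low or walk[::-1] in low:
                found.append(f"keyboard walk '{walk}'")
    if re.search(r"(.)\1{2,}", low):            # aaa, 111, ...
        found.append("repeated character")
    if re.search(r"(?<!\d)(19|20)\d{2}(?!\d)", low):
        found.append("year")
    return found


if __name__ == "__main__":
    # Constructed sample pairs and passwords.
    for old, new in [("Summer2023!", "Summer2024!"),
                     ("Summer2023!", "gravel-otter-lantern-42")]:
        verdict = "REUSED" if too_similar(old, new) else "ok"
        print(f"{old!r} -> {new!r}: {verdict}")
    for pw in ["asdfjkl;", "123456", "Password2024", "correct horse battery staple"]:
        print(f"{pw!r}: {predictable_patterns(pw) or 'no obvious pattern'}")
```

The similarity check deliberately ignores digits and symbols when comparing cores, because that is where people make their "changes"; an edit-distance threshold of 3 catches the one-character increments that password-history rules based on exact matching miss. The pattern scanner is a small subset of what a library such as zxcvbn checks, enough to reject the examples the list above mentions.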

Download Aspire’s Password Best Practices Checklist  

Strong passwords are essential, but they’re just one piece of a comprehensive cybersecurity strategy. To protect your organization, focus on layering your defenses. Enable multi-factor authentication, ensure regular software updates, and implement network monitoring to detect threats before they become breaches. 
 
Remember, your people are your first line of defense. Equip your team with the knowledge to recognize phishing scams, use secure practices, and stay vigilant against cyber threats. 

Aspire is here to help your organization navigate the evolving landscape of cybersecurity.  
 
Download the Password Best Practices Checklist and take the first step toward strengthening your defenses in 2025 and beyond. 


Glossary

Brute-force attack: A type of cyberattack that tries to guess a password by systematically trying every possible combination of characters.

Dictionary attack: A password-guessing attack that tries words from a list (leaked passwords, common words, phrases) and mangles them with rules such as appending digits or substituting look-alike characters, rather than trying every possible combination. Most real-world password cracking works this way.

Passphrase: A type of password that is made up of a string of words, rather than just letters and numbers. Passphrases are often easier to remember than traditional passwords.  

Password hygiene: The practice of creating and using strong, unique passwords. 

Complexity: In password security, complexity refers to a password’s unpredictability and randomness. A complex password uses a mix of different character types (uppercase, lowercase, numbers, symbols) in an unpredictable order, making it difficult to guess or crack. 

Diversity: Password diversity refers to the variety of characters used in a password. A diverse password includes a mix of uppercase letters, lowercase letters, numbers, and symbols. This increases the number of possible combinations, making it harder for attackers to guess. 

Zack Heckler

Zack Heckler is the Founder and President of Aspire Technology Solutions, which he established during his freshman year of college. With over two decades of experience since 2000, Zack guides the company's strategic direction, growth, and client experience, leveraging his B.S. in Computer Science and Engineering. He specializes in managing overall operations, strategic planning, cybersecurity design, and solution architecture for clients.