Password resources
A practical reference for building strong, memorable password habits — grounded in guidance from NIST, OWASP, PCI DSS, ISO/IEC 27001/27002, CIS, NCSC, and the FIDO Alliance. Use the jump links below to navigate.
Last reviewed: January 2026.
1. What the experts actually say
NIST SP 800-63B Rev. 4 (finalized 2024, U.S. federal digital identity standard) made several substantive changes. When a password is the only authenticator, verifiers must enforce a minimum length of 15 characters — a notable increase from the previous 8-character floor (which now applies only when the password is one factor inside MFA). Verifiers SHOULD allow at least 64 characters to support passphrases, permit any printable characters including spaces, and no longer require composition rules (“must contain a symbol”) or periodic rotation in the absence of evidence of compromise. The right approach is to screen new passwords against known-breached lists and force a reset only when there's evidence of compromise.
OWASP (Authentication Cheat Sheet, ASVS, current) aligns with NIST: minimum length over forced complexity, support long passphrases, block common and breached passwords, and pair the password with phishing-resistant MFA wherever possible.
PCI DSS v4.0.1 (published June 2024) increased the minimum length for cardholder-data-environment passwords from 7 to 12 characters, requires letters and numbers, and allows organizations to replace fixed 90-day rotation with a continuous, dynamic analysis of account access posture.
ISO/IEC 27001:2022 (Annex A control 5.17, “Authentication information”), with implementation guidance in ISO/IEC 27002:2022 control 5.17, doesn't prescribe a specific length. It requires an organization-wide policy for selecting, distributing, and managing authentication secrets — which in practice tracks NIST/OWASP.
CIS (Center for Internet Security) publishes a Password Policy Guide (current edition) that consolidates these into actionable defaults by account type — see the policy table below for a distilled version.
NCSC (UK) recommends the three random words approach as a user-friendly way to reach passphrase-grade length. A personalized quotephrase is the same idea with a more memorable seed.
Passkeys and the direction of travel
The biggest shift in 2023–2025 is the move toward phishing-resistant, passwordless authentication — passkeys built on FIDO2 / WebAuthn, now mainstream across Apple, Google, and Microsoft. NIST SP 800-63B Rev. 4 explicitly places phishing-resistant authenticators above password-plus-MFA, treating passwords as a floor rather than a ceiling. The guidance below applies wherever passwords still exist — but where a passkey option is offered, prefer it.
A practical policy
Longer passwords + less rotation + MFA + breach screening > short, frequently rotated, complex passwords.
| Use case | Minimum length | Complexity | Rotation | MFA |
|---|---|---|---|---|
| Personal accounts (email, social, shopping) | 16+ characters (passphrase) | No forced complexity; block known-breached passwords | Only on suspicion of compromise | Required where available (passkey preferred) |
| Workforce / SSO accounts | 14+ characters | Screen against breach corpora; allow all printable characters incl. spaces | No periodic rotation; rotate on indicator of compromise | Phishing-resistant MFA (FIDO2 / passkeys) |
| Privileged / admin accounts | 20+ characters or hardware-bound key | High-entropy passphrase or generated random; vaulted | Rotate on personnel change, suspected compromise, or per CIS guidance | Hardware MFA required |
| Service / machine accounts | 32+ characters, generated random | Full character set; stored in secret manager | Automated rotation tied to lifecycle / leak detection | N/A — use scoped credentials and short-lived tokens |
| Cardholder data env. (PCI DSS v4.0.1) | 12+ characters (was 7 in v3.2.1) | Letters + numbers required; screen against weak lists | Every 90 days OR continuous dynamic analysis of account access posture | MFA required for all access into the CDE |
Why personal accounts get a longer minimum than workforce/SSO: personal accounts typically lack enterprise MFA, conditional access, monitoring, and rapid incident response. They lean on length to compensate. Workforce accounts can use slightly shorter passwords because phishing-resistant MFA, SSO logging, and admin controls carry more of the security load.
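A verifier that applies the NIST Rev. 4 rules summarized above and takes a policy-table row's minimum as a parameter, with breach screening done the way the Have I Been Pwned k-anonymity range lookup works. This is an added example, not code from QuotePhrase or any of the cited bodies; the leaked-password corpus and its counts are constructed so the block runs offline.

```python
import hashlib
from typing import Callable

# NIST SP 800-63B Rev. 4 length floors: 15 characters when the password is the
# only authenticator, 8 when it is one factor inside MFA. No composition rules.
SINGLE_FACTOR_MIN = 15
MFA_FACTOR_MIN = 8

def policy_violations(password: str, *, mfa_present: bool, min_length: int = 0) -> list:
    """Reasons the password fails the length/character policy (empty list = accepted).
    `min_length` lets a policy-table row override the NIST floor, e.g. 12 for the PCI DSS CDE."""
    floor = min_length or (MFA_FACTOR_MIN if mfa_present else SINGLE_FACTOR_MIN)
    problems = []
    if len(password) < floor:
        problems.append(f"shorter than {floor} characters")
    # Spaces and every other printable character are allowed; only control characters are rejected.
    if any(not ch.isprintable() for ch in password):
        problems.append("contains non-printable characters")
    return problems

def parse_range_response(body: str) -> dict:
    """Parse a Pwned Passwords range response: one 'HASH_SUFFIX:COUNT' entry per line."""
    counts = {}
    for line in body.splitlines():
        if ":" in line:
            suffix, count = line.strip().split(":", 1)
            counts[suffix.upper()] = int(count)
    return counts

def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """k-anonymity lookup: only the first 5 hex chars of the SHA-1 leave the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return parse_range_response(fetch_range(digest[:5])).get(digest[5:], 0)

# Constructed stand-in for the range endpoint so the example runs offline: a tiny
# leaked-password corpus with made-up counts, answered by hash prefix like the real API.
CONSTRUCTED_LEAKS = {"password": 9_000_000, "to be or not to be that is the question": 40}

def fake_fetch_range(prefix: str) -> str:
    lines = []
    for leaked, count in CONSTRUCTED_LEAKS.items():
        digest = hashlib.sha1(leaked.encode("utf-8")).hexdigest().upper()
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)

def verify(password: str, *, mfa_present: bool, fetch_range=fake_fetch_range, min_length=0) -> list:
    """Full verifier decision: length/character policy plus breach screening."""
    problems = policy_violations(password, mfa_present=mfa_present, min_length=min_length)
    seen = breach_count(password, fetch_range)
    if seen:
        problems.append(f"appears {seen} times in breach corpora")
    return problems
```

Against the live service, `fetch_range` would be an HTTPS GET of `https://api.pwnedpasswords.com/range/<prefix>`; the rest of the logic is unchanged.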
2. Length vs. crack time
Two things matter more than any single number:
- Each added character multiplies the attacker's work far more than adding a symbol to a short password does. Length beats complexity.
- What actually determines crack time is predictability, not length alone. Hive Systems notes that non-random passwords are much easier and faster to crack because humans are predictable — a password built from a known phrase, common words, or anything found in a past breach is tried first, long before brute force begins. A famous movie line used as-is does not get the protection its length suggests. This is the whole reason the personalization step on QuotePhrase exists.
Bottom line: a long passphrase beats a short, tortured “P@ssw0rd!” on both security and memorability — but only once it's no longer a verbatim, well-known quote. Length plus unpredictability is what wins. That's the whole point of QuotePhrase, and why QuotePhrase is designed for the one password you must memorize: your password-manager master password. Every other site should get a manager-generated random password.
Source: Hive Systems 2025 Password Table, modeled against bcrypt (not fast hashes like MD5). Real-world crack time depends on the hash algorithm, its work factor, salting, and hardware.
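A worked version of this section's argument, added here rather than taken from Hive Systems or QuotePhrase: a verbatim well-known phrase is charged its position in a (constructed) wordlist, anything else is charged the full brute-force space for the character classes it uses, and a timed PBKDF2-HMAC-SHA256 derivation stands in for the bcrypt work factor to turn guesses into years. The wordlist, the 10,000-guesser parallelism and the personalized sample phrase are assumptions.

```python
import hashlib
import math
import os
import time

# Constructed stand-in for an attacker's wordlist of well-known quotes, tried before brute force.
KNOWN_PHRASES = [
    "to be or not to be that is the question",
    "may the force be with you",
]

def alphabet_size(password: str) -> int:
    """Character set a brute-force attacker must cover, from the classes actually present."""
    size = 0
    size += 26 if any(c.islower() for c in password) else 0
    size += 26 if any(c.isupper() for c in password) else 0
    size += 10 if any(c.isdigit() for c in password) else 0
    size += 1 if " " in password else 0
    size += 32 if any(not (c.isalnum() or c == " ") for c in password) else 0  # punctuation
    return size

def worst_case_guesses(password: str, known_phrases=KNOWN_PHRASES) -> int:
    """A verbatim well-known phrase costs its position in the wordlist; anything else
    is charged the full space alphabet ** length. This is why length alone is not enough."""
    if password in known_phrases:
        return known_phrases.index(password) + 1
    return alphabet_size(password) ** len(password)

def entropy_bits(password: str) -> float:
    return math.log2(worst_case_guesses(password))

def seconds_per_guess(iterations: int) -> float:
    """Wall-clock cost of one PBKDF2-HMAC-SHA256 derivation (stdlib stand-in for bcrypt):
    the defender's work factor, and what the attacker pays per candidate."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"timing probe", os.urandom(16), iterations, dklen=32)
    return time.perf_counter() - start

def years_to_exhaust(password: str, per_guess: float, parallelism: int) -> float:
    return worst_case_guesses(password) * per_guess / parallelism / (365 * 24 * 3600)

if __name__ == "__main__":
    per_guess = seconds_per_guess(600_000)  # iteration count mentioned later on this page
    for pw in ("P@ssw0rd!", "may the force be with you", "may the force be with you, Dad, 2009"):
        print(f"{pw!r}: {entropy_bits(pw):.1f} bits, "
              f"{years_to_exhaust(pw, per_guess, 10_000):.3g} years with 10,000 parallel guessers")
```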
3. Why use a password manager
The single biggest password-related risk is reuse. When one site is breached — and eventually one will be — attackers replay the leaked email/password pair against every other service (“credential stuffing”). A password manager makes it practical to have a unique, long, random password for every site without having to remember any of them.
Where QuotePhrase fits: a quotephrase is for the one password you must memorize — your vault's master password. Everything else should be generated by the manager as random 20–32 character strings. You don't memorize them; you don't type them; you don't reuse them.
The pattern that works:
- Memorize one personalized passphrase (this is what QuotePhrase helps with) and use it as your master password.
- Add MFA to the vault itself — ideally a hardware key (YubiKey) or passkey.
- Let the manager generate a unique 20–32 character random password for every other account. You never type or memorize them.
- Use breach monitoring (most managers include it) so you're alerted to rotate specific credentials when a site is compromised.
The trade-off to understand: reputable password managers are zero-knowledge by design — the vendor cannot read your vault, and (intentionally) cannot recover it if you forget your master password. A forgotten master password usually means unrecoverable data. Write your master passphrase down once, store it somewhere physically safe, and rely on muscle memory after that.
A few managers worth knowing
Informational, not an endorsement. Evaluate each against your own threat model and review the vendor's most recent security disclosures. Last reviewed: January 2026.
Open-source, generous free tier, self-hostable. Strong default for individuals and small teams.
Polished UX, families and business plans. Secret Key adds a device-bound second factor to your master password.
Enterprise-focused with strong admin controls, SSO, and compliance reporting (SOC 2, FedRAMP).
Widely used. The 2022 breach is instructive: vault data was exfiltrated, and reporting linked subsequent attacks to vaults whose master passwords were weak or whose PBKDF2 iteration count was left at the legacy default of 5,000 (later raised to 600,000). The lesson — applicable to every vault — is that vault security depends on a strong master passphrase and a high KDF iteration count.
Web-first manager with built-in VPN and dark-web monitoring on paid plans.
Free, fully local vault file. You manage sync (e.g. via your own cloud). Best for users who want zero vendor trust.
References
Last verified: January 2026.
- NIST SP 800-63B Rev. 4 (current, finalized 2024) — U.S. federal authenticator standard. Source for the 15-character single-factor minimum, no-forced-rotation, and no-composition-rules guidance.
- NIST SP 800-63B (Rev. 3, historical) — Previous revision, superseded by Rev. 4. Kept here for historical reference.
- OWASP Authentication Cheat Sheet — Practical implementation guidance for password and authentication design.
- OWASP Application Security Verification Standard (ASVS) — Verification requirements for authentication controls at multiple assurance levels.
- PCI DSS v4.0.1 Document Library (June 2024) — Current PCI standard. Source for 12-character minimum in the CDE and the dynamic-analysis alternative to 90-day rotation.
- ISO/IEC 27001:2022 (Annex A 5.17) and ISO/IEC 27002:2022 (control 5.17) — 27001 mandates the control; 27002 provides the authentication-information implementation guidance.
- CIS Password Policy Guide — Consolidated, account-type-aware defaults; the basis for the policy table above.
- CIS Critical Security Controls — Broader controls framework that contextualizes account-management requirements.
- NCSC (UK) — Three Random Words — User-friendly guidance for memorable passwords, directly compatible with a quote-based seed.
- FIDO Alliance — Passkeys — The standards body behind passkeys / WebAuthn, the phishing-resistant successor to passwords.
- Hive Systems Password Table — Annual brute-force-time estimates. Note: the 2024+ table uses bcrypt; figures vary significantly by hash algorithm.
- Have I Been Pwned — breach & password exposure check — Free tool to check whether an email or password appears in known breach corpora.
QuotePhrase is not affiliated with the organizations or products listed above.