
Shattering the Myths of Password Rules Cheat Sheet by pryl

Your old password habits are failing. Unlearn the outdated myths and upgrade your digital security with this modern guide.

Myth #1: At least 1 digit, 1 uppercase letter, ...

Myth: Making safe-looking short passwords that satisfy all the dumb rules set by a website will somehow provide protection.

Truth:
There are plenty of such rules, and they don't guarantee that a password is safe. https://dumbpasswordrules.com/sites/

To achieve real security, focus on entropy: the actual randomness and length of your credential. The longer and more unpredictable the string, the higher its entropy and the harder it is to break.

Instead of the traditional "8 characters with one capital, one number and one symbol", aim for a minimum of 16 characters. 8-9 character passwords are simply not long enough.

A long string of 5 to 6 unrelated words is extremely difficult for brute-force tools to crack, yet easy for humans to remember (e.g., Horse-Purple-Hat-Run-Bay or CorrectHorseBatteryStapleTrainAlien).
https://xkcd.com/936/

You can check how long it would take an attacker to crack your password: https://lowe.github.io/tryzxcvbn/
Don't worry: it is a web app that runs entirely in your browser; nothing is transferred to a server.
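To make the contrast between "satisfies the rules" and "has entropy" concrete, here is an added example (not part of the original cheat sheet) that scores a few candidates three ways: the classic composition rule, the length-first policy the sheet recommends, and a character-pool entropy estimate. COMMON_PASSWORDS is a constructed stand-in for the most-common-passwords list, and the 1e10 guesses per second cracking rate is an assumption for illustration.

```python
import math
import string

# Constructed stand-in for a "most common passwords" list (lowercased).
COMMON_PASSWORDS = {"123456", "password", "p@ssw0rd", "qwerty", "123@9"}


def pool_size(pw: str) -> int:
    """Size of the character pool a random generator would have drawn from."""
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(c in string.punctuation or c == " " for c in pw):
        pool += 33  # 32 ASCII punctuation marks plus space
    return pool


def charset_entropy_bits(pw: str) -> float:
    """Entropy if every character were chosen uniformly at random from the pool.

    This overstates human-chosen passwords such as P@ssw0rd, which is why the
    common-list check below matters as much as the number itself.
    """
    if not pw:
        return 0.0
    return len(pw) * math.log2(pool_size(pw))


def meets_composition_rules(pw: str) -> bool:
    """The 'dumb rule': 8+ characters with an uppercase letter, a digit and a symbol."""
    return (len(pw) >= 8
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def meets_length_policy(pw: str, minimum: int = 16) -> bool:
    """The rule the sheet recommends instead: length first, no composition requirements."""
    return len(pw) >= minimum


def in_common_list(pw: str) -> bool:
    return pw.lower() in COMMON_PASSWORDS


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to try the whole space at an assumed offline cracking rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def assess(pw: str) -> dict:
    """Combine the three views; a password on the common list is treated as instantly guessed."""
    bits = charset_entropy_bits(pw)
    return {
        "composition_rules": meets_composition_rules(pw),
        "length_policy": meets_length_policy(pw),
        "common": in_common_list(pw),
        "entropy_bits": round(bits, 1),
        "years_to_exhaust": 0.0 if in_common_list(pw) else years_to_exhaust(bits),
    }


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "Horse-Purple-Hat-Run-Bay", "123@9"):
        print(candidate, assess(candidate))
```

P@ssw0rd passes the composition rule yet sits on every cracking wordlist, while the five-word passphrase fails the rule (no digit) and is the far stronger credential; the pool-entropy number is only meaningful for strings that were actually generated at random.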

Myth #2: Never write down a password

Myth: Written passwords can be stolen.

Truth: Never fear writing your passwords down. Ironically, the dread of a physical thief causes people to create weak, easily hackable passwords.
Security professionals agree: it is vastly safer to write complex, 16-character passwords in a physical notebook kept secure at home than to memorize weak passwords.

Myth #3: The Password Rotation

Myth: It's always a good idea to change your password every few months.

Truth: Don't bother changing your password on a schedule. Sites that require 90-day (or whatever) password changes do more harm than good. Unless you think your password might be compromised, don't change it.
Check whether your password has already appeared in a historical data leak: https://haveibeenpwned.com/Passwords

A survey of 200 people conducted by the security outfit HYPR has some alarming findings.
Not only did 72% of users admit that they reuse the same passwords in their personal life, but 49% admitted that when forced to update their passwords at work they reused the same one with a minor change.
Forced changes don't trick hackers; they just exhaust users into creating predictable patterns that automated cracking tools guess. Keep a strong password until a breach actually demands a change.
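The Have I Been Pwned check linked above works without sending the password anywhere: the client hashes it with SHA-1, sends only the first five hex characters, receives every hash suffix sharing that prefix, and does the match locally (k-anonymity). The following is an added example of that exchange, not code from the cheat sheet or from the HIBP project. PWNED_RANGE_URL is the real range endpoint; CONSTRUCTED_RANGES is a made-up response (the count 123456 is invented) so the example runs offline.

```python
import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real endpoint


def sha1_hex_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range_response(text: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines (35 hex chars, colon, decimal count) into a dict."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if sep and count.strip().isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range) -> int:
    """Breach occurrences for the password; 0 means not present in the data set.

    Only the 5-character prefix is handed to fetch_range; the suffix never leaves here.
    """
    digest = sha1_hex_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_http(prefix: str) -> str:
    """Real network fetch; not exercised by the offline demo below."""
    req = urllib.request.Request(PWNED_RANGE_URL + prefix,
                                 headers={"User-Agent": "password-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the API. SHA-1("password") is
# 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so its prefix is 5BAA6 and its
# suffix is the first entry; the counts are invented.
CONSTRUCTED_RANGES = {
    "5BAA6": ("1E4C9B93F3F0682250B6CF8331B7EE68FD8:123456\r\n"
              "0123456789ABCDEF0123456789ABCDEF012:2\r\n"),
}


def fetch_range_offline(prefix: str) -> str:
    return CONSTRUCTED_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "Horse-Purple-Hat-Run-Bay"):
        n = pwned_count(pw, fetch_range_offline)
        print(f"{pw!r}: seen {n} times" if n else f"{pw!r}: not in the constructed set")
```

Swap `fetch_range_offline` for `fetch_range_http` to query the live service; the prefix reveals nothing useful about the password, because roughly a million possible passwords share each one.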

How Passwords Get Compromised

Phishing: Attackers don't always hack their way in; often, they just ask. Phishing involves deceptive emails, fake login pages, or spoofed messages designed to trick you into voluntarily typing your credentials directly into a hacker's database.

Network sniffers: If you connect to insecure or unencrypted Wi-Fi (like public hotspot networks), attackers can deploy "sniffers". This software intercepts data moving through the airwaves, capturing any passwords transmitted in plain text.

Keyloggers: This malicious software or hardware silently infects a device to record every single keystroke you type. It captures your master passwords and PINs in real time, completely bypassing browser encryption.

Brute force or cracking: Using specialized software, hackers cycle through millions of character combinations or known common-phrase lists per second until they guess the correct match.

Weak passwords: Short, predictable passwords that are just too easy to guess. Here's a list of some of the most common and unsafe passwords: https://en.wikipedia.org/wiki/List_of_the_most_common_passwords

Reuse of passwords and use of compromised passwords: Reusing identical combinations across multiple platforms, or continuing to use a phrase after it has appeared in a known public data leak.

Clear-text passwords in code and config files: Leaving passwords written in plain, unencrypted text inside software source code or system configuration files, where anyone with server access can read them.

Diceware method

The Diceware method ensures that the words you pick are actually random rather than what you think is random. The resulting passphrases are also very easy to remember.
When using this method, make sure that the passphrase is at least 6 words long.
Passphrases of six words or more are considered safe for online banking or high-security applications.
Four words only provide about the same entropy as an 8-character password made up of random ASCII characters.

According to Reinhold, the creator of Diceware, six words may be breakable by an organization with a very large budget, such as a large country's security agency. Seven words and longer are unbreakable with any known technology, but may be within the range of large organizations by around 2030. Eight words should be completely secure through 2050.

Here's a good explanation of how this method works by Computerphile:
Diceware & Passwords - https://www.youtube.com/watch?v=Pe_3cFuSw1E

Interested in learning more about Diceware: https://theworld.com/reinhold/dicewarefaq.html
The Diceware method is even recommended by the EFF: https://www.eff.org/dice

Here are some Diceware lists you can use:
https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt
https://www.eff.org/files/2016/09/08/eff_short_wordlist_1.txt
https://www.eff.org/files/2016/09/08/eff_short_wordlist_2_0.txt
https://www.rubin.ch/pgp/diceware.doc
https://theworld.com/%7Ereinhold/beale.wordlist.asc
https://docs.google.com/spreadsheets/d/1KzFglmCKr4Q8AWOFE5QFywOuSdRA_DDFs1M9BFXGZL4/edit?usp=sharing
https://web.archive.org/web/20080312042519/https://www.ibm.com/developerworks/library/s-pass2/index.html

If you are lazy, or just don't want to make the effort to roll the dice, use these alternatives: https://www.mouseware.org/
https://diceware.rempe.us/#eff
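The Diceware procedure above (five dice rolls per word, looked up in a 7776-line list) and the entropy figures in the Diceware section, as an added example that is not part of the cheat sheet or of the EFF's own tooling. SAMPLE_WORDLIST is a constructed excerpt in the EFF file format ("five dice digits, tab, word"); `roll_key` stands in for physical dice using the CPU's cryptographic random source, and a full list is assumed for real use.

```python
import math
import secrets

# Constructed excerpt in the EFF wordlist format; the real file has 7776 lines,
# one for every outcome of five six-sided dice.
SAMPLE_WORDLIST = """\
11111\tabacus
11112\tabdomen
11113\tabdominal
11114\tabide
11115\tabiding
11116\tability
11121\tablaze
11122\table
"""
EFF_LIST_SIZE = 6 ** 5  # 7776 entries in the large list


def parse_wordlist(text: str) -> dict:
    """Map each five-digit dice key to its word; blank lines are ignored."""
    words = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, word = line.split("\t", 1)
        words[key.strip()] = word.strip()
    return words


def roll_key(n_dice: int = 5) -> str:
    """Five dice rolls as a key such as '31562'; secrets, never random, for this."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(n_dice))


def diceware_passphrase(wordlist: dict, n_words: int = 6, roll=roll_key) -> str:
    """Roll until n_words are drawn. With a complete list every roll hits; with an
    excerpt a missing key is simply rerolled, which keeps the draw uniform over
    the words that are present."""
    words = []
    while len(words) < n_words:
        key = roll()
        if key in wordlist:
            words.append(wordlist[key])
    return " ".join(words)


def passphrase_entropy_bits(list_size: int, n_words: int) -> float:
    """Each word drawn uniformly from list_size words contributes log2(list_size) bits."""
    return n_words * math.log2(list_size)


def random_ascii_entropy_bits(length: int, pool: int = 95) -> float:
    """Entropy of a truly random string over the 95 printable ASCII characters."""
    return length * math.log2(pool)


if __name__ == "__main__":
    wl = parse_wordlist(SAMPLE_WORDLIST)
    print("sample passphrase (excerpt list):", diceware_passphrase(wl, 6))
    for n in (4, 5, 6, 7, 8):
        print(f"{n} words from the EFF list: {passphrase_entropy_bits(EFF_LIST_SIZE, n):.1f} bits")
    print(f"8 random ASCII characters: {random_ascii_entropy_bits(8):.1f} bits")
```

Four words from the 7776-word list come to about 51.7 bits, essentially the 52.6 bits of eight random printable-ASCII characters, which is the comparison the section makes; six words give about 77.5 bits. To use a real list, pass the downloaded file's contents to `parse_wordlist`.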
 

Passwords and their strengths

Password              Strength score
elephant1234          58
cat-walrus_traiN      100
/*-+.\][ -            44
doggo007              35
9452718465            26
trainNo.#4886         84
123@9                 19
!smartkittly99%       91
sId                   7
Fast&furiou$          75
*daydreamer           61

Myth #4: The Passwordless

Myth: One can completely eliminate passwords by switching to FaceID or fingerprint readers.

Truth: Biometrics replace usernames, not passwords. Your face or fingerprint identifies who you are, but your biometrics aren't a secret. Passwords are secrets.

Passwordless means passwords will be used less. It doesn't mean they disappear completely.

Password cracking

There are commercial programs that do password cracking, sold primarily to police departments. There are also hacker tools that do the same thing, like https://openwall.com/john/
As computers have become faster, they're able to test more passwords per second: tens of millions per second. These crackers might run for days, on many machines simultaneously. For a high-profile police case, they might run for months.

The efficiency of password cracking depends on two largely independent things: computing power and cleverness (the ability to guess passwords intelligently, e.g. trying the most common passwords first).

How to Choose a Password - Comput­erphile

Use Password generators

How to store Passwords

A password manager is a software program that prevents password fatigue by automatically generating, autofilling, and storing passwords. Here are some you can download and use for free:

RoboForm: It has been a reliable name in password management since 1999. Its free version offers great value with unlimited logins on a single device, and college students can even grab a full year of premium for free. For users on the move, it features a unique portability option that lets you run the app directly from a USB drive across different computers.

Bitwarden: Offers a transparent, community-vetted architecture ideal for modern, secure syncing across devices.

KeePass: Provides total isolation by storing passwords strictly in a local, encrypted database (no automatic syncing). As FOSS, its massive ecosystem of third-party plugins allows endless functionality extensions across almost any device, browser, or platform.

Definitely use MFA

If a site offers multi-factor authentication (MFA), seriously consider using it. It adds a critical extra layer of defense by requiring multiple pieces of evidence to prove your identity:
What you know: passwords, PINs, or security questions.
What you have: mobile apps (software tokens), hardware keys, OTPs sent by SMS or email, or digital certificates.
Who you are: biometrics like fingerprints or facial recognition.
Where you are: location-based checks like your IP address or GPS.
