Good password practices

You can always do more to protect your customers' data and your brand's reputation against data breaches and cyber-attacks. This resource can help you enhance the overall account security for your brand and raise awareness about the latest password best practices released by the National Institute of Standards and Technology (NIST).

The following Strivacity password quality settings, aligned with NIST's 800-63 cybersecurity framework, are the most effective for creating secure passwords:


Strivacity also supports long-standing but less effective password security practices that are not part of NIST recommendations, such as regular password updates or password complexity rules.

Breached password detection

Millions of passwords fall into the hands of bad actors due to frequent data breaches. Breached passwords pose the number one security risk to accounts: users can unknowingly pick exposed passwords, paving the way for credential stuffing and other account takeover attacks. Luckily, white-hat actors exist who can take this large set of exposed data and employ it for better account security.

Breached password detection—relying on the open-source Have I Been Pwned (HIBP) breached password package—prevents customers from using passwords that have been exposed in the past. By activating this feature, you eliminate a vulnerability that poses serious threats to accounts. Once enabled, Strivacity will automatically screen user-provided passwords against a vast database of leaked passwords.

Length over complexity

Increasing the length of a password adds more to security than squeezing a few upper-case letters and symbols into the shortest possible character string.


You can set the minimum length of a password in password strength settings. Strivacity doesn't allow for passwords shorter than 8 characters by default.

Hard-to-guess passwords

One way of not giving malicious attackers a head start is to reduce the predictability of passwords. For this reason, personal identifying information should never be included in passwords, no matter how convenient it seems.


Password guessing avoidance can be effectively applied to generate better passwords.

Password managers

Password managers can stop people from using the same password across multiple platforms. These services store various sign-in credentials encrypted for dozens of accounts, sparing users quite a few headaches. Secure passwords are generated in no time.

Strivacity supports password suggestions coming from password manager services by default.


There are plenty of password manager services available, from convenient in-browser tools to cross-browser commercial applications. Customers only have to find which one works best for them.


You also have the option to eliminate all the hassle that comes with password-based authentication by simply going passwordless.

With the release of the FIDO2 standards-based protocol, the rise of biometric-capable devices, and the widespread use of roaming authenticators, passwordless authentication is becoming a viable option for more and more companies and an everyday convenience for users.

You too can tap into passwordless workflows and device-based authentication with Strivacity's FIDO authentication support.

Other password practices

In case your organization needs further password practices, such as regular password reset, or specific password strength settings, such as sequential character restriction, you can incorporate these practices into your requirements.

Strivacity supports these widely recognized practices but, adhering to NIST guidelines, does not recommend them. They are no longer part of recommended password practices because they have proven over time to be ineffective at achieving ideal password security.

About password strength

Apart from the minimum password length requirement, Strivacity does not recommend other password complexity requirements. They can create a bad experience for customers and drive them to create predictable passwords such as 'Password123!'.


We recommend a minimum password length plus enabling breached password detection for a good balance of security and usability.
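An added example (not Strivacity's code) of the recommended combination: a minimum-length check plus a breached-password lookup. It assumes the Pwned Passwords range format, in which a 5-character SHA-1 prefix maps to `SUFFIX:COUNT` lines; the corpus, its counts and `fetch_range` are constructed for illustration.

```python
import hashlib

MIN_LENGTH = 8  # default minimum length stated on this page

# Constructed sample corpus (password -> times seen), standing in for HIBP data.
SAMPLE_BREACHED = {"Password123!": 4521, "qwertyuiop": 98765, "letmein2020": 312}


def sha1_upper(password: str) -> str:
    # SHA-1 is only the lookup key of the breach corpus, never a storage hash.
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_ranges(corpus: dict) -> dict:
    """Index the corpus as range responses: prefix -> 'SUFFIX:COUNT' lines."""
    ranges = {}
    for password, count in corpus.items():
        digest = sha1_upper(password)
        ranges.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")
    return {prefix: "\r\n".join(lines) for prefix, lines in ranges.items()}


RANGES = build_ranges(SAMPLE_BREACHED)


def fetch_range(prefix: str) -> str:
    """Hypothetical lookup: only the 5-character prefix is disclosed to it."""
    return RANGES.get(prefix, "")


def breach_count(password: str) -> int:
    """Return how often the password appears in the breach data (0 if absent)."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate.strip() == suffix:
            return int(count)
    return 0


def check_password(password: str) -> list:
    """Return the rejection reasons; an empty list means the password is accepted."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    seen = breach_count(password)
    if seen:
        reasons.append(f"found in breached-password data ({seen} times)")
    return reasons
```

'Password123!' satisfies typical complexity rules yet is rejected by the breach lookup, while a long passphrase with no symbols or capitals is accepted.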

Regular password resets

Although a long-standing practice, password lifetime has little to no security benefit. Users usually make small and predictable changes when forced to update passwords, virtually re-creating the same one. They can also recycle previously used passwords for convenience if no restrictions apply. This could pose security threats to accounts if a password is commonly known or has been compromised in the past.

Password history settings

You can prevent the reuse of a set number of previous passwords, combined with a time period during which users are not allowed to pick previously used passwords. This way, users can't keep creating new passwords just to get back to their regular one.
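An added sketch of such a history check, not Strivacity's implementation. It assumes a candidate is blocked if it matches one of the last `HISTORY_COUNT` passwords or any password set within `HISTORY_WINDOW`; those names, their values, the PBKDF2 parameters and the sample history are all constructed for illustration.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

HISTORY_COUNT = 3                     # assumed: block the last 3 passwords
HISTORY_WINDOW = timedelta(days=365)  # assumed: block anything set in the past year
ITERATIONS = 600_000                  # assumed PBKDF2-HMAC-SHA256 work factor


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_entry(password: str, changed_at: datetime) -> dict:
    """A history entry holds salt, derived hash and timestamp, never the password."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt), "changed_at": changed_at}


def is_reused(candidate: str, history: list, now: datetime) -> bool:
    """True if the candidate matches an entry covered by the count or the window."""
    newest_first = sorted(history, key=lambda e: e["changed_at"], reverse=True)
    for position, entry in enumerate(newest_first):
        in_count = position < HISTORY_COUNT
        in_window = now - entry["changed_at"] <= HISTORY_WINDOW
        if not (in_count or in_window):
            continue  # outside both restrictions, so skip the costly derivation
        # Re-derive with the entry's own salt and compare in constant time.
        derived = hash_password(candidate, entry["salt"])
        if hmac.compare_digest(derived, entry["hash"]):
            return True
    return False


# Constructed sample history for one account.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
HISTORY = [
    make_entry("river-otter-lantern-42", NOW - timedelta(days=900)),
    make_entry("maple-quartz-bicycle-7", NOW - timedelta(days=500)),
    make_entry("velvet-comet-harbor-19", NOW - timedelta(days=400)),
    make_entry("copper-meadow-signal-3", NOW - timedelta(days=30)),
]
```

Because each entry has its own salt, the candidate has to be re-derived once per history entry, so the history length directly bounds the cost of every password change.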

Character restrictions

Not allowing repeating or sequential characters can also be a helpful technique for crafting passwords that are hard to crack.