KnowBe4 Password Policy

In 2022, KnowBe4 released its first e-book covering password attacks, defenses and what your corporate password policy should be. Here is a summary of their recommendations:

☑️​ Whenever possible, use phishing-resistant Multifactor Authentication (MFA).

☑️​ Use MFA and / or long passwords or passphrases to log on to your devices.

☑️​ If you can, use a password manager.

☑️​ 12-character, perfectly random, 4-class passwords defeat all known guessing/cracking attacks.

☑️​ If you must think up a password yourself, create a unique and long password or passphrase (at least 20 characters) for all sites and services.

I’m interested in how we translate this corporate-directed advice into something actionable for ordinary people, outside of organizations with infosec budgets.

Especially interesting is the fact that — as far as we’re aware — no one has cracked a 12-character, random 4-class password. I’ve circled that below in red . . . kinda rough . . . I’m no graphic designer, for sure!

Have you heard of this kind of password being cracked out in the wild?

Link to the KnowBe4 blogpost:

— Anthony Collette

Scroll to Top