What is a password policy and what makes a strong password?
Answer
A password policy defines the rules for creating and managing passwords in an organization. Modern guidance (NIST SP 800-63B) focuses on:

Length over complexity: a long passphrase (16+ characters) is stronger than a short, complex password.
No forced rotation: forced periodic changes lead to weak, predictable patterns (password1 → password2). Change a password only when compromise is suspected.
No composition rules: rigid rules (uppercase, numbers, special characters) reduce effective entropy because users satisfy them in predictable ways.
Check candidates against breached-password lists (for example the HaveIBeenPwned API).
MFA: the most effective additional control.

Characteristics of a strong password:
(1) Long (12-16+ characters minimum).
(2) Random (not dictionary words or predictable patterns).
(3) Unique (a different password for every site).
(4) Managed with a password manager (LastPass, 1Password, Bitwarden).
(5) Combined with MFA.

Avoid: dictionary words, personal information, sequential numbers, and common substitution patterns (P@ssw0rd).
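The following policy checker is an added example, not part of the original answer: it applies the NIST SP 800-63B points above (length floor, no composition rules, breached-list lookup, rejection of trivial patterns and personal context values). The breached list is a small constructed stand-in for the HaveIBeenPwned corpus, compared by SHA-1 hash the way the Pwned Passwords service does, and the `context` argument is an assumed parameter for values such as the username.

```python
"""Password-policy check in the NIST SP 800-63B style (added example)."""
import hashlib
import re

MIN_LENGTH = 16          # length over complexity
MAX_LENGTH = 64          # verifiers should accept long passphrases

# Constructed stand-in for a breached-password corpus (HIBP-style SHA-1 hashes).
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password1", "P@ssw0rd", "qwertyuiop123456", "letmeinletmein12")
}


def is_breached(password: str) -> bool:
    """HIBP-style check: hash locally and compare; never ship the cleartext."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest in BREACHED_SHA1


def has_trivial_pattern(password: str) -> bool:
    """Reject one character repeated 4+ times or a 4-digit ascending run."""
    if re.search(r"(.)\1{3,}", password):
        return True
    digits = "0123456789"
    return any(digits[i:i + 4] in password for i in range(7))


def check_password(candidate: str, context: tuple[str, ...] = ()) -> list[str]:
    """Return the list of policy violations; an empty list means accepted.

    `context` (assumed parameter) carries username, site name or similar
    personal values that must not appear inside the password."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(candidate) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if is_breached(candidate):
        problems.append("appears in breached-password list")
    if has_trivial_pattern(candidate):
        problems.append("contains repeated or sequential characters")
    lowered = candidate.lower()
    for word in context:
        if word and word.lower() in lowered:
            problems.append(f"contains personal/context value '{word}'")
    # Deliberately no uppercase/digit/symbol requirement: no composition rules.
    return problems
```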