The National Institute of Standards and Technology (NIST), founded in 1901, is now part of the U.S. Department of Commerce. NIST develops industry-wide frameworks and guidelines, including a range of cybersecurity recommendations and resources. It advises against the use of knowledge-based authentication methods, such as personal questions, due to their susceptibility to being easily guessed. Instead, NIST recommends three simple principles for securing passwords, PINs, and passphrases: they should be long, complex, and random.

• Long -- 15 characters minimum
• Complex -- hard for computers to guess, easy for humans to remember
• Random -- if a human can create it a computer can guess it.