Which of the following are components of a strong password based on general cybersecurity best practices? (Choose all that apply.)
(1) Does not contain a word that can be found in a dictionary.
(2) Contains no personal information about you, your family, or business that others might guess.
(3) Must be 25 characters or more.
(4) Contains numbers, symbols, and upper- and lowercase characters.
The Correct Answers and Explanation are:
According to cybersecurity best practices (e.g. NIST and CISA guidelines), a strong password typically:
- Avoids dictionary words (no plain words found in any dictionary).
- Avoids personal information (no birthdays, names, or easily-guessable personal/business data).
- Uses mixed characters (a combination of numbers, symbols, upper- and lowercase letters).
These features make passwords complex and unpredictable. For example, NIST’s SP 800-63B explicitly calls out “dictionary words” as values to reject when users create passwords, and CISA similarly warns “do not use words that can be found in any dictionary” and not to base passwords on personal info. Attackers use automated dictionary and social-guessing attacks, so avoiding common words and personal data thwarts those methods.
Mixing character types greatly expands the number of possible passwords and raises entropy. CISA’s guidance shows that a strong password might include upper/lowercase letters, digits and symbols (for example, a 28-character password mixing all these types). CISA also recommends using random strings of mixed-case letters, numbers, and symbols for maximal strength. (Modern NIST guidelines no longer require composition rules, but experts agree that such complexity makes passwords far harder to crack.)
Finally, memorability should not be sacrificed. Using a long passphrase or mnemonic helps. For instance, CISA suggests taking a phrase and using its first letters (e.g. “I like to play basketball” → “IlTpBb”, then adding a symbol/number to make “Il!2pBb”), which yields a non-dictionary, mixed-character password that is still memorable. In summary, best-practice passwords are long and unpredictable: no common words or personal hints, plus varied characters.
Selected: (1), (2), and (4). These match authoritative advice from NIST/CISA and security experts emphasizing complexity and memorability.
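To make the three selected criteria concrete, the following is an added example (not code from NIST, CISA, or the original answer) of a small policy checker that rejects dictionary words, rejects supplied personal terms, requires all four character classes, and estimates the entropy gain from mixing classes. The word list, the leetspeak substitution map, and the personal terms ("John", "1985") are constructed sample inputs; a real deployment would load a full dictionary or breached-password blocklist of the kind NIST SP 800-63B describes. The substitution-undoing step goes slightly beyond the text: it reflects that cracking wordlists already include "p@ssw0rd"-style variants, so a checker that only matches literal words misses them.

```python
import math
import string

# Constructed sample dictionary for illustration only; a real deployment
# would load a full dictionary / breached-password blocklist instead.
SAMPLE_DICTIONARY = {"password", "basketball", "welcome", "dragon",
                     "summer", "like", "play"}

# Common substitutions that cracking tools apply automatically, so that
# "p@ssw0rd" is treated as the dictionary word it really is (assumed map).
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(password: str) -> str:
    """Lowercase and undo leetspeak substitutions for matching purposes."""
    return password.lower().translate(LEET_MAP)


def contains_dictionary_word(password: str, dictionary=SAMPLE_DICTIONARY,
                             min_len: int = 4) -> bool:
    """True if any dictionary word of at least min_len letters appears in
    the password, either literally or after undoing common substitutions."""
    candidates = (password.lower(), normalize(password))
    return any(len(w) >= min_len and w in c
               for w in dictionary for c in candidates)


def contains_personal_info(password: str, personal_terms) -> bool:
    """True if any supplied personal term (name, birth year, employer, ...)
    appears in the password, case-insensitively."""
    candidates = (password.lower(), normalize(password))
    return any(t and t.lower() in c for t in personal_terms for c in candidates)


def character_classes(password: str) -> set:
    """Which of the four character classes the password uses."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def estimated_entropy_bits(password: str) -> float:
    """Upper-bound entropy, assuming each character was drawn uniformly from
    the pool formed by the classes actually used (26 + 26 + 10 + 32 at most).
    Each added class enlarges the pool and so the bits per character, which
    is the reason mixing character types raises strength."""
    classes = character_classes(password)
    pool = (26 * ("lower" in classes) + 26 * ("upper" in classes)
            + 10 * ("digit" in classes)
            + len(string.punctuation) * ("symbol" in classes))
    return len(password) * math.log2(pool) if pool else 0.0


def evaluate(password: str, personal_terms=()) -> list:
    """Return the list of policy violations; an empty list means the
    password satisfies all three selected criteria."""
    problems = []
    if contains_dictionary_word(password):
        problems.append("contains a dictionary word")
    if contains_personal_info(password, personal_terms):
        problems.append("contains personal information")
    if len(character_classes(password)) < 4:
        problems.append("does not mix upper, lower, digits and symbols")
    return problems


if __name__ == "__main__":
    # "Il!2pBb" is the CISA-style mnemonic from the explanation above; the
    # other passwords and the personal terms are constructed samples.
    for pw in ("Il!2pBb", "B@sketb4ll2024!", "J0hnDoe1985", "Xq9!mZtRv2"):
        print(f"{pw!r}: {estimated_entropy_bits(pw):.1f} bits,",
              evaluate(pw, personal_terms=["John", "1985"]) or "OK")
```

Running the block shows that "B@sketb4ll2024!" passes the character-class check yet is rejected once substitutions are undone, and that "J0hnDoe1985" fails on both personal information and missing classes, while the short mnemonic "Il!2pBb" passes all three criteria at roughly 46 bits of estimated entropy.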