Usernames & Passwords
If you must use a password that you need to remember and type in, use MFA (Multi-Factor Authentication).
If you must use a password and cannot use MFA, make sure the password is at least 14 characters in length (use longer if you can) and is randomly generated. Use a password manager (with a strong master password and/or MFA). If you can't cut & paste, use a password manager with autotype functionality (e.g. KeePass).
Use SSH key exchange for unattended accounts where possible, but make sure the private keys are secure: a private key on an unencrypted drive behind a login with a weak password is NOT secure. Use passphrases to compensate but, really, keep the keys secure.
Avoid use of password hints. If you have to use them (because an app forces you to), be mindful of how the information could be used to make hacking your password easier.
NOTE: This oft-cited XKCD scheme for generating passwords — string together individual words like “correcthorsebatterystaple” — is no longer good advice.
https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html
When it comes to composition and length, your password (mostly) doesn’t matter.
https://techcommunity.microsoft.com/t5/azure-active-directory-identity/your-pa-word-doesn-t-matter/ba-p/731984
SCRAM vs MD5
SCRAM = Salted Challenge Response Authentication Mechanism
MD5 is no longer considered secure.
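The difference between the two, as an added example (not code from this page or from any product it refers to): an unsalted MD5 digest, assumed here as the legacy scheme, next to the SCRAM-SHA-256 stored verifier and proof check defined in RFC 5802. The password, salts and simplified AuthMessage strings are constructed, and SASLprep normalization is skipped.

```python
import hashlib
import hmac

def md5_verifier(password: str) -> str:
    # Assumed legacy scheme: plain unsalted MD5 of the password.
    return hashlib.md5(password.encode()).hexdigest()

def _keys(password: str, salt: bytes, iterations: int):
    # RFC 5802: SaltedPassword = PBKDF2-HMAC(password, salt, i). SASLprep is skipped here.
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    return client_key, hashlib.sha256(client_key).digest(), server_key

def scram_verifier(password: str, salt: bytes, iterations: int = 4096):
    # The server stores only (salt, iterations, StoredKey, ServerKey), never the password.
    _, stored_key, server_key = _keys(password, salt, iterations)
    return stored_key, server_key

def client_proof(password, salt, iterations, auth_message: bytes) -> bytes:
    # ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)
    client_key, stored_key, _ = _keys(password, salt, iterations)
    sig = hmac.new(stored_key, auth_message, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(client_key, sig))

def server_verify(stored_key: bytes, proof: bytes, auth_message: bytes) -> bool:
    # Recover ClientKey from the proof and check H(ClientKey) == StoredKey.
    sig = hmac.new(stored_key, auth_message, hashlib.sha256).digest()
    recovered = bytes(a ^ b for a, b in zip(proof, sig))
    return hmac.compare_digest(hashlib.sha256(recovered).digest(), stored_key)

def demo() -> dict:
    pw = "constructed-sample-password"          # constructed sample value
    salt_a, salt_b = b"A" * 16, b"B" * 16       # constructed per-user salts
    msg1 = b"n=alice,r=nonce1,s=QUFB,i=4096"    # constructed stand-in for AuthMessage
    msg2 = b"n=alice,r=nonce2,s=QUFB,i=4096"    # a later session with a fresh nonce
    stored, _ = scram_verifier(pw, salt_a)
    proof = client_proof(pw, salt_a, 4096, msg1)
    return {
        "md5_same_for_two_users": md5_verifier(pw) == md5_verifier(pw),
        "scram_differs_by_salt": stored != scram_verifier(pw, salt_b)[0],
        "good_login": server_verify(stored, proof, msg1),
        "wrong_password": server_verify(stored, client_proof("guess", salt_a, 4096, msg1), msg1),
        "replayed_proof": server_verify(stored, proof, msg2),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two users with the same password get the same MD5 digest but different SCRAM verifiers, and a proof captured from one session does not verify against another session's nonce.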
Which one am I using?
Bibliography
https://en.wikipedia.org/wiki/Salted_Challenge_Response_Authentication_Mechanism
https://info.knowbe4.com/wp-password-policy-should-be
https://www.cisecurity.org/insights/blog/cis-password-policy-guide-passphrases-monitoring-and-more
usernames
https://security.stackexchange.com/questions/184344/why-use-usernames-and-not-just-email-addresses-to-identify-users/184347
https://security.stackexchange.com/questions/57762/log-in-with-email-is-more-secure-than-a-username/142717
https://stackoverflow.com/questions/1303575/what-are-the-pros-and-cons-of-using-an-email-as-a-username
https://www.rfc-editor.org/info/rfc8265
passwords
https://techcommunity.microsoft.com/t5/azure-active-directory-identity/your-pa-word-doesn-t-matter/ba-p/731984
https://www.microsoft.com/en-us/research/publication/password-guidance/
https://www.microsoft.com/en-us/research/wp-content/uploads/2016/06/Microsoft_Password_Guidance-1.pdf
https://www.microsoft.com/en-us/research/wp-content/uploads/2016/02/tr-2007-64.pdf (Do Strong Web Passwords Accomplish Anything?)
https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html
https://www.tomsguide.com/us/hacker-tool-keepass,news-21782.html