Password

Passwords remain the most common “something you know” factor and the weakest link — reused, phished, and guessed. Current NIST guidance favors length over forced complexity, drops mandatory periodic rotation (which pushes users toward weak patterns), and screens new passwords against known-compromised lists. Passwordless authentication (passkeys, FIDO2) is the long-term direction precisely because it removes the shared secret attackers target.