Project:Infrastructure/Password policy

Client-side requirements
When using password authentication to Gentoo services and other systems that affect Gentoo, please:
 * Use strong passwords to resist brute-force and guessing attacks: long (12 characters at the very least) and drawn from a diverse character set (lowercase and uppercase letters, digits, symbols).
 * Do not use passwords resembling dictionary words (in any language), names, dates or other publicly available information about yourself, nor their trivial combinations or transformations (appending a digit, swapping letters for look-alike symbols, reversing the word).
 * Do not ever use the same password for two different domains: when one site is compromised, the leaked password will be tried against every other site you use (credential stuffing). Plus, some sites even mail your password back in cleartext!
 * Do not ever write your password down or store it in cleartext on permanent storage.
 * If you really need to save it, make sure it's encrypted before writing and/or use tmpfs with appropriately restricted permissions (mode 0700, owned by your user). Note that tmpfs is memory-backed but its pages can still be written out to swap, so combine it with encrypted swap or no swap at all.
 * If you ever need to display it, make sure nobody can see it.
 * Use separate API keys for script use (rather than your main password) wherever available.
 * Enable two-factor authentication wherever supported. This will provide a second barrier if your password is compromised.
 * If there's even the slightest risk that the password could be compromised, rotate it!
   * Accidentally typing part of the password into your browser address bar counts as well (if it has suggestions enabled, the search provider just got your password).
   * If you had to use your password in an insecure location (e.g. somebody else's computer), rotating it is a good idea as well.
 * Even when you're unaware of any events that might compromise your password, rotating it periodically is a good practice.
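The length, character-set and "no dictionary words or trivial transformations" rules above can be checked mechanically before a password is put into use. The script below is an added example written for this page, not a Gentoo Infrastructure tool: it scores a candidate against those rules (undoing common look-alike substitutions so that "P4ssw0rd!" still counts as "password"), optionally checks it against personal tokens such as a name or birth year, and generates compliant passwords with the `secrets` module. The tiny wordlist is a constructed stand-in; in practice load /usr/share/dict/words or a list of known-breached passwords instead.

```python
import math
import re
import secrets
import string

# Constructed stand-in for a real dictionary / breached-password list
# (assumption: replace with /usr/share/dict/words or a leaked-password list).
DICTIONARY = {"password", "gentoo", "portage", "linux", "welcome",
              "summer", "dragon", "monkey", "qwerty"}

# Look-alike substitutions undone before the dictionary check, so that a
# "trivial transformation" such as "Summ3r" or "P4ssw0rd!" is still caught.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

CLASSES = {
    "lowercase": string.ascii_lowercase,
    "uppercase": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": string.punctuation,
}
MIN_LENGTH = 12   # "12 characters at the very least"
MIN_CLASSES = 3   # at least three of the four classes above


def classes_used(pw):
    """Names of the character classes that actually occur in pw."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in pw)}


def entropy_bits(pw):
    """Crude upper bound on guessing entropy: assume every position was
    drawn uniformly from the union of the classes that appear in pw."""
    alphabet = sum(len(CLASSES[n]) for n in classes_used(pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def resembles_known_word(pw, personal=()):
    """True if pw (lower-cased, and also with leet substitutions undone)
    contains a dictionary word or a personal token of 4+ characters,
    forwards or reversed."""
    forms = {pw.lower(), pw.lower().translate(LEET)}
    tokens = DICTIONARY | {t.lower() for t in personal}
    return any(len(t) >= 4 and (t in f or t[::-1] in f)
               for t in tokens for f in forms)


def check_password(pw, personal=()):
    """Apply the client-side rules; returns (ok, list_of_problems)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    used = classes_used(pw)
    if len(used) < MIN_CLASSES:
        problems.append(f"uses only {len(used)} character class(es): {sorted(used)}")
    if resembles_known_word(pw, personal):
        problems.append("resembles a dictionary word or personal information")
    if re.search(r"(19|20)\d\d", pw):
        problems.append("contains a year-like number")
    if len(set(pw)) < len(pw) // 2:
        problems.append("too many repeated characters")
    return (not problems, problems)


def generate_password(length=20):
    """Rejection sampling over printable ASCII: draw uniformly random strings
    with the CSPRNG until one passes check_password, so the output is uniform
    over policy-compliant passwords rather than biased by 'fix-up' rules."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    alphabet = "".join(CLASSES.values())
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if check_password(pw)[0]:
            return pw


if __name__ == "__main__":
    # Constructed sample candidates; "alice"/"1985" stand in for a user's own name and birth year.
    for candidate in ["P4ssw0rd!", "Gentoo2023!!", "Alice1985xyzQ!#", "x7$Lq!pW3zR#bN9k"]:
        ok, problems = check_password(candidate, personal=["alice", "1985"])
        print(f"{candidate!r}: ok={ok} entropy~{entropy_bits(candidate):.0f} bits {problems}")
    print("generated:", generate_password())
```

The entropy figure is an upper bound that only holds for passwords chosen uniformly at random; for a human-chosen password the dictionary and personal-token checks matter far more than the number, which is why the generator uses the CSPRNG and the checker rather than inventing its own composition rules.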