Link. Good reference for a practice most of us follow. NIST was supposed to update its guidance. Omits problem that passwords must be tappable. That’s a big one.