Update passwords to more directly reference using a password manager
deviantintegral authored Sep 26, 2024
1 parent c6198a7 commit 341aff0
Showing 1 changed file with 6 additions and 6 deletions.
12 changes: 6 additions & 6 deletions access/passwords.md
@@ -1,7 +1,7 @@
## PINs, Passcodes and Passwords

### Policy
Strong passwords should be used for access to any company accounts and services. We recommend creating passwords with a minimum of 16 characters and a combination of alphabetic, numeric and special characters.
Strong passwords should be used for access to any company accounts and services. We recommend creating most passwords with a password manager using the "Random Password" option with a minimum of 16 characters. Passwords that must be memorized should be a series of several random words, generated using a password manager's "Memorable Password" option.

### Scope
This policy applies to all Lullabot employees and contractors.
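Review bot: the new Policy line leaves the memorable-password case without a measurable minimum. The random-password case gets "a minimum of 16 characters", but the passphrase case only says "a series of several random words", which nobody can audit against. State a minimum word count for the "Memorable Password" case alongside the 16-character minimum. Also, "Random Password" and "Memorable Password" are quoted as if they were universal option names, but they are specific to whichever manager the company provides; a link to `../access/password_managers.md` (already referenced further down in this file) from the Policy section would make clear which tool those labels belong to. Dropping the old requirement for "a combination of alphabetic, numeric and special characters" is consistent with the Explanation section's point that length matters more than character classes.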
@@ -10,12 +10,12 @@ This policy applies to all Lullabot employees and contractors.
All employees and contractors are expected to create strong passwords for access to all Lullabot and client accounts.

### Explanation and Implementation
The first layer of defense that we have for our online accounts is the PIN, passcode, or password. As such, it is extremely important to use good, unique passwords, and keep them well protected. A good password consists of a fully random string, the longer the better. Contrary to popular belief, the inclusion of numbers, characters, or mixed case does not matter nearly as much as the length of the password itself.
The first layer of defense that we have for our online accounts is the PIN, passcode, or password. As such, it is extremely important to use good, unique passwords, and keep them well protected. A good password consists is hard for people to guess and machines to brute-force. Contrary to popular belief, the inclusion of numbers, characters, or mixed case does not matter nearly as much as the length of the password itself.

Because the human brain is not capable of remembering long random passwords, we need the help of some sort of tool, like a [Password Manager](../access/password_managers.md).
Because the human brain is not capable of remembering long random passwords, Lullabot provides access to a [Password Manager](../access/password_managers.md).

Now that you are using one of these tools (right?), it is important to make sure that you are not using the same password on multiple services. Consider the event that one of these sites has its security compromised, and your username/password are discovered. Now, how many other places use that same combination? Are some of those important? Like maybe your email or bank accounts? This is why it is so important to use different passwords for different services.
It is important to make sure that you are not using the same password for multiple services or accounts. Consider the event that one of these sites has its security compromised, and your username and password are discovered. Now, how many other places use that same combination, or easy to guess variations? Password leaks happen, and it is important that we defend our accounts and information from them as best we can.

Also, because you are now using one of these convenient tools, and would not be able to remember your passwords if you wanted to anyway, you might as well make them all super-secure. The length of a password is its primary strength. The longer it is, the stronger it is. These days, most security experts suggest passwords of 12-16 characters, minimum. But what does it matter to you if you are using copy/paste anyway? Crank those suckers up to 32 characters and be safe for the next millennium.
With the use of a password manager, you no longer need to memorize each password. Passwords will be filled automatically, or can be copied and pasted in. The length of a password is its primary strength. The longer it is, the stronger it is. While our policy states a minimum of 16 characters because some poorly designed systems do not allow for longer passwords, in most cases it is fine to go up to 20 or 30 characters long.

Finally, you should be wary of services that impose password limits, especially if they limit the length of the password. Any service that cares even a little about your security will store passwords using a well salted, secure hash which makes any password, regardless of length fit into a common length string. There is no excuse for a service to tell you that your password cannot be longer than 16 characters. If they do, they are most likely storing passwords insecurely, and if that is true, what other security protocols might they be skimping on?
Finally, you should be wary of services that impose password limits, especially if they limit the length of the password to less than 16 characters. While services may impose a large limit on password length (such as 32 or 64 characters), limiting passwords to low lengths or limited characters indicates they are not storing passwords securely.
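Review bot: the replacement for the third paragraph of the Explanation section contains a leftover from the edit: "A good password consists is hard for people to guess and machines to brute-force." should read "A good password is hard for people to guess and for machines to brute-force." Two smaller points in the same hunk. In the length paragraph, "our policy states a minimum of 16 characters because some poorly designed systems do not allow for longer passwords" reads as though the minimum exists because of those systems; a minimum is a floor, whereas the poor systems impose a ceiling, so consider "our policy states a minimum of 16 characters, since some poorly designed systems do not allow for longer passwords, but in most cases it is fine to go up to 20 or 30 characters". In the final paragraph, the rewrite drops the old text's rationale (a salted, secure hash turns any length of password into a fixed-length string, so there is no storage reason to cap length) and keeps only the conclusion that a low limit "indicates they are not storing passwords securely"; keeping that one-sentence explanation would let readers see why a short cap is a red flag rather than asking them to take it on faith.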
