Vendors of newer security tools such as biometric, token, and smartcard technologies can decrease confidence in passwords and might divert attention away from the fundamentals of good security practice, but there is no reason to stop trusting well-managed passwords. Token-based authentication generates a random series of digits for each login, so keylogging is useless for stealing passwords. Passwords, when done well, are almost as good as tokens, which are costly to implement as a system. Password best practice is best explained in terms of what not to do. IT should not leave the manufacturer's default usernames and passwords on newly installed systems, and password change frequency rules can be too short-term: people will write down passwords if they have to change them too frequently. Users should be educated about the use of passwords instead of being forced to change them frequently, which can lead to the creation of easier-to-remember and therefore more crackable passwords. Six months is probably a feasible change period. To prepare for a possible hit on the database that contains authentication information, companies should find out what their processes are for password encryption and for restricting access to password storage systems. A procedure should be in place so that if the store is compromised, the problem can be addressed effectively. Other topics related to effective password use covered here include the use of numbers and letters, the password as preferable for its flexibility, autonomy, and control, and security as a process rather than a device.