Toward Measuring Security and Usability for Passwords
Friday, October 2, 2015, 11:00 am-12:00 pm
Abstract

For 30 years, researchers have been trying to measure password security and get humans to make more secure passwords. However, due to inherent challenges in measuring security effectively, much of the prevailing wisdom about passwords has been based on guesses, assumptions, and hopes. For five years, our passwords team has been working to bring more rigor to the analysis of security and usability tradeoffs for passwords. In the process, we pioneered crowdsourced approaches for generating password data, evaluated how effectively these approaches reflect the real world, developed comprehensive new approaches to measuring password security in terms of intelligent attackers' guessing strategies, and developed recommendations for encouraging users to create secure and usable passwords. In this talk, I'll particularly highlight our work on improving how password research is done, both by analyzing how various sources of password data compare to real passwords "in the wild" and by examining how well popular security metrics correspond to the guessing effectiveness of real, professional password hackers.

This talk is organized by Jeff Foster