You’ve heard it all when it comes to creating hard-to-guess passwords. Use a mix of upper- and lower-case letters. Be sure to include special characters. Change your passwords every three months. These recommendations have created a messy alphabet soup of passwords for many people, who then get frustrated and constantly have to reset forgotten passwords. But there’s hope for a better way as experts are revising what it takes to have secure passwords.
The U.S. government’s National Institute of Standards and Technology (NIST) recently issued a new set of password guidelines, Special Publication 800-63B, and they change some of the advice we used to take for granted. While the guidelines are written for federal agencies, private businesses have adopted NIST’s recommendations in the past, so this could be the start of a major sea change in how passwords are handled.
This should come as a relief to people who struggle with managing their passwords and meeting all the esoteric requirements we’ve been told to use. Check out the latest tips for safe passwords:
Use a phrase
Bill Burr wrote the U.S. government’s original password guidance while at NIST in the early 2000s, and he is one reason we all use special characters, mixed case, and numbers. Now he’s a proponent of the passphrase: a string of words that you can easily remember but that is hard for an attacker to guess, because its length puts it far beyond the reach of a brute-force search.
The new NIST guidelines tell sites to accept passwords of at least 64 characters (longer is fine), to allow spaces between words, and to drop the old composition rules that force a mix of cases, digits, and symbols. The minimum stays at eight characters, and while many people stop at that bare minimum, length is the single biggest factor in how long a password takes to guess, so you get a much stronger password by stretching things out.
This means a totally new approach to passwords, where you could use your pets’ names from childhood, like “fluffy princess rex spike booboo chewie,” or all the streets on the way to your favorite restaurant, like “academy main washington ohio central.” Easy to remember. Hard to guess, as long as the combination isn’t something a stranger could piece together from your social media.
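To make the two points above concrete, here is an added example (not code from the article or from NIST) in Python. It places an old-style composition checker beside a checker that follows the rules described above (minimum eight characters, at least 64 accepted, spaces allowed, no composition rules), and it works out why a few random words beat a short jumble: the number of guesses an attacker must make grows with the length of the secret and the size of the vocabulary it was drawn from. The word list is constructed for the example; the 7776-word figure is the size of a standard Diceware list, and the 95-character alphabet is printable ASCII including the space.

```python
import math
import secrets
import unicodedata

# Constructed word list for the demo. A real Diceware-style list has 7776
# entries, which is what the strength figures below assume.
SAMPLE_WORDS = ["academy", "main", "washington", "ohio", "central",
                "fluffy", "princess", "rex", "spike", "booboo", "chewie",
                "harbor", "lantern", "quartz", "meadow", "cobalt"]
DICEWARE_LIST_SIZE = 7776
PRINTABLE_ASCII = 95  # letters, digits, punctuation and the space


def legacy_policy(password: str) -> list[str]:
    """The classic composition rules that the new guidance drops.
    Returns the list of reasons the password would be rejected."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if len(password) > 16:          # a cap many older sites imposed
        problems.append("longer than 16 characters")
    if " " in password:
        problems.append("contains a space")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(not c.isalnum() for c in password):
        problems.append("no special character")
    return problems


def nist_policy(password: str, max_len: int = 64) -> list[str]:
    """Verifier-side rules in the spirit of SP 800-63B: at least 8 code
    points, at least 64 accepted, spaces allowed, no composition rules.
    The password is never truncated; if it is too long it is rejected."""
    if max_len < 64:
        raise ValueError("a verifier must accept at least 64 characters")
    # Normalise so the same phrase typed on different keyboards compares equal.
    normalized = unicodedata.normalize("NFKC", password)
    problems = []
    if len(normalized) < 8:
        problems.append("shorter than 8 characters")
    if len(normalized) > max_len:
        problems.append(f"longer than the {max_len} characters this verifier accepts")
    return problems


def guess_bits(alphabet_size: int, length: int) -> float:
    """Bits of work to exhaust a secret of `length` symbols each chosen
    uniformly at random from `alphabet_size` possibilities."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """An attacker finds a random secret after trying half the space on average."""
    return 2 ** (bits - 1) / guesses_per_second


def random_passphrase(words: list[str], count: int = 5) -> str:
    """Choose words with the OS CSPRNG. The strength estimate only holds
    when the words are picked at random, not from personal memories."""
    return " ".join(secrets.choice(words) for _ in range(count))


def compare_strength() -> dict[str, float]:
    """Guessing work for the typical old-style password versus passphrases."""
    return {
        "8 printable ASCII chars": guess_bits(PRINTABLE_ASCII, 8),
        "5 random Diceware words": guess_bits(DICEWARE_LIST_SIZE, 5),
        "6 random Diceware words": guess_bits(DICEWARE_LIST_SIZE, 6),
    }


if __name__ == "__main__":
    phrase = "fluffy princess rex spike booboo chewie"
    print("legacy rules reject the passphrase for:", legacy_policy(phrase))
    print("NIST-style rules reject it for:", nist_policy(phrase) or "nothing")
    for label, bits in compare_strength().items():
        # Assume an offline attacker trying 10 billion guesses per second.
        years = expected_crack_seconds(bits, 1e10) / (365 * 24 * 3600)
        print(f"{label}: {bits:.1f} bits, about {years:.3g} years at 1e10 guesses/s")
    print("random passphrase:", random_passphrase(SAMPLE_WORDS))
```

The numbers only describe secrets chosen at random. A line from a song, a team slogan, or a phrase that attackers can find in a breach dump is in their wordlists already, so a passphrase built from personal words gets its strength from how unusual the combination is, not from the word count alone.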
Don’t change your password unless you have to
The old advice of changing your password at least every three months is now out the window. NIST’s Paul Grassi told the Institute of Electrical and Electronics Engineers, “Expiration isn’t a motivator to create a brand new password, it’s motivation to shift one character so you can remember the password.”
If you’ve created a strong password, then don’t worry about changing it out on a schedule. Stick with it unless you have reason to think it has been exposed: a breach notification from the site, a leak that included your login, or any sign that someone else has been in the account.
Choose something memorable for you
NIST calls passwords “memorized secrets.” The memorized part is important. You want to avoid the temptation to write down passwords, so pick a password that has enough meaning to you to stay in your mind. This is when phrases work very well.
It may take websites time to catch up to the latest NIST guidelines, but you can still create a memorable password that meets current restrictions. Go back to Burr’s advice on passphrases. You might choose something like “ArizonaCardinalsfootballisnumber1!” or “Igivemyjob100%everyday.” Those meet the usual requirements of at least eight characters, a digit, a special character, and upper- and lowercase letters.
Create passwords for categories of sites
Everyone has heard the advice to use a different password for every site, but few people follow it because it’s so difficult to remember a million completely different passwords. Grassi offers up a modified version of this, by recommending different passwords for different categories of sites.
For example, you would use one password for banking and credit card sites, a different password for online retailers, and still another password for your social media accounts. That way you can keep the number of passwords down to a reasonable amount. The trade-off is that a leak at any one site in a category exposes every other account that shares the password, and attackers routinely try leaked logins elsewhere, so if a password is compromised you must change it on every similar account, not just the site that was breached. A password manager removes the need to reuse at all.
This shift in password strategy is good news for everyone except cybercriminals. Long, easy-to-remember phrases can take the frustration out of managing your passwords. Your accounts will be more secure, you’ll spend less time fiddling with resets, and it will be far harder for someone to guess their way in.
The new NIST guidelines should trickle into the wider world outside the government, so we can look forward to password requirements that are both secure and sensible. In the meantime, you can go ahead and adopt passphrases and stop worrying about constantly coming up with new passwords.