- AARP Blog - https://blog.aarp.org -

New Rules for Password Protection

Photo Credit: iStock/Daviles

For more than a decade, we’ve been told to use “strong” passwords that combine upper- and lower-case letters, numbers and special characters. Not only must passwords be long and complex, the mantra went, but a different password was needed for each online account – changed to another unique (and mind-numbing) letters/numbers/symbols combination every 90 days or so.

Now, the man who originally developed those password rules in 2003 as official guidance for government employees says you should forget all that.

Why the takeback? Because following those %&$#?@!-inspiring but apparently misguided guidelines “just drives people bananas and they don’t pick good passwords no matter what you do,” Bill Burr, now 72 and retired from his job as a manager at the National Institute of Standards and Technology, told the Wall Street Journal.

Apparently, most folks couldn’t choose and remember dozens of criteria-meeting, jibberish-intended passwords like “jK&80+y$/hh#&9v+.” So they opted for something they could remember like “MyWe@kP&55w0rd1.” And when (or if) those passwords were updated, they made predictable changes like switching 1 to 2 for a newer “MyWe@kP&55w0rd2.” Hackers weren’t fooled.

Now, the NIST has new guidelines, written with Burr’s input. Passwords should be long and easy to remember, with no mandatory “combinations” or periodic changes. Although there’s no guarantee that NIST’s more user-friendly advice will be adopted by consumers or password-requiring websites, here are some specifics:



All good advice from NIST, but there’s more you can (and should) do for better, less-hackable passwords:


  1. Check ’em. Before selecting a password, do an online search of “Password Checkers” to gauge its strength. Also review frequently issued “Worst Passwords” lists for absolute no-nos – “password,” even tweaked, usually ranks high – and check if your passwords have been compromised against 306 million that have been. Meanwhile, a recent study by password manager Dashlane ranks popular websites on their password security policies.
  2. Vault ’em. A password manager removes the guesswork of having to remember many passwords. With these apps – some freebies and others with added features for up to $50 a year covering several devices – you need to remember only one master password (so make it good), and it remembers your log-in information at different websites. Some password managers also generate strong passwords, changed with each log-in.
  3. Reinforce ’em. With two-factor authentication, there’s an extra layer of security to vital digital accounts. To access your account, you supply two factors – your password (something you know) and something you have, such as your smartphone, fingerprint or iris scan. For instance, when you log in with your usual password, the two-factor authentication site sends your phone a six-digit code that must be entered before gaining access. Check twofactorauth.org for websites that offer two-factor authentication.


For information about other scams, sign up for the Fraud Watch Network. You’ll receive free email alerts with tips and resources to help you spot and avoid identity theft and fraud. Keep tabs on scams and law enforcement alerts in your area at our Scam-Tracking Map.

 Also of Interest

See the AARP home page for deals, savings tips, trivia and more.