For more than a decade, we’ve been told to use “strong” passwords that combine upper- and lower-case letters, numbers and special characters. Not only must passwords be long and complex, the mantra went, but a different password was needed for each online account – changed to another unique (and mind-numbing) letters/numbers/symbols combination every 90 days or so.
Now, the man who originally developed those password rules in 2003 as official guidance for government employees says you should forget all that.
Why the takeback? Because following those %&$#?@!-inspiring but apparently misguided guidelines “just drives people bananas and they don’t pick good passwords no matter what you do,” Bill Burr, now 72 and retired from his job as a manager at the National Institute of Standards and Technology, told the Wall Street Journal.
Apparently, most folks couldn’t choose and remember dozens of criteria-meeting, jibberish-intended passwords like “jK&80+y$/hh#&9v+.” So they opted for something they could remember like “MyWe@kP&55w0rd1.” And when (or if) those passwords were updated, they made predictable changes like switching 1 to 2 for a newer “MyWe@kP&55w0rd2.” Hackers weren’t fooled.
Now, the NIST has new guidelines, written with Burr’s input. Passwords should be long and easy to remember, with no mandatory “combinations” or periodic changes. Although there’s no guarantee that NIST’s more user-friendly advice will be adopted by consumers or password-requiring websites, here are some specifics:
- Passwords should be at least eight characters and up to 64 characters long. Longer is stronger, as password length is the best contributor to its strength.
- Rather than seeing a combination of letters, numbers and special characters as a requirement, emphasize what’s easy to remember (while long) – without forced combinations. Today’s leading advice by other experts is to create a memorable pass phrase or sentence in the double digits, such as “Rufus has loved belly rubs since puppyhood,” a line from a favorite song, or combining nonsensical words such as “OceanographicPeachesSimplicity.”
- Forget the 90-day rule (as if you really followed it), the Federal Trade Commission advised last year, because it usually results in weaker replacements. Instead, change passwords when there’s a reasonable threat, such as a data breach.
- Websites (and you) should prohibit the use of passwords known to have been previously stolen, simple dictionary words and repetitive or sequential characters like "12345678" or “qwerty.” Another don’t: using passwords that contain the name of the user, service provider or other account-related information.
All good advice from NIST, but there’s more you can (and should) do for better, less-hackable passwords:
- Check ’em. Before selecting a password, do an online search of “Password Checkers” to gauge its strength. Also review frequently issued “Worst Passwords” lists for absolute no-nos – “password,” even tweaked, usually ranks high – and check if your passwords have been compromised against 306 million that have been. Meanwhile, a recent study by password manager Dashlane ranks popular websites on their password security policies.
- Vault ’em. A password manager removes the guesswork of having to remember many passwords. With these apps – some freebies and others with added features for up to $50 a year covering several devices – you need to remember only one master password (so make it good), and it remembers your log-in information at different websites. Some password managers also generate strong passwords, changed with each log-in.
- Reinforce ’em. With two-factor authentication, there’s an extra layer of security to vital digital accounts. To access your account, you supply two factors – your password (something you know) and something you have, such as your smartphone, fingerprint or iris scan. For instance, when you log in with your usual password, the two-factor authentication site sends your phone a six-digit code that must be entered before gaining access. Check twofactorauth.org for websites that offer two-factor authentication.
For information about other scams, sign up for the Fraud Watch Network . You’ll receive free email alerts with tips and resources to help you spot and avoid identity theft and fraud. Keep tabs on scams and law enforcement alerts in your area at our Scam-Tracking Map .
Also of Interest
- There’s no question about FBI ‘questionnaire’ email: It’s a new ransomware scam
- Post-disaster scams: Fallout fraud from Hurricane Harvey
- Get help: Find out if you’re eligible for public benefits with Benefits QuickLINK
- Join AARP: Savings, resources and news for your well-being
See the AARP home page for deals, savings tips, trivia and more.