For more than a decade, the rules for creating passwords have been pretty clear — use a combination of lower-case and upper-case letters, add some numbers, and be sure to include a random exclamation point or at symbol somewhere in the mix. This is how you create the strongest possible password, right?
Not so fast. Bill Burr, the man who wrote the book on the subject, recently revealed to The Wall Street Journal that we’ve been thinking about passwords all wrong. Let’s review why these rules didn’t work, explore the new guidelines for creating more secure passwords, and examine why it’s important to choose the strongest possible passwords regardless of the minimum requirements any given company outlines.
Why the old rules for creating passwords haven’t worked
Until August 2017, the industry standard for creating a secure password had remained unchanged for 14 years. Since 2003, the rule was to create long, alphanumeric passwords with special characters and to change those passwords every 90 days. Bill Burr, who developed these practices during his tenure at the National Institute of Standards and Technology (NIST), now admits this was a mistake. At the time, his rules were based not on real-world password data but on an obscure paper written in the mid-1980s.
His advice turned out to be poor for several reasons: most people simply couldn’t remember such a complex arrangement of numbers, letters, and special characters, which led them to fall back on predictable password patterns. Further, mandatory password changes let attackers spot a pattern, such as swapping the “2016” in a password for “2017.”
How to create the most secure passwords possible
Although he no longer works at the agency, Burr recently came out of retirement to help NIST develop a new set of guidelines aimed at improving password creation. Regardless of the minimum password requirements outlined by any organization, users should follow these new NIST digital identity guidelines when generating passwords:
- Passwords should be between eight and 64 characters long
- Use a series of words or phrases you can easily remember, like “rabidelephantsdancewildly”
- Stop changing your password every 90 days, and instead only change passwords when there’s a reasonable threat, like a data breach
- Consider using a password vault that encrypts your passwords — then, you just have to worry about remembering one password
- When possible, use two-factor authentication that requires you to verify a login through secondary means, such as sending a code via text or email
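As an added example (not from the original article), the Python below puts the old composition rules beside a NIST-style length check, and adds a test for the year-swap rotation pattern described above. The blocklist contents and sample passwords are constructed; the small blocklist stands in for the breached-password screening NIST also recommends.

```python
"""Password-policy checks: the 2003-era composition rules versus the newer
NIST-style rules (length 8..64, no composition requirement, blocklist).
Added example; thresholds come from the article, sample data is constructed."""
import re

# Constructed blocklist of predictable passwords. A real verifier would use a
# large list of breached/common values (assumption, not from the article).
COMMON_PASSWORDS = {"password", "p@ssw0rd", "password1!", "welcome2017!"}


def legacy_policy(password: str) -> list[str]:
    """Old rules: 8+ characters plus upper, lower, digit and symbol."""
    failures = []
    if len(password) < 8:
        failures.append("shorter than 8 characters")
    if not re.search(r"[a-z]", password):
        failures.append("no lower-case letter")
    if not re.search(r"[A-Z]", password):
        failures.append("no upper-case letter")
    if not re.search(r"\d", password):
        failures.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        failures.append("no special character")
    return failures


def nist_policy(password: str) -> list[str]:
    """Newer rules: 8 to 64 characters, any characters allowed (including
    spaces), and reject values that are known to be predictable."""
    failures = []
    if len(password) < 8:
        failures.append("shorter than 8 characters")
    if len(password) > 64:
        failures.append("longer than 64 characters")
    if password.lower() in COMMON_PASSWORDS:
        failures.append("on the common-password blocklist")
    return failures


YEAR = re.compile(r"(19|20)\d{2}")


def is_trivial_rotation(old: str, new: str) -> bool:
    """True when the 'new' password is the old one with only a four-digit
    year swapped, i.e. the 2016 -> 2017 pattern forced by 90-day rotation."""
    if old == new:
        return True
    return YEAR.sub("YYYY", old.lower()) == YEAR.sub("YYYY", new.lower())
```

The passphrase “rabidelephantsdancewildly” fails every composition rule of the old policy yet passes the new one, while a predictable “P@ssw0rd” does the reverse.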
Create the strongest possible password every time
The bottom line is that you cannot wait for companies to react. When you create a new password or update an existing one, you should focus on generating the most secure password possible every time. Just because a site, company, or app declares that you have a “strong” password doesn’t mean it’s true. Often, this only indicates you’ve met whatever minimum requirements they deemed necessary. It doesn’t prove that your password is as secure as it can and should be.
In today’s new reality, meeting the minimum requirements is no longer good enough. It’s imperative you take every step you can to protect yourself.
To stay up-to-date on all things related to cybersecurity, identity theft, and privacy protection, be sure to follow our blog. If you’d like to learn more about how you can avoid threats posed by hackers, be sure to download our complimentary eBook, Phishing for Dollars: How Identity Theft is Leaving Businesses and Employees on the Hook.