The New Password Rules: Everything You Thought You Knew Is Wrong

The New Password Rules: Everything You Thought You Knew Is Wrong


It turns out that everything you thought you knew about creating a secure password is wrong.

You know the rules: mix letters and numbers, use special characters such as pound signs and exclamation points, use both capital and lowercase characters, make it 10 to 12 characters long, and make sure it isn’t an actual word or phrase. Something like U2kx9H3&*7q! would be ideal. Plus, change that password every 30 to 90 days. These strong password rules have been adopted by companies, the government, and websites.

Well, guess what? The guy who came up with those rules says they’re all wrong. Turns out they aren’t that effective. Yes, it’s safer than 123456 or “password” as a password. But how much safer?

Bill Burr came up with these rules almost 15 years ago while working for the National Institute of Standards and Technology. It turns out that since the passwords people create that fit the rules are harder to remember, so they tend to go for the simple ones, and when they change them, they often only change one or two characters. Also, knowing that a site requires one capital letter and one special character can tip hackers off when guessing a password.

Most hackers don’t try to guess your password manually. They use a program that generates combinations of letters and numbers, trying every one that’s available. So you end up with passwords that people have problems remembering but that computers can guess pretty easily.

So, what are the new rules?

• No more changing passwords every month or two

• Get rid of requirements for upper and lower case letters, numbers, and special characters

• Create a password up to 64 characters in length. An uncommon phrase familiar only to you is a good choice. For example: “auntsallylovesgreentomatopicklesbutonlyinseasonwithhomemadebread”

• Check all your passwords against lists of frequently used passwords or passwords that have been compromised. Click here to visit PWNED Passwords. This site will let you know if your password has been used in any data breaches.

Though many tech companies have been pushing for more biometrics, the new NIST rules warn against relying too heavily on facial recognition, fingerprints, and retina scans, saying these should be only one part of security.

These are some of the suggestions for businesses and others to make accounts secure:

• Don’t allow security questions or password hints.

• Force a delay of at least 30 seconds after a failed password attempt.

• Allow no more than five consecutive attempts to input a password before the account is shut down.

• Require multi-factor authentication.

• Do away with requirements for special characters, capital letters, and numbers.

• Allow passwords up to 64 characters in length.

• Don’t require users to change passwords unless there’s an issue.

These new tips certainly would make password security easier and better.

~ Cyn
Courtesy of Cyn’s Tech Tips