The rules for password creation have changed in recent years, so you may have to unlearn some of the things you’ve been taught in the past about secure passwords.
The National Institute of Standards and Technology (NIST), the federal agency whose earlier guidance shaped most organizations' password policies, has revised that guidance in its Digital Identity Guidelines (SP 800-63B). Its current recommendations are based on research into both the habits of users and the techniques attackers actually use. Here are some of its findings:
- Length is a major factor in a password’s strength, so the longer the password, the better.
- Complexity rules that force a mix of character types make passwords hard to remember and do little to stop attackers: people respond predictably (a capital first letter, a digit or exclamation mark on the end), and cracking tools already model those patterns.
- Strong passwords can be built from a phrase that is easy for you to remember but meaningless to anyone else. A long passphrase of several unrelated words is both easier to recall and harder to guess than a short, complex string; avoid well-known quotes or song lyrics, which are already in attackers' dictionaries.
- Passwords may be used indefinitely as long as they are strong and have not been compromised. If a company you have an account with suffers a data breach, change that password, and change it anywhere else you reused it.
Other Ideas on Secure Passwords
Changing passwords every 30, 60 or 90 days was long recommended for thwarting attackers, but NIST now advises against forced periodic changes, and many security practitioners agree. Scheduled rotation has little security value on its own and breeds bad habits: research has shown that people tend to make only minor, predictable changes when forced to update (Spring2024! becomes Summer2024!) or pick weaker passwords that are easier to memorize. You are better off creating one strong password, memorizing it and keeping it until there is an actual reason to change it, such as evidence of a breach.
While NIST has changed some of its guidelines, some of the old ones still apply. Don't share your passwords with anyone, or leave them on sticky notes by your computer. Use a unique password for each important account, such as your bank and your email, so that a breach at one site cannot be replayed against the others (attackers routinely try leaked credentials on other services, a technique known as credential stuffing). And avoid common passwords such as “password,” “12345678,” “qwerty” and “iloveyou,” which sit at the top of every cracking list.
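As an added example (not code from the article or from NIST), here is a small verifier-side check in Python that implements the approach NIST SP 800-63B describes: a minimum length, a blocklist of common and breached passwords, rejection of repetitive or sequential strings and of context-specific values such as the username, and deliberately no composition rules or expiry. It also computes a brute-force strength estimate that shows why length matters more than a mix of character types. The blocklist entries, function names and sample passwords are constructed for illustration; a real deployment would load a large breach corpus rather than a handful of strings.

```python
import math
import string

# Constructed, illustrative blocklist. A real verifier would load a large
# corpus of common and breached passwords (NIST SP 800-63B asks for exactly
# that); these entries are the ones named in the article plus one common
# leetspeak variant.
BLOCKLIST = {"password", "12345678", "qwerty", "iloveyou", "p@ssw0rd"}

MIN_LENGTH = 8  # NIST SP 800-63B minimum for user-chosen memorized secrets


def charset_size(password: str) -> int:
    """Size of the smallest standard alphabet that covers every character used."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    if " " in password:
        size += 1
    return size


def brute_force_bits(password: str) -> float:
    """Strength in bits against exhaustive search: log2(alphabet ** length).

    This is an upper bound only. A human-chosen password, or a passphrase
    built from a famous quote, is far weaker against dictionary and
    rule-based attacks, which is why the blocklist check below still matters.
    """
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def is_repetitive_or_sequential(password: str) -> bool:
    """True for strings such as 'aaaaaaaa', '12345678' or 'hgfedcba'."""
    if len(set(password)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(password, password[1:])}
    return steps in ({1}, {-1})


def check_password(password: str, context: tuple[str, ...] = ()) -> list[str]:
    """Apply NIST-style acceptance rules; returns rejection reasons (empty = accepted).

    Note what is deliberately absent: no required mix of character classes and
    no expiry date. `context` holds values an attacker would try first for this
    account, for example the username or the service name.
    """
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    normalized = password.lower()
    if normalized in BLOCKLIST:
        reasons.append("appears in the common/breached password blocklist")
    if is_repetitive_or_sequential(password):
        reasons.append("repetitive or sequential characters")
    for word in context:
        if word and word.lower() in normalized:
            reasons.append(f"contains context-specific value {word!r}")
    return reasons


if __name__ == "__main__":
    # Constructed sample inputs: a short "complex" password, a long passphrase
    # of unrelated words, and a sequential string.
    for candidate in ("P@ssw0rd", "correct horse battery staple", "12345678"):
        print(f"{candidate!r}: {brute_force_bits(candidate):.1f} bits, "
              f"rejected for {check_password(candidate, context=('jsmith',))}")
```

Running it shows the two points the article makes: the eight-character, four-class "P@ssw0rd" rates about 52 bits against brute force yet is rejected because it is in the blocklist, while the 28-character lowercase passphrase rates about 133 bits and passes without containing a single digit or symbol. The estimate is only a ceiling; the blocklist, not the bit count, is what catches passwords that humans actually pick.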