How many of your online passwords include uppercase and lowercase letters, numbers, and special characters? It’s probably because of a document from 2003 that you’ve never heard of.
The author of NIST Special Publication 800-63 Appendix A, published by the U.S. Department of Commerce’s National Institute of Standards and Technology, tells The Wall Street Journal he made a mistake 14 years ago when he recommended that a secure password follow a complex formula and be updated often.
The 2017 version of that NIST publication explains that password complexity not only makes it harder for people to memorize their passwords but also wasn’t necessarily making them more secure. In addition, it says that passwords only need to be updated when there’s been a breach, like when you hear hackers hit your bank or favorite online shop.
What makes a password more secure?
Forget capitalization, numbers, and characters. Use a long string of random words you can remember. The updated NIST publication says password length is usually the main factor in password strength, because short passwords are more susceptible to being cracked. So, applepoetrysaute is stronger than P@ssw0rd1!, and surprisingly easier to remember.
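As an added example (not code from the article or from NIST), here is a small checker that applies the 2017 guidance the article describes: a length floor and ceiling, no composition rule, and a blocklist of overused passwords, alongside a naive brute-force estimate that shows why the old "complexity" rule misjudged P@ssw0rd1!. The blocklist here is a constructed stand-in for the published lists of overused passwords.

```python
import math
import re
import unicodedata

# Constructed stand-in for a real breached/overused-password list.
# A deployment would load a large published corpus instead.
COMMON_PASSWORDS = {
    "password", "password1", "p@ssw0rd", "p@ssw0rd1", "p@ssw0rd1!",
    "qwerty1", "123456", "letmein",
}

def charset_bits(password: str) -> float:
    """Naive brute-force strength: length * log2(alphabet size).
    This is the 'complexity' view of strength; it knows nothing about
    how guessable a string is, so it overrates dictionary passwords."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[0-9]", password):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", password):
        size += 33          # remaining printable ASCII symbols
    return len(password) * math.log2(size) if size else 0.0

def nist_check(password: str, min_len: int = 8, max_len: int = 64):
    """Return (accepted, reason) in the spirit of NIST SP 800-63B memorized
    secrets: enforce only length, reject known-bad passwords, and impose no
    character-class rules. The Unicode normalization and the repeated-character
    test are our own additions, not text from the article."""
    pw = unicodedata.normalize("NFKC", password)
    if len(pw) < min_len:
        return False, "too short"
    if len(pw) > max_len:
        return False, "too long"
    if pw.lower() in COMMON_PASSWORDS:
        return False, "on overused-password list"
    if re.fullmatch(r"(.)\1+", pw):
        return False, "single repeated character"
    return True, "ok"

if __name__ == "__main__":
    for candidate in ("P@ssw0rd1!", "applepoetrysaute", "short", "aaaaaaaa"):
        print(candidate, round(charset_bits(candidate), 1), nist_check(candidate))
```

P@ssw0rd1! scores a respectable 65.7 bits under the naive character-class model yet is rejected outright by the blocklist, while the plain 16-letter passphrase scores higher (75.2 bits) and passes.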
Hurray!
Yeap – with a twist… have multiple passwords – never the same one everywhere. Figure out a way to use slight variations to make it easy on yourself. Someone I know has been using the same passwords since the ’90s.
Why doesn’t someone send this message to the Board of Realtors who seem to be so worried about MLS passwords…? I’d be willing to bet that changing my password every few months has never kept anyone from getting into the system if they wanted to. It is simply a burden for agents, the majority of whom are senior citizens and can’t remember what we had for dinner last night, let alone a new password.
How I wish more IT professionals, and even formal security audits, realized this! PurpleMonkeyDishwasher (example only) is far more secure, and easier for me to remember, than Password1, Qwerty1, Kid’s / Spouse’s / Pet’s name1 (all numerically incremented with each predictably timed and required password change). These examples are from the standard list of overused passwords that is published every year, yet many people still use these due to business requirements and IT policies, which should no longer be applicable in modern use. Often policies change more slowly than technology. My hope is that more IT staff members around the…
Unfortunately, certain websites require you to use lower case, upper case, numbers and symbols, so you have to use what they want, rather than what you can remember. I try to use one long nonsensical password for all my financial accounts and another for sites that are not financial in nature, but this is not acceptable to different websites. As a result, I have to change passwords often as I cannot remember what that particular site requires. Some sites even limit passwords to 12 characters. I don’t like storing all my passwords either to a site or in a manual…
On many sites, when you say you can’t remember your password, they automatically force you to change it and create a new one. Now you have another password that you can’t remember! All I wanted to do was to retrieve the old password, and continue using it. Obviously, I am the only one who “forgot” it, so I should be allowed to continue using it if I choose to. But this blog will have no effect on what other web sites do with their passwords. The message needs to go to the Boards of Realtors in the state, and tell…
Per my Tech Coach: “this is a relevant topic, but needs to be considered in context. Passwords can’t be too long. A lot of websites only allow passwords to a certain size and criteria i.e. capital letters, numbers, etc. Most haven’t changed to the new criteria yet.
Keeping the format you have for the time being is still your best bet. There are a lot of other things which go into why keeping the format you have now is best.”