Password Security: New, Human-Friendly Guidelines

Are you suffering from password fatigue? Conventional rules dictate that we compose unrelated, random jumbles of letters, symbols, numbers and capitalizations and have different ones for dozens of accounts. On top of that, we're told to change them often. Yet, data breaches and malware attacks are reported daily, with Under Armour, Facebook, Panera, MyHeritage and the Sacramento Bee just a few of the companies reporting compromised data in 2018.  

Fortunately, in June 2017, the United States' National Institute of Standards and Technology (NIST) issued a new revision of their digital authentication guidelines, making it a lot easier to create passwords that are both easy to remember and highly secure.  

You can read all about it in NIST Special Publication 800-63B, an 83-page manifesto, but cybersecurity expert Mike Garcia's take on the new guidelines, Easy Ways to Build a Better P@$5w0rd, is a lot shorter and a lot more entertaining.  

In short, NIST recommends that instead of passwords, we use passphrases, which consist of a sequence of words or other text.  

Under this new approach, a password (which NIST calls a "memorized secret") can be a short, random phrase with no other character requirements. Contrary to popular assumption, these phrases are more difficult to crack than the shorter, complex passwords we've been using (especially when those end up on a series of Post-It notes).

To create a secure passphrase:

  • Make your passphrase at least 8 characters long, and consider making it longer. NIST says that service providers should allow passwords of up to 64 characters. You can put spaces between the words.

  • There's no need to change it periodically. Keep your passphrase as long as you'd like, unless you've been notified of a breach or have accidentally clicked on a questionable link.

  • Try using a password manager. Since it's recommended that you don't use the same passphrase for all of your accounts, a password manager will help generate and store multiple ones.    

  • Don't use special characters. No more &s and *s—you don't need them anymore, since they're hard to remember and don't make the password stronger.

  • Avoid repetitive or sequential characters. Stay away from patterns such as "1234567" or "yyyyyyyy".

  • Don't use your own name or the name of the service you're using in your passphrase. "John Smith likes gmail," for example, is a bad choice.

Need some help generating a passphrase? Useapassphrase will generate a secure one for you, or test a passphrase you've come up with yourself.
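To show how the checklist above and a generator like the one just mentioned fit together, here is a small Python script. It is an added example, not code from this post, from NIST, or from the Useapassphrase site: the 4-character threshold for "repetitive or sequential" runs, the problem codes, and the sample wordlist are all assumptions made for the illustration. It also adds the one NIST rule the post only hints at (rejecting a secret that appears in a known-breach list) and an entropy estimate so you can compare a word-based phrase against a character-based password.

```python
"""Passphrase checks and generation following the NIST SP 800-63B points
summarized in the post. Added illustration only; thresholds, problem codes
and the wordlist are assumptions, not NIST's or the post's own values."""
import math
import secrets

MIN_LEN = 8    # NIST minimum length for a user-chosen memorized secret
MAX_LEN = 64   # NIST says verifiers should accept at least this many characters
RUN_LEN = 4    # assumed threshold for a "repetitive or sequential" run

# Constructed sample wordlist. A real generator would use a large list
# (a 7776-word diceware list, say) so that each word adds about 12.9 bits.
SAMPLE_WORDS = [
    "river", "maple", "candle", "orbit", "pillow", "garden", "copper",
    "lantern", "meadow", "violet", "harbor", "pencil", "summit", "walnut",
    "tundra", "basket",
]


def has_repetitive_run(text, n=RUN_LEN):
    """True if any single character is repeated n or more times in a row."""
    return any(c * n in text for c in set(text))


def has_sequential_run(text, n=RUN_LEN):
    """True if n consecutive letters/digits step up or down by exactly one
    (e.g. "1234", "abcd", "dcba"). Chunks containing spaces are skipped."""
    text = text.lower()
    for i in range(len(text) - n + 1):
        chunk = text[i:i + n]
        if not chunk.isalnum():
            continue
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def check_passphrase(passphrase, username="", service="", blocklist=()):
    """Return a list of problem codes; an empty list means the passphrase
    passes every check in the post plus NIST's breach-list rule.
    Spaces are allowed and no character class is required."""
    problems = []
    if len(passphrase) < MIN_LEN:
        problems.append("too_short")
    if len(passphrase) > MAX_LEN:
        problems.append("too_long")
    if has_repetitive_run(passphrase):
        problems.append("repetitive")
    if has_sequential_run(passphrase):
        problems.append("sequential")
    lowered = passphrase.lower()
    # Any part of the user's own name (3+ letters) appearing in the phrase.
    if any(tok in lowered for tok in username.lower().split() if len(tok) >= 3):
        problems.append("contains_name")
    if service and service.lower() in lowered:
        problems.append("contains_service")
    # NIST also requires rejecting secrets found in known-breach corpora;
    # the blocklist here is whatever the caller supplies (constructed).
    if lowered in {b.lower() for b in blocklist}:
        problems.append("blocklisted")
    return problems


def generate_passphrase(words=SAMPLE_WORDS, count=4, sep=" "):
    """Pick `count` words uniformly at random using a CSPRNG."""
    return sep.join(secrets.choice(words) for _ in range(count))


def bits_for_wordlist(list_size, word_count):
    """Entropy of a random phrase of word_count words drawn from list_size."""
    return word_count * math.log2(list_size)


def bits_for_charset(alphabet_size, length):
    """Entropy of a truly random password of `length` characters."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for p in ["1234567", "yyyyyyyy", "John Smith likes gmail",
              "correct horse battery staple", generate_passphrase()]:
        verdict = check_passphrase(p, username="John Smith", service="gmail")
        print(f"{p!r}: {verdict or 'ok'}")
    print("4 diceware words:", round(bits_for_wordlist(7776, 4), 1), "bits")
    print("8 random printable chars:", round(bits_for_charset(95, 8), 1), "bits")
```

The entropy figures make the post's point precise: four words from a 7776-word list give about 51.7 bits, roughly the same as eight characters chosen uniformly from all 95 printable ASCII characters (52.6 bits), and every extra word adds another 12.9 bits while staying far easier to remember. Real users rarely pick their eight "complex" characters uniformly at random, which is why the phrase tends to win in practice.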

For more news about passphrases or other computer-related topics in areas such as hardware, software, electronics, engineering, communications or the application of technology, check out the library's Computer Database (available with your DPL card). 


Written by Lisa on September 6, 2018

Courtney on October 4, 2018

Question: how often do you recommend changing passwords?

Courtney on October 4, 2018

Oops, sorry. I see that you actually answered that in the post. nm

Lisa F. on October 4, 2018

I like that part the best!
