The National Institute of Standards and Technology (NIST) issued new password guidelines in the summer of 2017, and they are a night-and-day difference from the previous conventional wisdom. According to Bill Burr, the author of the original password guidelines, he did not have any real data or research to support the recommendations, so he simply came up with things that seemed to make sense.

So, what's the harm?

Those rules left us vulnerable to attackers: the passwords they produced were hard to remember and type, they were predictable, and they generally made us lazy when it came to good password hygiene. Let's take a moment to review what the prior guidelines looked like so we can compare:

  1. Passwords should be at least 8 characters long
  2. They should contain a combination of symbols, numbers, and mixed case
  3. A password should be changed every 60 - 90 days

Seems logical, no?

The old guidelines seem logical on the surface, but they led to folks adding a number, or incrementing it by one, when they were forced to change passwords. They also led to passwords that were short and hard to type and remember which, not coincidentally, were easy for computers to guess. This was a perfect storm! It was so bad that Bill Burr admitted to regretting these guidelines!

Ok, what are these new fancy guidelines?

The new password guidelines are designed for passwords to be simple, easy to remember, easy to type and strong. Take a look:

  1. Passwords should be longer than 8 characters and should incorporate phrases or multiple words - the longer the better (think of a fun phrase or use word association)
  2. Systems should check passwords against databases of compromised passwords
  3. Passwords should only be changed if compromised
  4. Multi-Factor Authentication should be implemented wherever possible
  5. Use a password manager to generate strong, unique passwords for every system and store them securely; be sure to use a password manager that itself supports Multi-Factor Authentication
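As an added example (not code from the original post), here is how a system might enforce guidelines 1 and 2 above in Python: a minimum length and a check against a compromised-password list, using the k-anonymity range-lookup pattern that public breach-check services use, so the full password hash never leaves the client. Assumptions: the hand-written blocklist, the 9-character minimum (the post says "longer than 8"), and `range_lookup` standing in for a remote service.

```python
import hashlib

# Constructed sample blocklist; a real deployment would load a breach corpus
# (tens of millions of SHA-1 hashes) instead of this hand-written set.
_COMPROMISED_PLAINTEXTS = {"password", "123456789", "letmein2017", "welcome1"}
COMPROMISED_HASHES = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in _COMPROMISED_PLAINTEXTS
}

# The post says "longer than 8 characters", so 9 is the minimum here (assumption).
MIN_LENGTH = 9


def range_lookup(prefix):
    """Stand-in for a k-anonymity range endpoint: given the first 5 hex chars
    of a SHA-1, return the 35-char suffixes of every compromised hash that
    shares the prefix. The caller never sends the full hash or the password."""
    return {h[5:] for h in COMPROMISED_HASHES if h.startswith(prefix)}


def is_compromised(password):
    """Hash locally, query by prefix only, compare suffixes on the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return suffix in range_lookup(prefix)


def check_password(password):
    """Return the list of reasons a candidate password is rejected (an empty
    list means accepted). Deliberately no composition rules (symbols, digits,
    mixed case) and no expiry, matching the new guidelines."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if is_compromised(password):
        reasons.append("appears in the compromised-password list")
    return reasons


if __name__ == "__main__":
    for candidate in ["password", "123456789", "purple elephants juggle teacups"]:
        print(repr(candidate), "->", check_password(candidate) or "accepted")
```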

How does this simplify things?

The new guidelines do several things for us:

  • Passwords are easier to remember - gone are the days of hieroglyphics in passwords
  • They are more persistent - no more frequent changes causing us to add a one or an exclamation mark to the next password
  • The passwords are supported by multiple forms of authentication, working hand in hand to prove you are who you say you are
  • They are longer, making it much more difficult, if not impossible (use 24+ characters), for a computer to guess
  • The password manager will help with storing (and sometimes even entering) passwords since each system/site will have a different one

Take these guidelines to heart then go forth and change your passwords... NOW!