Coming up with a new password is probably one of the most mundane and annoying things a person has to do in their everyday life. Do you make it something easy to remember? Or do you add in a bunch of symbols for extra security? Most people tend to opt for the easier path and come up with something they’ll remember . . . and then end up writing it down on their phone or a piece of paper. But if you’re one of the people who followed the National Institute of Standards and Technology (NIST) guidelines about including numbers, characters, and capital letters in your password (or were one of the many people whose employers told them to do so), we have some good and bad news for you: those rules are totally useless and don’t actually help. Now, how about you start making your passwords words you’ll actually remember?
Back in 2003, NIST created a guide titled “Special Publication 800-63-3. Appendix A.” on how to come up with the best password. The rules stated that a secure password would use numbers, special characters, and capital letters and be changed regularly. However, the man who came up with these rules, Bill Burr, told the Wall Street Journal on Aug. 7 that it’s all wrong. He based all his information on a paper published in the 1980s — before the internet as we know it existed. The 72-year-old man says he “regrets” his mistake.
If you’re about ready to tear your hair out after realizing how much time you’ve spent agonizing over your password choices, there’s a silver lining. NIST updated the guidelines in June and released a new set of rules in “Special Publication 800-63-3.” NIST now wants sites and companies to forgo requiring people to change their passwords periodically, which makes sense since a study from Carleton University revealed that this is a pretty useless tactic. The organization also wants sites to let users come up with passwords that are 64 characters long (with spaces), so that people can use words they’ll actually remember.
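To make the contrast concrete, here is an added illustration (written for this article, not NIST's own code) that checks a candidate password under the old composition rules and under the 2017 guidelines described above; the blocklist lookup reflects SP 800-63B's requirement that verifiers reject commonly used or compromised passwords, and the small list here is a constructed sample.

```python
"""Password-acceptance checks contrasting 2003-style composition rules with the
2017 NIST SP 800-63B approach. Illustrative example, not NIST's own tooling."""
import string

# Constructed sample blocklist. SP 800-63B requires rejecting candidates found
# in a list of commonly used or breached passwords; a real deployment would
# load a large list rather than this hand-picked set.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "p@ssw0rd1"}


def old_policy_ok(pw: str) -> bool:
    """2003-style rules: 8+ chars with a digit, a symbol and an uppercase letter.
    Rejecting spaces is an assumption about typical legacy policies."""
    return (
        len(pw) >= 8
        and any(c.isdigit() for c in pw)
        and any(c in string.punctuation for c in pw)
        and any(c.isupper() for c in pw)
        and " " not in pw
    )


def nist_policy_ok(pw: str, max_len: int = 64) -> bool:
    """SP 800-63B-style check: at least 8 characters, at least 64 permitted,
    spaces allowed, no composition rules, and not on the blocklist.
    len() counts Unicode code points, which is how 800-63B measures length."""
    if len(pw) < 8 or len(pw) > max_len:
        return False
    # Case-insensitive, whitespace-trimmed lookup so trivial variants of
    # known-bad passwords are caught as well.
    if pw.strip().lower() in COMMON_PASSWORDS:
        return False
    return True


if __name__ == "__main__":
    for candidate in ("P@ssw0rd1", "correct horse battery staple"):
        print(f"{candidate!r}: old={old_policy_ok(candidate)} "
              f"nist={nist_policy_ok(candidate)}")
```

The first candidate satisfies every legacy composition rule yet is rejected under the new check because it sits on the blocklist, while the four-word passphrase fails the old rules and passes the new ones.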
So, go forth and make your passwords words you’ll never forget. Or, better yet, get a password manager like LastPass or 1Password and have it come up with those complicated passwords for you — which you can then access with a master password that fits NIST’s new guidelines.