Updated by Emma Stone

Is your Password H@rd T0 R3m3mb3R?

“Your password must contain a mix of lowercase letters, uppercase letters, numbers, special characters, and cannot be the same as any password you’ve used previously”

Does this sound familiar? These requirements are drawn from a guide published by the National Institute of Standards and Technology in 2003. What you likely haven’t heard is that in September of 2018, NIST announced that, in the face of massive and readily available computer power, they were Wr0ng!$.

The current advice from NIST is that password length, not complexity, is the most important factor in creating a secure password. Here are some key takeaways from the new NIST guidelines:

  • Eliminate recurrent password change requirements, unless due to a security breach or user choice.
  • Simplify password complexity requirements (no more special character, uppercase/lowercase letter, or number requirements).
  • Mandate screening of new passwords against commonly used or compromised passwords.

The last point is one of the more innovative mandates, as this has never before been a policy implemented in password design. When creating a new password, users will be alerted if it matches an entry on the susceptible/compromised list.

Because of these new recommendations, TechNosis is advising all our customers to move away from short, cryptic passwords and start using longer, easy-to-remember passphrases instead.

The key elements of a secure passphrase are:

  • At least 14 characters, but the longer the better.
  • An easy to remember phrase or sentence that is quick to type.
  • Nothing from pop culture or movies.
  • Examples: “my dog eats purple biscuits”, “too much rain on thursday”
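To show how the three takeaways above (a minimum length, no composition rules, and screening against a compromised-password list) combine into a single check, here is an added example in Python; it is not code from the original post or from TechNosis. The compromised list is a constructed sample of a handful of entries, where a real deployment would load a breach corpus, and the keyspace helper is included to illustrate why a long lowercase passphrase outranks a short complex password.

```python
import hashlib
import math
import unicodedata
from typing import Tuple

# Minimum passphrase length taken from the guidance above.
MIN_LENGTH = 14

# Constructed sample of a compromised-password list (a real list has millions
# of entries). Breach lists are usually distributed and compared as SHA-1
# digests rather than plaintext, so the check below hashes the candidate.
_CONSTRUCTED_COMPROMISED = [
    "password", "123456", "qwerty", "letmein", "P@ssw0rd!",
    "correcthorsebatterystaple",  # famous from the xkcd strip, hence "pop culture"
]


def _sha1_hex(text: str) -> str:
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


COMPROMISED_DIGESTS = {_sha1_hex(p) for p in _CONSTRUCTED_COMPROMISED}


def normalize(passphrase: str) -> str:
    """NFKC-normalize so visually identical Unicode inputs compare equal.
    Spaces are kept: a passphrase is allowed to contain them."""
    return unicodedata.normalize("NFKC", passphrase)


def check_passphrase(candidate: str) -> Tuple[bool, str]:
    """Apply the NIST-style rules: length first, then breach screening.
    Deliberately no requirement for digits, case mix or special characters."""
    p = normalize(candidate)
    if len(p) < MIN_LENGTH:
        return False, f"too short: {len(p)} < {MIN_LENGTH} characters"
    if _sha1_hex(p) in COMPROMISED_DIGESTS:
        return False, "matches a known compromised password"
    return True, "accepted"


def keyspace_bits(length: int, alphabet_size: int) -> float:
    """Bits of brute-force search space for a random string of this shape."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for cand in ["P@ssw0rd!", "correcthorsebatterystaple", "my dog eats purple biscuits"]:
        print(repr(cand), "->", check_passphrase(cand))
    # 8 chars over 95 printable ASCII vs 26 lowercase letters and spaces (27 symbols)
    print(round(keyspace_bits(8, 95), 1), "bits vs", round(keyspace_bits(26, 27), 1), "bits")
```

The keyspace comparison assumes characters chosen uniformly at random; real passphrases drawn from natural language have less entropy per character, which is why the guidance pairs length with breach screening rather than relying on length alone.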

[Image: xkcd Password Strength]
