If you get frustrated creating and keeping track of passwords, here’s good news.  Your task just got simpler. 

Since 2003, the rules for strong passwords had barely changed.  Until now.  The National Institute of Standards and Technology (NIST) has published new password guidelines, and what’s surprising is that the new standards are easier to follow, not harder.

*N0 MoRe 0f thi$!

The previous standards included requirements like using a combination of numbers, lower- and upper-case letters, and symbols, and having a separate password for every application.  But how can anyone keep track of all of them?  You either store them in a password manager or you write them down.  The sticky note on the monitor is the real no-no; a reputable password manager is the lesser risk, and the new guidelines actually expect people to use one (they tell websites to allow pasting into the password field for exactly that reason).

Paul Grassi, senior standards and technology adviser at NIST, who led the new revision of the guidelines, told NPR: “The traditional guidance is actually producing passwords that are easy for bad guys and hard for legitimate users.”

The updated password guidelines, contained in NIST Special Publication 800-63B (Digital Identity Guidelines), discuss the security risk that highly complex passwords themselves create: “Highly complex memorized secrets introduce a new potential vulnerability: they are less likely to be memorable, and it is more likely that they will be written down or stored electronically in an unsafe manner. While these practices are not necessarily vulnerable, statistically some methods of recording such secrets will be. This is an additional motivation not to require excessively long or complex memorized secrets (passwords).”

Use Real Phrases Instead

Here’s the good news.  The new guidance favors passwords that are simple, long and memorable.  In a reversal of the old advice to never use dictionary words, it lets you use a phrase of ordinary English words, all in lowercase and even with spaces, that you can actually remember: a site must accept at least eight characters, should accept 64 or more, and should no longer force you to include uppercase letters, digits or symbols.  Plus, passwords don’t need to expire on a schedule; a change is required only when there’s evidence the password has been compromised.

Think of the time you’ll save by not searching around for passwords or having to call tech support to re-set them!

One caveat is to continue to avoid commonly-used passwords like “1234567” or “password”, which frequently turn up in breaches.  Under the new guidelines, websites are expected to check each new password against a list of commonly used or previously breached values and reject it if it matches, so a lone dictionary word, the name of the site or your own username won’t get through either.  (Let’s not make it that easy for hackers.)
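To make the new rules concrete, here is an added example (it is not from the original article and not NIST’s code) showing what a login system’s password check looks like under the old composition rules and under SP 800-63B. The blocklist is a constructed stand-in for the breach-derived lists NIST expects sites to use; the function names, the 64-character ceiling (NIST only says a site should accept at least that many), and the case-folding and username checks are this example’s own choices.

```python
import unicodedata
from typing import Iterable, List, Optional

# Constructed stand-in for the breach-derived blocklist SP 800-63B tells
# verifiers to screen against; a real deployment uses a list of millions.
COMMONLY_USED = {"password", "p@ssw0rd", "1234567", "12345678", "qwerty", "letmein"}

MIN_LEN = 8    # 800-63B: user-chosen memorized secrets must be at least 8 characters
MAX_LEN = 64   # 800-63B: sites should accept at least 64; this example caps exactly there


def legacy_policy(pw: str) -> List[str]:
    """The composition-rule check the new guidance retires: 8 characters with
    upper case, lower case, a digit and a symbol. Kept only for contrast."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isupper() for c in pw):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in pw):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    # Legacy rules typically did not count a space as a symbol.
    if not any(not c.isalnum() and not c.isspace() for c in pw):
        problems.append("no symbol")
    return problems


def nist_policy(pw: str, username: Optional[str] = None,
                service: Optional[str] = None,
                blocklist: Iterable[str] = COMMONLY_USED) -> List[str]:
    """Site-side acceptance check in the spirit of SP 800-63B section 5.1.1.2:
    length bounds, Unicode normalization, blocklist and context-word screening,
    and deliberately no composition rules. Returns [] when acceptable."""
    # 800-63B: normalize with NFKC or NFC before processing, so the same
    # secret compares equal whatever keyboard or platform produced it.
    pw = unicodedata.normalize("NFKC", pw)
    problems = []
    # Length is counted in characters (code points), not bytes, and the
    # secret is never truncated to fit a field.
    if len(pw) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(pw) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    # Blocklist screening. Case-folding both sides is this example's choice
    # (breach lists are mostly lower case), not something 800-63B mandates.
    folded = pw.casefold()
    if folded in {w.casefold() for w in blocklist}:
        problems.append("appears on the commonly-used or compromised list")
    # 800-63B also lists context-specific words (the service name, the
    # username) among the values to reject. The 3-character floor is this
    # example's guard against rejecting everything for a username like "al".
    for label, ctx in (("username", username), ("service name", service)):
        if ctx and len(ctx) >= 3 and ctx.casefold() in folded:
            problems.append(f"contains the {label}")
    return problems


if __name__ == "__main__":
    # Constructed candidates; the last one is "password" typed in
    # fullwidth characters, which NFKC folds back to plain ASCII.
    for candidate in ("P@ssw0rd", "correct horse battery staple",
                      "\uff50\uff41\uff53\uff53\uff57\uff4f\uff52\uff44"):
        print(repr(candidate),
              "legacy:", legacy_policy(candidate) or "ok",
              "| nist:", nist_policy(candidate, username="alice") or "ok")
```

Note where the two checks disagree: the old rules wave through “P@ssw0rd”, which is on every breach list, and reject a four-word phrase because it has no capital letter or digit. The new check runs on the site’s side, not the user’s, and “accepted” only means “not obviously bad”; 800-63B pairs it with limits on failed login attempts and with salted, slow hashing of the stored password.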

For now, we’ll keep meeting the password standards that are required by the login screens of older applications and devices.  But soon, those random, hard-to-remember passwords will be a thing of the past. 


If you’d like to know more about how CRU Solutions can help with your business IT services, including the new password guidelines, contact us.