New guidelines for creating strong passwords

The US National Institute of Standards and Technology (NIST) has issued new guidelines for password security that turn accepted wisdom about creating long strings of letters, numbers and symbols on its head.


NIST, a non-regulatory federal agency within the US Department of Commerce, issued the original advice in 2003 that became the global standard for password security. But it now says the advice led people to create predictably ‘complex’ passwords in a bid to remember them, which made them more vulnerable to hackers.

A former employee who has since retired said there just wasn’t enough real-world data available at the time.

Key changes in NIST’s new digital identity guidelines include:

  • Don’t arbitrarily mix letters, numbers and symbols to make a password. Instead, create passwords that are more memorable.
  • Single dictionary words, the user’s street address or numeric sequences such as 1234567 should be banned.
  • Organisations should screen the strength of their passwords against those used in cybercriminal dictionary attacks, a method of breaking into a password-protected computer or server by systematically entering every word in a dictionary as a password.
  • Stop frequently changing passwords, for example each month, as it leads to poor passwords being created.

What’s new?

What are the major differences between current received wisdom about “secure passwords” and what NIST is now recommending?

Some of the recommendations you can probably guess; others may surprise you.

We’ll start with the things you should do.

  • Favour the user. To begin with, make your password policies user friendly and put the burden on the verifier when possible. In other words, we need to stop asking users to do things that aren’t actually improving security. Much research has gone into the efficacy of many of our so-called “best practices” and it turns out they don’t help enough to be worth the pain they cause.
  • Size matters. At least it does when it comes to passwords. NIST’s new guidelines say you need a minimum of 8 characters. (That’s not a maximum minimum – you can increase the minimum password length for more sensitive accounts.) Better yet, NIST says you should allow a maximum length of at least 64, so no more “Sorry, your password can’t be longer than 16 characters.”
  • Check new passwords against a dictionary of known-bad choices. You don’t want to let people use ChangeMe, thisisapassword, GoCowboys, and so on. More research needs to be done into how to choose and use your “banned list,” but Jim Fenton thinks that 100,000 entries is a good starting point.

The don’ts

Now for all the things you shouldn’t do.

  • No composition rules. What this means is, no more rules that force you to use particular characters or combinations, like those daunting conditions on some password reset pages that say, “Your password must contain one lowercase letter, one uppercase letter, one number, four symbols but not &%#@_, and the surname of at least one astronaut.” Let people choose freely, and encourage longer phrases instead of hard-to-remember passwords or illusory complexity such as pA55w+rd.
  • No password hints. None. If I wanted people to have a better chance at guessing my password, I’d write it on a note attached to my screen. People set password hints like “rhymes with assword” when you allow hints.
  • Knowledge-based authentication (KBA) is out. KBA is when a site says, “Pick from a list of questions – Where did you attend high school? What’s your favourite football team? – and tell us the answer in case we ever need to check that it’s you.”
  • No more expiration without reason. This is my favourite piece of advice: If we want users to comply and choose long, hard-to-guess passwords, we shouldn’t make them change those passwords unnecessarily. The only time passwords should be reset is when they are forgotten, if they have been phished, or if you think (or know) that your password database has been stolen and could therefore be subjected to an offline brute-force attack.
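The do’s and don’ts above, put together as a verifier-side check. This is an added example, not code from NIST or the original article; the function names, the tiny banned list, and the NFKC normalisation with case folding are assumptions made for illustration.

```python
import unicodedata

MIN_LENGTH = 8    # minimum from the guidelines; raise it for sensitive accounts
MAX_LENGTH = 64   # smallest cap the guidelines allow; a larger cap is fine

# Constructed sample. A real banned list would hold on the order of
# 100,000 entries taken from cracking dictionaries and breach corpora.
BANNED = {"changeme", "thisisapassword", "gocowboys", "password", "pa55w+rd"}


def _is_sequence(text):
    """True for digit runs such as 1234567, 87654321 or 00000000."""
    if not (text.isascii() and text.isdigit()):
        return False
    steps = {int(b) - int(a) for a, b in zip(text, text[1:])}
    return len(steps) == 1 and steps <= {-1, 0, 1}


def check_password(password, banned=BANNED, context=()):
    """Return a list of rejection reasons; an empty list means accept.

    Deliberately absent: composition rules, hints, security questions
    and expiry timers. `context` holds account-specific values such as
    the user's street address (hypothetical parameter).
    """
    pw = unicodedata.normalize("NFKC", password)  # assumption: normalise first
    folded = pw.casefold()                        # compare case-insensitively
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append("too short")
    if len(pw) > MAX_LENGTH:
        reasons.append("too long")
    if folded in banned:
        reasons.append("on banned list")
    if _is_sequence(pw):
        reasons.append("numeric sequence")
    if any(word and word.casefold() in folded for word in context):
        reasons.append("contains account-specific value")
    return reasons
```

Returning every reason at once puts the burden on the verifier: the user sees all problems in one pass instead of discovering them one rejection at a time.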
