Passwords are the first line of defense for any online account. Unfortunately, it is not always clear what the best password practices are, especially when the commonly held wisdom on the topic has done nothing to slow the steady stream of breaches at some of the most popular internet sites.
Online users have been told for years that the best way to improve password security is to build complicated strings of mixed-case letters, numbers and symbols. Another regular tip is to change your password every few months.
But as it turns out, some of that commonly held wisdom is being challenged among security professionals.
The National Institute of Standards and Technology (NIST) is a federal agency that has for years set the benchmark for password security. Its recommendations are binding on federal agencies and shape the security measures taken by many prominent companies. The organization's latest guidelines, Special Publication 800-63B (Digital Identity Guidelines), published in 2017, upend much of what we have been hearing for decades about the best way to keep accounts secure.
With their latest guidance — and your online protection in mind — we’ve compiled a brief guide to increasing your password security.
Never Repeat Passwords
This one has long been a tenet of password security. In fact, you will see most of our security guidelines begin with the advice to create a unique password for each account, one that has never been used before and will not be reused elsewhere. The reason is simple: if you reuse credentials, an attacker who obtains one set (for example, from a breached site) can replay them against your other accounts, a technique known as credential stuffing. For the same reason, NIST says that a service should refuse any password that has appeared in a previous breach.
Complex Isn’t Always Better
Here is where the new guidelines depart from traditional practice. Many companies require employees to use a complex mix of cases, letters, numbers and symbols and to change that password frequently. These combinations are hard to remember, but that means they are hard to crack too, right? Not really. Composition rules push people toward predictable patterns (a capital letter first, a digit and a symbol at the end, "a" swapped for "@"), and forced rotation tends to produce Password1, Password2 and so on. Cracking tools try exactly those patterns first, so the rules burden human memory without adding much obstacle for a computer. NIST now says verifiers should not impose composition rules and should not require periodic changes unless there is evidence the password has been compromised; instead, it recommends favoring length.
NIST refers to a password as a "memorized secret," suggesting you choose something you can easily remember but that nobody else would know. This still keeps the password away from commonly used combinations, but makes it easier on human memory. The guidelines require a minimum of 8 characters for a user-chosen secret and say that verifiers should accept at least 64 characters, so a long passphrase is never silently cut off.
NIST also says verifiers should accept spaces and all printing characters, including Unicode, so a longer password can be a phrase rather than a single word. (The organization points out that increased length helps against guessing and cracking, but does not protect against phishing, keystroke logging or social engineering attacks, which capture the password regardless of its strength.)
NIST also treats randomly generated secrets as stronger than user-chosen ones; its rules allow a random secret to be as short as six characters where a user-chosen one needs eight. So it is a good idea to use a password manager that can generate a long random password for you.
Avoid Dictionary Words
NIST recommends that a verifier check each new password against a blocklist of values that are commonly used, expected or compromised, and tell the user why a rejected choice was refused. The organization does not spell out everything the list should contain, but suggests several categories: passwords exposed in previous breaches, dictionary words, and other likely choices such as the name of the site for which the account is being created.
Users should therefore avoid referencing the context of the login (the site, its purpose, their own username) when constructing a password.
Avoid Sequential/Repeated Letters And Numbers
Another option NIST suggests for the blocklist is sequential or repeated characters. This means you would want to avoid a password that looks something like "BBB333" or "789abc."
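To make the rules in the last few sections concrete, here is an added worked example of a verifier that applies them. It is illustrative code written for this page, not code from the article or from NIST. The breach and dictionary lists are constructed stand-ins for the real corpora a service would use, and the thresholds (minimum 8, maximum 128, runs of 3) are assumptions. It goes slightly beyond the article in one place: it NFKC-normalizes the password first, which SP 800-63B also recommends so that the same passphrase typed on different keyboards compares equal. The generator at the end shows what a password manager does: draw from a cryptographic random source and keep the result only if the same checks pass.

```python
import secrets
import string
import unicodedata

# Constructed sample blocklist entries (not real breach data): stand-ins for
# the categories NIST SP 800-63B says a verifier should screen against.
BREACHED = {"password", "123456", "qwerty", "letmein", "iloveyou"}
DICTIONARY = {"sunshine", "dragon", "football", "monkey", "welcome"}

MIN_LEN = 8     # NIST minimum for a user-chosen secret
MAX_LEN = 128   # assumption; NIST says verifiers must allow at least 64


def normalize(password: str) -> str:
    """Unicode NFKC normalization, as SP 800-63B recommends, so that e.g.
    fullwidth letters compare equal to their ASCII forms."""
    return unicodedata.normalize("NFKC", password)


def has_repeated_run(pw: str, run: int = 3) -> bool:
    """True if any character repeats `run` or more times in a row ('BBB333')."""
    count = 1
    for prev, cur in zip(pw, pw[1:]):
        count = count + 1 if cur == prev else 1
        if count >= run:
            return True
    return False


def has_sequential_run(pw: str, run: int = 3) -> bool:
    """True if `run` consecutive characters step by +1 or -1 in code point,
    case-insensitively ('789', 'abc', 'cba')."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        codes = [ord(c) for c in low[i:i + run]]
        diffs = {b - a for a, b in zip(codes, codes[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def check_password(password: str, *, site: str = "", username: str = "") -> list:
    """Return the list of reasons the password is rejected (empty = accepted).
    No composition rules are applied: length and the blocklist do the work."""
    pw = normalize(password)
    low = pw.lower()
    reasons = []
    if len(pw) < MIN_LEN:
        reasons.append(f"shorter than {MIN_LEN} characters")
    if len(pw) > MAX_LEN:
        reasons.append(f"longer than {MAX_LEN} characters")
    if low in BREACHED:
        reasons.append("appears in a known breach")
    if low in DICTIONARY:
        reasons.append("is a single dictionary word")
    # Context-specific words: the site name or the account's own username.
    for label, ctx in (("site name", site), ("username", username)):
        if ctx and ctx.lower() in low:
            reasons.append(f"contains the {label}")
    if has_repeated_run(pw):
        reasons.append("contains a run of repeated characters")
    if has_sequential_run(pw):
        reasons.append("contains a sequential run of characters")
    return reasons


def generate_password(length: int = 20) -> str:
    """What a password manager does: draw from a CSPRNG (`secrets`) and
    regenerate in the rare case the candidate trips one of the checks."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate):
            return candidate


if __name__ == "__main__":
    for sample in ("BBB333", "789abc", "password", "correct horse battery staple"):
        print(repr(sample), "->", check_password(sample) or "accepted")
    print("example2024!", "->", check_password("example2024!", site="example"))
    print("generated:", generate_password())
```

A verifier in production would swap the two sets for a real breach corpus (ideally queried in a way that never sends the plaintext password over the network) and a full dictionary. The sequential-run check is the one to tune: with a window of 3 it also flags ordinary words such as "stuff" (s-t-u), which is why NIST lists it as something a verifier may do rather than must do.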
The latest password guidelines should make life easier for the average internet user. It is not necessary to have an extraordinarily complex password for every site. It is, however, still essential to use a unique and strong password for each account. If you want to follow NIST's lead with your personal passwords, choose long passphrases that avoid dictionary words, that only you would know, that have not appeared in a previous breach, and that do not repeat or sequence letters and numbers. And remember: a password manager can generate and store all of this for you.