Everything you know about passwords is wrong
Long-established guidance on passwords has been that they should be at least 8 characters, changed regularly and contain a mix of character types. New guidance from the National Institute of Standards and Technology (NIST) turns that advice on its head: those rules produce passwords that are hard for users to remember but easy for attackers to guess.
The new NIST Digital Identity Guidelines include:
- Favour long passphrases made of ordinary lowercase words over short strings of mixed characters (e.g. Ihavethreesistersandonedog)
- No forced periodic expiry; change a password only when there is evidence it has been compromised
- Allow special characters but don't require them
- Reject passwords that appear in lists of previously breached passwords
The new guidelines improve security because a long passphrase has a far larger search space than a short password, even with no special-character requirement: eight characters drawn from the 95 printable ASCII symbols give about 52 bits of entropy, while six words picked at random from a 7,776-word list give about 77. The caveat is that the words must actually be chosen at random; a grammatical sentence, or a phrase quoted in an article, is one entry in an attacker's dictionary, not a random draw.
It's still a good idea to use a different password for every site and a password manager to keep track of them. Services like HaveIBeenPwned.com and PasswordPing.com track passwords that have appeared in known breaches.
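As an added example (not part of the original article), the following Python works through the search-space math behind that comparison and the two pieces a login system needs to enforce the new rules: a random passphrase generator, and a breached-password lookup in the k-anonymity "range" shape used by the Pwned Passwords API (send the first five hex characters of the SHA-1, compare the rest locally). The wordlist, the breach corpus and its counts are constructed for the example; a real deployment would query the live service or a local copy of its list.

```python
import hashlib
import math
import secrets

PRINTABLE_ASCII = 95    # 26 lower + 26 upper + 10 digits + 33 symbols
DICEWARE_WORDS = 7776   # size of a Diceware / EFF large wordlist (6**5)


def entropy_bits(choices: int, length: int) -> float:
    """Bits of entropy for `length` items drawn uniformly from `choices` options.

    This is the whole argument in one line: entropy grows linearly with
    length but only logarithmically with alphabet size.
    """
    return length * math.log2(choices)


def days_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Wall-clock time to try every candidate at an offline guessing rate."""
    return 2 ** bits / guesses_per_second / (24 * 3600)


def policy_comparison(guesses_per_second: float = 1e10) -> dict:
    """Compare the old 8-char mixed rule with random passphrases of 4 and 6 words."""
    policies = {
        "8 chars, all printable ASCII": entropy_bits(PRINTABLE_ASCII, 8),
        "4 random Diceware words": entropy_bits(DICEWARE_WORDS, 4),
        "6 random Diceware words": entropy_bits(DICEWARE_WORDS, 6),
    }
    return {name: (round(bits, 1), days_to_exhaust(bits, guesses_per_second))
            for name, bits in policies.items()}


# Constructed stand-in for a real wordlist; the entropy figures above assume
# the full 7,776-word list, not this toy one.
SAMPLE_WORDLIST = ["three", "sister", "dog", "river", "candle", "orbit", "maple", "quiet"]


def random_passphrase(wordlist, n_words: int, sep: str = " ") -> str:
    """Dictionary words are fine *because* each is an independent random draw.
    A memorable sentence, or a phrase quoted in an article, is a single
    dictionary entry and gets none of this entropy."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def sha1_prefix_suffix(password: str) -> tuple:
    """Split the upper-case hex SHA-1 into the 5-char prefix a range query sends
    and the 35-char suffix that is compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def build_range_response(breached_counts: dict, prefix: str) -> str:
    """Constructed server side for offline use: 'SUFFIX:COUNT' lines for every
    listed password whose hash shares `prefix`. The live Pwned Passwords
    service returns the same shape for GET /range/{prefix}."""
    lines = []
    for pw, count in breached_counts.items():
        p, s = sha1_prefix_suffix(pw)
        if p == prefix:
            lines.append(f"{s}:{count}")
    return "\n".join(lines)


def breach_count(password: str, range_response: str) -> int:
    """How many times `password` appears in the breach corpus (0 = not seen).
    Only the 5-char prefix ever leaves the client; the full hash is never sent."""
    _, suffix = sha1_prefix_suffix(password)
    for line in range_response.splitlines():
        sfx, _, count = line.strip().partition(":")
        if sfx == suffix:
            return int(count)
    return 0


# Constructed breach corpus for the example (the counts are made up).
CONSTRUCTED_BREACHES = {"password": 3_730_471, "Ihavethreesistersandonedog": 42}


def is_acceptable(password: str, breached_counts: dict = CONSTRUCTED_BREACHES,
                  min_len: int = 8) -> bool:
    """The screening a registration form needs under the new rules: a length
    floor and a breach check, but no composition rules."""
    if len(password) < min_len:
        return False
    prefix, _ = sha1_prefix_suffix(password)
    return breach_count(password, build_range_response(breached_counts, prefix)) == 0


if __name__ == "__main__":
    for name, (bits, days) in policy_comparison().items():
        print(f"{name:30s} {bits:5.1f} bits  ~{days:,.1f} days at 1e10 guesses/s")
    print("passphrase:", random_passphrase(SAMPLE_WORDLIST, 6))
    print("'password' acceptable?", is_acceptable("password"))
    print("'Ihavethreesistersandonedog' acceptable?", is_acceptable("Ihavethreesistersandonedog"))
```

Run as a script it prints the three policies side by side: the eight-character policy falls in about a week at ten billion guesses per second, the six-word passphrase in hundreds of millions of days, and both the classic "password" and the article's own example are rejected by the breach check because the constructed corpus lists them.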
Senior Cloud Security Engineer, Data Security and Insider Threat Strategy (6 years ago):
Great info, thanks for sharing.
Head of Zerto Sales Strategy, Operations, and Enablement (6 years ago):
And never, ever use passwords cited in security articles, such as "Ihavethreesistersandonedog", because they're quickly loaded into brute-force dictionaries and used to compromise all the folks who go "Haha, that's funny, nobody will use that so I will!" or "I can't think of anything good so I'll use that."
Good input, Chris. It makes sense and the math bears it out. Reminds me of this "easy to remember, but hard to guess" explanation: https://xkcd.com/936/