Previous NIST Password Guidelines

Back in 2003, Bill Burr, a NIST manager at the time, created guidelines for password complexity.  He recommended the inclusion of special characters, numbers, and capital letters in all passwords.  As a result, users ended up changing their password from “password” to “P@ssword1!” (yes, it’s that common).

He also recommended that passwords should be changed every 90 days, and “P@ssword1!” turned into “P@assword12!”.  Software and websites implemented these recommendations in different ways.  You might be able to use the “&” symbol in one place, but not another.  Consequently, we ended up with so many passwords that password managers have become widely used.  Fast forward to 2017 and Bill Burr has admitted to regretting making these recommendations (Wall Street Journal).

Current NIST Password Guidelines

We’re moving away from passwords and replacing them with passphrases.  It turns out to be harder to remember G1bb3r!sh (gibberish) than GibberishNonsenseClearlyBetter.  NIST also recommends upping the allowed password length to 64 characters, paving the way for using these passphrases.  Lastly, NIST has eliminated the policy of changing your password every 90 days and the entire stored hint system.

These new recommendations help eliminate user frustration.  Using passphrases makes passwords easier to remember.  The strength in this type of password is the length.  The example used above, “G1bb3r!sh”, is only 9 characters long.  According to this calculator, a 9 character password like this could be cracked by a computer in 4 weeks.  In contrast, “GibberishNonsenseClearlyBetter” is 30 characters long and includes no special characters or even numbers.  A long passphrase like this dramatically increases the time to crack to an astonishing 2 decillion years (2 followed by 33 zeros).
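As an added example (not part of the original post), here is a small Python calculation that makes the length-versus-complexity argument concrete: it sizes the character set each password draws from, converts that to exhaustive-search bits, and estimates crack time at an assumed guess rate.  The guess rate is a placeholder chosen for illustration, not the calculator the post refers to, so the absolute years differ; the ratio between the two passwords is what matters.

```python
import math
import string

# Constructed assumption: an attacker guessing at this fixed rate.  This is a
# placeholder to make the comparison concrete, not the post's calculator.
GUESSES_PER_SECOND = 1e11
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def charset_size(password: str) -> int:
    """Size of the union of standard character classes the password uses."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def brute_force_bits(password: str) -> float:
    """Exhaustive-search strength in bits: log2(charset ** length)."""
    return len(password) * math.log2(charset_size(password))


def years_to_crack(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Years to try every string of this charset and length at `rate` guesses/s."""
    guesses = charset_size(password) ** len(password)
    return guesses / rate / SECONDS_PER_YEAR


def fits_limit(password: str, max_length: int) -> bool:
    """Whether a site capping secrets at `max_length` would accept this one."""
    return len(password) <= max_length


if __name__ == "__main__":
    for pw in ("G1bb3r!sh", "GibberishNonsenseClearlyBetter"):
        print(f"{pw!r}: {len(pw)} chars, charset {charset_size(pw)}, "
              f"{brute_force_bits(pw):.0f} bits, ~{years_to_crack(pw):.3g} years, "
              f"16-char site accepts: {fits_limit(pw, 16)}, "
              f"64-char site accepts: {fits_limit(pw, 64)}")
```

Despite using only letters, the 30-character passphrase has roughly three times the bits of the 9-character mixed-class password, because length multiplies the exponent while extra character classes only grow the base.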

Password Recommendations

While the use of passphrases represents a dramatic leap in ease of use, don’t make things easy on hackers.  If your kids’ names are John, Paul, George, and Ringo, making your passphrase JohnPaulGeorgeRingo puts your passphrase within easy reach of anyone with the slightest information about you.

Instead, put words together that mean something to you and will be easy to remember.  Look around the room you’re in and string together items as you look from left to right.  I’ve done the same as I’m writing this, and I end up with DeskBackpackTrashcanTelevision (which is yet again, 30 characters).

Start Using Passphrases Today

Make use of passphrases wherever you can.  The only factor that could prevent you from doing so is character length.  The 16-character limit will take some time to disappear completely, but even a 16-character passphrase is more secure than a shorter, complex password.
