To those who think Th!$ i$ Th3 b3$t w4y t0 wr!t3 a P@$$w0rd, think again. The National Institute of Standards and Technology (NIST) has published revised guidelines on password security that reverse several of the old rules, judging them counterproductive for the people who actually have to use the passwords.
Paul Grassi, NIST Senior Standards and Technology Adviser, said in an interview with NPR, “The traditional guidance is actually producing passwords that are easy for bad guys and hard for legitimate users.”
Previously, the NIST password guidelines called for a combination of lower- and uppercase letters, numbers, and special characters to constitute a strong password. Bill Burr, the author of that 2003 password primer, recently told The Wall Street Journal that he now disagrees with his original recommendation.
The updated guidance, contained in NIST Special Publication 800-63B (Digital Identity Guidelines), discusses the security risk that highly complex passwords introduce. “Highly complex memorized secrets introduce a new potential vulnerability: they are less likely to be memorable, and it is more likely that they will be written down or stored electronically in an unsafe manner. While these practices are not necessarily vulnerable, statistically some methods of recording such secrets will be. This is an additional motivation not to require excessively long or complex memorized secrets.”
The guidelines no longer call for a mix of letters, numbers, and special characters. SP 800-63B treats length, not character composition, as the primary strength factor: verifiers should not impose composition rules, should accept long passwords (at least 64 characters), and should instead check a candidate against a blocklist of compromised, dictionary, and context-specific values. In practice that favors long phrases of ordinary English words, which can be typed entirely in lowercase.
Additionally, previous guidelines called for a password change every 90 days. The new rules drop this practice: as Engadget reports, NIST now recommends forcing a change only when there is evidence the password has been compromised, such as a breach. The guide is explicit that a password does not need to expire periodically to remain secure.
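The acceptance rules above are straightforward to turn into a verifier-side check. The following is an added example written for this page, not code from NIST or from the article's author. It follows the memorized-secret rules in SP 800-63B section 5.1.1.2: a minimum of 8 characters, no composition rules, Unicode normalized (NFKC) before the length check, and rejection of blocklisted, repetitive or sequential, and context-specific values. The breached-password list, the 256-character upper bound, and the case-folded comparison are assumptions made for illustration; a real deployment would use a breach corpus of millions of entries.

```python
import unicodedata
from typing import Tuple

# Constructed, illustrative blocklist. In production this would be a large
# corpus of passwords from previous breaches plus common dictionary words.
BREACHED_BLOCKLIST = {"password", "123456", "qwerty", "p@$$w0rd", "letmein"}

MIN_LENGTH = 8     # SP 800-63B: user-chosen memorized secrets SHALL be at least 8 characters
MAX_LENGTH = 256   # SP 800-63B: verifiers SHOULD permit at least 64; the 256 cap is an assumption
                   # to bound the cost of hashing and is well above what NIST requires


def normalize(secret: str) -> str:
    """SP 800-63B recommends NFKC or NFKD normalization before hashing so that
    visually identical input (e.g. the 'fi' ligature vs 'f' + 'i') compares equal."""
    return unicodedata.normalize("NFKC", secret)


def is_repetitive_or_sequential(s: str) -> bool:
    """True for a single repeated character ('aaaaaaaa') or a run of
    consecutive code points in either direction ('12345678', 'hgfedcba')."""
    if len(set(s)) == 1:
        return True
    diffs = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return diffs in ({1}, {-1})


def check_memorized_secret(secret: str, username: str = "", service: str = "") -> Tuple[bool, str]:
    """Return (accepted, reason). No composition rules are applied: length and
    the blocklist do the work. Case folding for the blocklist match is an
    implementation choice, not a NIST requirement."""
    s = normalize(secret)
    if len(s) < MIN_LENGTH:
        return False, f"too short: {len(s)} < {MIN_LENGTH} characters"
    if len(s) > MAX_LENGTH:
        return False, f"too long: {len(s)} > {MAX_LENGTH} characters"
    folded = s.casefold()
    if folded in BREACHED_BLOCKLIST:
        return False, "appears in breached-password blocklist"
    if is_repetitive_or_sequential(s):
        return False, "repetitive or sequential characters"
    for ctx in (username, service):
        if ctx and ctx.casefold() in folded:
            return False, f"contains context-specific value {ctx!r}"
    return True, "accepted"


if __name__ == "__main__":
    for candidate in ["P@$$w0rd", "12345678", "this is the best way to write a password"]:
        print(f"{candidate!r}: {check_memorized_secret(candidate, username='alice')}")
```

Note what the check does and does not do: the heavily substituted `P@$$w0rd` satisfies every classic composition rule yet is rejected because it is a known breached value, while a long all-lowercase phrase passes without containing a single digit or symbol.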
MetroStar’s Director of Cybersecurity Clay Calvert compared the number of possible combinations for passphrases (a string of ordinary English words written in lowercase) against passwords (a combination of characters, including letters, numbers, and symbols) to gauge their relative strength and determine the better approach to password security.
In the table below, the first column gives the number of words or characters. The second column shows the number of possible combinations for a passphrase of 1 through 20 words, and the third shows the same for a password of 1 through 20 characters.
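The comparison depends on two numbers the table itself does not state: how many words the attacker must consider per position, and how many characters. The following added example (not MetroStar's or the article's own code) builds the same kind of table from those two parameters and also answers the practical question the table raises: how many random characters a passphrase of n words is worth. The 7,776-word vocabulary (a Diceware-sized list) and the 95-symbol printable-ASCII alphabet are assumptions; the functions work for any values.

```python
import math
from typing import List, Tuple

# Assumptions for the worked comparison; the page does not state either figure.
PRINTABLE_ASCII = 95        # 26 lower + 26 upper + 10 digits + 32 punctuation + space
LOWERCASE_WORDLIST = 7776   # size of a Diceware-style list of common lowercase words


def keyspace(symbols: int, length: int) -> int:
    """Number of distinct secrets of `length` positions, each chosen from `symbols`
    equally likely options. Attackers who know the word list still face this count."""
    return symbols ** length


def bits(symbols: int, length: int) -> float:
    """Keyspace expressed as bits of entropy: length * log2(symbols)."""
    return length * math.log2(symbols)


def equivalent_chars(words: int, wordlist: int = LOWERCASE_WORDLIST,
                     alphabet: int = PRINTABLE_ASCII) -> int:
    """Smallest random character-password length whose keyspace is at least
    that of `words` random words drawn from `wordlist`."""
    return math.ceil(bits(wordlist, words) / math.log2(alphabet))


def comparison_table(max_n: int = 20, wordlist: int = LOWERCASE_WORDLIST,
                     alphabet: int = PRINTABLE_ASCII) -> List[Tuple[int, int, int]]:
    """Rows of (n, combinations for n words, combinations for n characters)."""
    return [(n, keyspace(wordlist, n), keyspace(alphabet, n)) for n in range(1, max_n + 1)]


if __name__ == "__main__":
    print(f"{'n':>3} {'words':>80} {'characters':>40}")
    for n, w, c in comparison_table():
        print(f"{n:>3} {w:>80} {c:>40}")
    for n in (3, 4, 5, 6):
        print(f"{n} random words ~ {bits(LOWERCASE_WORDLIST, n):.1f} bits"
              f" ~ {equivalent_chars(n)} random printable characters")
```

The important caveat the table can obscure: the word count, not the character count, is what bounds an attacker who knows you used a dictionary. A four-word phrase from a 7,776-word list has about 52 bits of entropy, roughly that of 8 fully random printable characters, even though it is 20 or more characters long. Words chosen by a person rather than at random are worth less still, which is why the blocklist check matters more than counting symbols.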