Like you, we always thought the best passwords used irregular capitalization, special characters and at least one number.
Something like S@fe7y.
Turns out the author of that advice, Bill Burr, admitted in a Wall Street Journal interview that those password security tips leave us even more vulnerable to hackers. Burr authored an 8-page document back in 2003 when he worked at the National Institute of Standards and Technology (NIST) that included all of those aforementioned recs, plus changing your password every three months.
So what’s the problem, exactly? The issue is “that most people tend to use the same exact techniques when crafting these digital combo locks,” according to this story in The Verge. “That results in strings of characters and numbers that hackers could easily predict and algorithms that specifically target those weaknesses.”
So, you might be asking, what are the new best practices on how to create a strong password?
Here they are, according to the new NIST standards, published in June 2017.
- Passwords should be at least 8 characters in length. Longer is better.
- Passphrases work well. Again, the longer the better.
- Lowercase letters and typical English words are OK.
- Random is better — skip the lyrics from a song or text from your favorite book.
- There’s no need to use special characters or to mix lowercase and uppercase letters.
Still feeling a bit lost as to where to start on how to create a strong password? Don’t worry, we were a bit overwhelmed as well.
Consider using the Diceware method to come up with your passphrase. This Intercept story explains it well. Essentially you use actual dice, roll them and write down the numbers you get to generate true randomness. Then you use the numbers to look up words in the Diceware word list.
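The dice-to-word lookup described above, as an added Python example that is not taken from the Intercept story or the Diceware project. It assumes the list layout of five dice digits followed by a word; the sample entries and their keys are constructed, and `software_rolls` swaps the physical dice for the operating system's random number generator.

```python
import math
import secrets

# Constructed excerpt in the assumed list layout (five dice digits, whitespace, word).
# The keys are made up for this example; they are not the real list's assignments.
SAMPLE_LIST = """\
11111 alden
24316 waive
35562 stance
41253 lice
52664 quip
66666 kombu
"""

def parse_wordlist(text):
    """Return {five-digit key: word}, rejecting malformed or duplicate keys."""
    table = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, word = line.split(None, 1)
        if len(key) != 5 or set(key) - set("123456"):
            raise ValueError(f"bad dice key: {key!r}")
        if key in table:
            raise ValueError(f"duplicate key: {key!r}")
        table[key] = word.strip()
    return table

def words_from_rolls(rolls, table):
    """Turn a flat list of dice results (ints 1-6) into words, five rolls per word."""
    if not rolls or len(rolls) % 5:
        raise ValueError("need five rolls per word")
    if any(r not in range(1, 7) for r in rolls):
        raise ValueError("each roll must be between 1 and 6")
    keys = ["".join(map(str, rolls[i:i + 5])) for i in range(0, len(rolls), 5)]
    return [table[k] for k in keys]  # KeyError if the list lacks that key

def software_rolls(n_words):
    """Substitute for physical dice: draw each roll from the OS CSPRNG."""
    return [secrets.randbelow(6) + 1 for _ in range(5 * n_words)]

def entropy_bits(n_words, list_size=6 ** 5):
    """Bits of entropy when each word is picked uniformly from the full list."""
    return n_words * math.log2(list_size)
```

Five dice give 6^5 = 7,776 possible keys, so a seven-word passphrase carries about 90 bits of entropy regardless of how ordinary the individual words look.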
In the end, your passphrase will resemble something like:
Alden waive stance lice quip myron kombu
Notice you don’t see any of the most commonly used words (which, to be clear, we don’t recommend using), published by CBT Nuggets, who looked at 50,000 email/password combos to come up with this list:
Time to break out your dice and get rolling.