What's a Good Password? Security Best Practices for Creating Smarter, Stronger, and Less Annoying Passwords
Nov 07, 2024
In the world of cybersecurity, the humble password is both a front-line defense and a major headache. Crafted to protect, they often serve as cryptic reminders of our collective lack of patience with complex security rules. Whether you’re reusing “password123!” across accounts or bravely attempting “Th1s1sMyP@ssw0rd”, passwords are rarely what they should be—strong, memorable, and user-friendly. Here’s a look at why passwords have traditionally failed us and how updated guidelines from the National Institute of Standards and Technology (NIST) aim to change the game by emphasizing the need to create a strong password.
Understanding Password Security Risks
In today’s digital age, the risks associated with weak passwords are more significant than ever. With the proliferation of online accounts and the sensitive information they hold, a weak password can be a gateway for cybercriminals to access your personal and financial data. Weak passwords, such as “123456” or “password,” are easily guessed or cracked, leaving your information vulnerable to attacks. It’s essential to understand that a weak password is like leaving your front door unlocked—inviting trouble. Strengthening your passwords is the first step in safeguarding your digital life.
The Password Policy of Old: A Legacy We Need to Let Go Of
In 2003, Bill Burr, a manager at NIST, was tasked with writing a set of password best practices. He published an eight-page document, “NIST Special Publication 800-63, Appendix A,” which became the foundation for a generation of password policies. His advice was well-intentioned but, in hindsight, introduced unforeseen vulnerabilities.
- Include at least one special character
- Use a mix of uppercase and lowercase letters
- Add numbers
- Make it at least eight characters long
- Reset every 30-90 days
These recommendations, while secure in theory, had unintended side effects. Password policies became convoluted and challenging to remember, prompting people to resort to obvious tricks—like simply adding “1” to an existing password after each mandatory reset. The result? Passwords didn’t get any safer; they just got more frustrating.
How the “Stronger” Passwords of Yesteryear Are Actually Pretty Weak Passwords
Let’s be honest: password strength is less about how “complex” it appears and more about how hard it is for an attacker to guess or brute-force. Sure, the password “ksiYnd23(dj#aiR$!” looks complex, but it may not be much harder to crack than something simpler if it is derived from a predictable pattern (such as appending “1” to each new version of the same password).
A 2017 analysis by Statista found that 78% of passwords were between three and ten characters long. And about a third of those were eight characters—a length many of us thought was secure. Attackers can now use advanced tools like Markov chains and machine learning to crack complex passwords, reducing the time needed to break them from days to mere minutes.
The Power of Length: Why a Longer Password Really Is Better
One of the most notable changes in the new NIST password guidelines is an emphasis on length over complexity. NIST now recommends:
- Passwords of at least 64 characters, supporting even longer phrases
- Allowing spaces, making it easier to create “passphrases” instead of arbitrary character strings
- Removing the requirement for special characters
By emphasizing length and encouraging users to create memorable phrases, the new guidelines aim to make passwords both stronger and easier to recall. After all, a 50-character passphrase like “My lovely potted cactus likes sunlight” is far more secure than the cryptic (and easily forgettable) “@B7$k!3p”.
NIST’s Modern Password Best Practices: A Guide to Sanity and Security
NIST’s updated guidelines, found in Section 10 of their most recent publication, focus on streamlining the password creation process for users while maintaining strong security:
- Avoid forcing complexity: No mandatory special characters, uppercase letters, or numbers.
- Support passphrases: Allow for long passwords and encourage users to aim for 64 characters or more.
- Enable password visibility: Let users “show” their password as they type (at least temporarily), reducing errors during setup.
- Permit copy-paste: Allow users to paste passwords into fields, which is especially useful for password managers.
- Provide clear error messaging: Don’t just say “password rejected”; explain why—e.g., if the password has been previously compromised or is on a blacklist.
- No more regular resets: Only change passwords if they’re compromised, not on arbitrary schedules.
These changes signal a more user-friendly approach, reducing the chance of password fatigue and errors that compromise security. Emphasizing the importance of strong passwords in safeguarding digital assets, these guidelines help users create secure and memorable passwords without unnecessary complexity.
Restricting Predictable and Compromised Passwords to Ensure Unique Passwords
NIST also advises against allowing commonly used, predictable, or compromised passwords. If a password has appeared in a previous data breach, it should be rejected outright. This includes common words, usernames, and passwords like “password123” or “qwerty.” By eliminating predictability, NIST aims to make passwords more unique to each individual, further boosting security.
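As an added example (not code from this article or from NIST), the verifier below applies the policy points from the two sections above: a length floor with no composition rules, spaces and Unicode kept as typed, a check against common and breached passwords (including the “just add a 1” variants), a username check, and specific rejection reasons instead of a bare “password rejected”. The 8-character minimum, the 256-character cap and the blocklist contents are assumptions constructed for the example.

```python
import re
import unicodedata

# Constructed stand-in for a breach corpus / common-password blocklist.
# A real deployment would load a large list built from breached passwords.
BLOCKLIST = {"password", "password123", "qwerty", "123456", "letmein", "iloveyou"}

MIN_LENGTH = 8    # assumed policy floor, a configurable parameter (not from the article)
MAX_LENGTH = 256  # assumed cap, well above the 64 characters a verifier must accept;
                  # it bounds the cost of hashing very long inputs

TOO_SHORT = "too short: need at least {} characters"
TOO_LONG = "too long: at most {} characters"
BLOCKLISTED = "this password (or its base word) appears in a list of common or breached passwords"
HAS_USERNAME = "contains your username"


def normalize(secret: str) -> str:
    """Apply NFKC so look-alike Unicode forms compare equal; spaces are kept as typed."""
    return unicodedata.normalize("NFKC", secret)


def evaluate_password(candidate: str, username: str = "", blocklist=BLOCKLIST) -> list:
    """Return human-readable rejection reasons; an empty list means the password is accepted.

    No composition rules are applied: an all-lowercase passphrase with spaces is fine.
    """
    reasons = []
    secret = normalize(candidate)
    if len(secret) < MIN_LENGTH:
        reasons.append(TOO_SHORT.format(MIN_LENGTH))
    if len(secret) > MAX_LENGTH:
        reasons.append(TOO_LONG.format(MAX_LENGTH))
    lowered = secret.lower()
    # Strip trailing digits/symbols so "Password1!" is compared as "password",
    # catching the "append a 1 after each reset" trick the article describes.
    base = re.sub(r"[\d\W_]+$", "", lowered)
    if lowered in blocklist or base in blocklist:
        reasons.append(BLOCKLISTED)
    if username and username.lower() in lowered:
        reasons.append(HAS_USERNAME)
    return reasons


if __name__ == "__main__":
    samples = [("My lovely potted cactus likes sunlight", "alice"), ("Password1!", "bob"),
               ("ｐａｓｓｗｏｒｄ１２３", "carol"), ("qwerty", "dave"), ("alice2024!", "alice")]
    for pw, user in samples:
        print(repr(pw), "->", evaluate_password(pw, user) or ["accepted"])
```

The full-width sample shows why normalization matters: without NFKC, “ｐａｓｓｗｏｒｄ１２３” would slip past a blocklist that only contains ASCII “password123”.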
Common Password Attacks
Hackers use a range of techniques to break passwords and gain unauthorized access to accounts. Here are some of the most common methods:
- Brute Force Attacks: This method involves using software to try every possible combination of characters until the correct password is found. While time-consuming, it’s effective against short or simple passwords.
- Dictionary Attacks: Hackers use lists of commonly used words and phrases, including variations and common substitutions, to guess passwords. This method is particularly effective against passwords that use real words or predictable patterns.
- Phishing Attacks: In these attacks, hackers pose as legitimate websites or services to trick you into revealing your password. They often use emails or fake websites that look authentic to capture your login details.
- Credential Stuffing: This technique involves using stolen passwords from one account to try and gain access to other accounts. If you reuse the same password across multiple sites, a breach on one site can compromise all your accounts.
Two-Factor Authentication (2FA): The Sidekick to a Strong Password
While passwords alone offer some security, they’re often not enough. NIST strongly encourages two-factor authentication (2FA), which pairs a password with a secondary form of identification—like a text message code, email verification, or an authentication app. Adding 2FA to your security approach is one of the most effective ways to safeguard against unauthorized access, as it creates an additional barrier for attackers.
The Role of a Password Manager and Generators: Friend or Foe?
Password managers can be immensely helpful by storing and generating strong, unique passwords for every account. While they introduce a “single point of failure”—if compromised, all stored passwords are vulnerable—they remain one of the best ways to handle multiple accounts securely. Password generators can also be useful, though it’s wise to avoid relying on online generators that might record your password.
When using a password manager, choose a reputable, well-reviewed option, preferably one that supports zero trust (meaning the password manager vendor never has access to your passwords, only to the encrypted data). Also, never enter a password you actually use into an online strength checker; you cannot know where that input ends up.
Designing Password Policies to Drive Business, Not Frustration
A password policy should help users work efficiently, not serve as an arbitrary hoop to jump through. NIST’s updated guidelines recognize this, balancing security with usability. This approach can benefit businesses by reducing user frustration, strengthening security, and supporting smooth operations.
Incorporating NIST’s recommendations into your organization’s password policy can lead to a security approach that is both robust and less disruptive to workflows. After all, a good security policy should work with people, not against them.
Best Practices for Online Security - All the Recommendations in One Spot
To defend against these common password attacks, it’s crucial to follow best practices for online security:
- Use Strong and Unique Passwords: Ensure each of your online accounts has a strong, unique password. Avoid using easily guessable information like your name or birth date.
- Avoid Weak Passwords: Steer clear of weak passwords that can be easily guessed or cracked. Instead, opt for complex passwords that combine letters, numbers, and symbols.
- Consider a Password Manager: It can create and securely store complex passwords, so you don’t have to remember each one yourself. This tool can also help you avoid using the same password for multiple accounts.
- Enable Multifactor Authentication: Adding an extra layer of security, such as a text message code or authentication app, can significantly enhance your account protection.
- Regularly Change Your Passwords: While NIST no longer recommends frequent password changes, it’s still wise to update your passwords periodically, especially if you suspect a breach.
- Use a Password Vault: Securely store all your passwords in a password vault, ensuring they are protected and easily accessible when needed.
- Avoid Reusing Passwords: Using the same password across multiple accounts increases your risk. Ensure each password is unique to prevent a breach on one site from compromising others.
- Use a Strong Password Generator: Tools like strong password generators can create complex and unique passwords, enhancing your security.
- Keep Your Passwords Confidential: Never share your passwords with anyone and be cautious about where you enter them.
By implementing these best practices, you can significantly reduce the risk of your online accounts being compromised. Remember, a strong and unique password is your first line of defense against cyber attacks, so take the time to create secure passwords for each of your accounts.
Conclusion: Embracing the New Era of Passwords
The digital landscape is evolving, and our approach to passwords must follow suit. The days of short, complex, and frequently changing passwords are behind us. NIST’s new guidelines emphasize practicality, encouraging longer passphrases over arbitrary complexity, allowing for enhanced security and a smoother user experience. By focusing on usability and security, these new practices offer a modern approach to keeping your digital life secure without sacrificing sanity.
So, the next time you’re tempted to use “Password1!”, think again. Embrace a longer, easier-to-remember passphrase and pair it with 2FA for a security approach that’s both practical and strong. In the end, a little extra effort on a longer password goes a long way.