Whatever They Said About Password Creation Is You Know What

Only the few and far between have not had to construct usernames and passwords for various websites and accounts that meet certain criteria before they can proceed to do business or whatever. Typical mandates include passwords that are at least eight characters in length, must have at least one number, one or more special characters, a plethora of upper and lower case letters, and so on and so forth, and the most annoying advice of all: change your passwords on a regular basis.


Choosing a password involves many considerations.

In 2003, Bill Burr, a then mid-level National Institute of Standards and Technology (NIST) manager, was assigned the task of setting rules for effective passwords. He relied on a whitepaper written in the 1980s to make up the rules NIST published, which ironically became the guidelines for institutions, companies, and, you guessed it, we the people of the web.


Having realized the error of its ways, NIST is revising its rules. Addressing the aforementioned tedious task, it now recommends a password change only when a security breach occurs. The organization also claims minor password changes are useless; for example, changing TartSchniffer349 to TartSchniffer348 won’t thwart squat.


Also getting the axe is the recommendation to use a mix of special characters, upper and lower case letters, and numbers. NIST finds these arbitrary restrictions produce less secure passwords while making them tedious, at best, to use.


Even with looser guidelines, common passwords that are easy to remember are not a good idea.

Of course, this does not mean everyone should go back to using 1234 and other common, easy-to-remember, and easy-to-hack configurations and permutations. Essentially, you should read the new guidelines if you are paranoid, then follow or ignore them as you see fit. Works for me. ~MD
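What a checker built on the revised guidance looks like in practice, added here as an illustration and not part of the original post: it keeps only a minimum length and a check against a list of common passwords, deliberately has no upper/lower/digit/special-character rules, has no expiry clock, and rejects a new password that merely increments the old one (the TartSchniffer349 to TartSchniffer348 case above). The blocklist contents, the function names and the reason codes are this example's own assumptions; a real deployment would load a far larger list of common and breached passwords.

```python
import re

# Constructed sample blocklist of common passwords. A real deployment would load
# a much larger list of commonly used and previously breached passwords; that
# source is an assumption left to the deployer.
COMMON_PASSWORDS = {"1234", "123456", "12345678", "password", "qwerty", "letmein"}

MIN_LENGTH = 8  # the eight-character floor mentioned in the post

# Reason codes returned by evaluate_password (names are this example's own).
TOO_SHORT = "too_short"
COMMON = "common"
REUSED = "reused"
TRIVIAL_VARIANT = "trivial_variant"


def _stem(password):
    """Lower-case the password and drop any trailing run of digits or
    punctuation, so TartSchniffer349, TartSchniffer348 and TartSchniffer349!
    all reduce to the same stem and are treated as the same password."""
    return re.sub(r"[\d!@#$%^&*.\-_]+$", "", password.lower())


def evaluate_password(candidate, previous=None):
    """Return the list of reasons the candidate should be rejected; an empty
    list means it is acceptable. Note what is deliberately absent: no demand
    for upper or lower case letters, digits or special characters, and no
    check of how long ago the previous password was set."""
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(TOO_SHORT)
    if candidate.lower() in COMMON_PASSWORDS:
        reasons.append(COMMON)
    if previous is not None:
        if candidate == previous:
            reasons.append(REUSED)
        elif _stem(candidate) == _stem(previous):
            reasons.append(TRIVIAL_VARIANT)
    return reasons


def is_acceptable(candidate, previous=None):
    """Convenience wrapper: True when evaluate_password raises no objection."""
    return not evaluate_password(candidate, previous)


if __name__ == "__main__":
    # Constructed sample inputs: a common short password, a long passphrase
    # with no digits or symbols at all, and the post's incremented example.
    checks = [("1234", None),
              ("correct horse battery staple", None),
              ("TartSchniffer348", "TartSchniffer349")]
    for cand, prev in checks:
        print(repr(cand), "->", evaluate_password(cand, prev) or "ok")
```

The passphrase with spaces and no digits passes, which is the point of dropping composition rules: length and not being on the common list are what matter, and a user who would otherwise bolt a digit onto a word can instead pick something long and memorable.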