Weak passwords are still very common. Many people still use passwords like ‘123456,’ ‘p@ssw0rd’ and ‘asdfjkl;’ to log into secured sites like bank accounts, credit cards and email. If this is you, please change those passwords immediately.  

Even if that’s not you, you may be following the password tips you’ve heard for more than a decade. And that means you should take another look at your passwords based on more recent guidelines.

In 2017, the National Institute of Standards and Technology (NIST) issued its first new password guidelines in more than a decade, updated again in 2020. NIST no longer recommends:

  • Requiring special characters and numbers
  • Mixing capital and lowercase letters
  • Changing passwords regularly

If your company or online accounts use these legacy password requirements, that’s okay – just use them as part of creating longer, stronger passwords.


NIST believes the updated guidelines will help make your accounts more secure by removing frustrating rules and concentrating on something that counts more: length. These two NIST recommendations will probably affect you the most:

Embrace the Passphrase

Make your passwords longer and stronger, perhaps with a phrase like “MyCowIsHappyToday.” Create a random passphrase at least eight characters long – and don’t make it just a single dictionary word.  The old practice of using numbers and special characters, like #, %, & or $, made passwords complex and hard to remember. But it actually didn’t do much to prevent brute force attacks from software-generated consecutive guesses. The best defense for that is length. NIST says longer passwords, no matter the characters used, are stronger – even as long as 64 characters.

If you are required to create a password using the old practices, here are a couple examples of how you could include them in your password: MyCowIsHappy2day! or Thesuncameout2day!

Illustration of password update page rating that says "stronger paraphrase" in bright green letters

Leave it Alone

If your password is strong enough, NIST says you shouldn’t worry about changing it often. While changing passwords regularly isn’t a bad thing, many users just make minor or incremental changes. They may just capitalize a different letter or increase the number at the end by one, making it easy for bad guys to guess the change. Of course, if you receive official notice that it’s time to change your password, take the opportunity to create a new, stronger passphrase right away.

NIST also issued recommendations for answering verification questions. Many verification questions ask for easy-to-find information, like your mother’s maiden name or pet’s name.  If you are prompted to create security questions, make up answers and record those answers since the true answers may be discoverable through social engineering, social media or other public places.

Here are a few other recommendations:

  • Be sure to use a strong password to protect your email account.  A bad guy with access to your email can likely reset your passwords and potentially take over just about every other account you have, like banks, credit cards and social media.
  • Use a unique password for each site and account you have. Bad guys can capture your password from one account and try to use it to get into other accounts.
  • Use a password manager app to help manage passwords, answers to security questions, or other information for your accounts. This will help you keep track of the different user IDs and unique passwords to improve security.
  • Don’t share your log-in credentials with anyone – not even friends and family members. Each time you share your ID and password combination, it potentially weakens your security.

A message from your device provider or password manager that your AT&T online account password appeared in a data leak could mean you used the same credentials on a different online account that experienced a data leak. It does not mean AT&T experienced a data leak. However, once a bad guy has your log-in credentials, any accounts accessible with the same credentials are at risk. If you see a message like this related to your AT&T account, or another account, reset the password through the account management tools and settings.    

Remembering these password guidelines should mean an easier path to better security by making passwords longer, stronger and more user-friendly.