They’re still very common. Weak passwords. Many people still use passwords like ‘123456,’ ‘p@ssw0rd’ and ‘asdfjkl;’ to log into secured sites, like bank accounts, credit cards and email. If this is you, please change those passwords immediately.
If that’s not you, and you followed the password tips you’ve heard for more than a decade, you should take another look at those passwords, too. In 2017, the National Institute of Standards and Technology (NIST) issued its first new password guidelines in more than a decade. These common practices are no longer recommended:
Requiring special characters and numbers
Mixing capital and lowercase letters
Changing passwords regularly
NIST believes the new practices will help make your accounts more secure by removing frustrating rules and concentrating on something that counts more: length. These two NIST recommendations will probably affect you the most:
Embrace the Passphrase
Make your passwords longer and stronger, perhaps with a phrase like “MyCowIsHappyToday.” Create a random passphrase at least eight characters long – and don’t make it just a single dictionary word. (NIST says providers should allow up to 64 characters.) The old practice of using numbers and special characters, like #, %, & or $, made passwords complex and hard to remember. But it actually didn’t do much to prevent brute force attacks from software-generated consecutive guesses. The best defense for that is length.
Leave it Alone
If your password is strong enough, the NIST says you shouldn’t worry about changing it often. While changing passwords regularly isn’t a bad thing, the issue is that many users just make minor or incremental changes. They may just capitalize a different letter or increase the number at the end by one. Of course, if you receive official notice that it’s time to change your password, take the opportunity to create a new, stronger passphrase right away.
The NIST also issued recommendations for companies and organizations. For instance, you may find verification questions asking for easy-to-find information, like your mother’s maiden name or pet’s name, could be phased out. If you are prompted to create security questions, consider making up wrong answers because the right answers may be on your social media page or other public places.
Here are a few other personal recommendations:
Be sure to use a strong password to protect your email account. Your email may be the most important account you have. A bad guy with access to your email can likely reset the passwords and take over just about every other account you have, like banks, credit cards, social media, and others.
Use a unique password for each site and account you have. Bad guys can capture your password from one account and try to use it to get into other accounts.
Use a password manager app to help manage passwords, security questions, or other information for your accounts. This will help you keep track of the different user IDs and unique passwords to improve security.
None of these recommendations are earth-shattering, but the new guidelines should mean an easier path to better security by making passwords more user-friendly.