NIST Password Guidelines Updated


Despite being released about six months ago, few have heard about or implemented the new NIST guidelines for passwords (NIST Special Publication 800-63B, Digital Identity Guidelines). After years of forcing users to change passwords on a schedule and imposing composition rules (one upper case, one lower case, one number, one special character), the results are in: all of this makes user passwords less secure, because of human nature and the limits of memory. Numerous studies have shown that enforcing complexity through character-class rules produces poor-quality, predictable passwords.

Sure, humans can remember a complex string of characters if they use it often enough, but add the requirement that the password must change every 90 days and most people struggle. Inevitably this leads to passwords with an incrementing number at the end (Password!01 becomes Password!02), a pattern attackers know to try, and it holds especially true in corporate environments. Under the new NIST guidelines a verifier should not force periodic changes at all; a change should be required only when there is evidence the password has been compromised. Employees should be jumping for joy at the end of constant password rotation.

Aside from dropping the two older requirements, the new guidance (because there is always a new requirement) says the verifier should compare each new password against a blocklist of commonly used, expected, or compromised values: dictionary words, passwords from previous breach corpora, repetitive or sequential characters ("aaaaaaaa", "12345678"), and context-specific words such as the service name or the username. A password that hits the list is rejected with an explanation and the user is asked to choose another. The guidelines also set a minimum of eight characters and require that passwords of at least 64 characters be accepted. None of this means a password cannot contain dictionary words, but it cannot consist of just a single dictionary word.
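What a verifier-side check along those lines looks like, as an added example that is not code from the original post. The blocklist and the breach corpus below are constructed stand-ins (the counts are made up); the lookup mirrors the k-anonymity "range" query of the Pwned Passwords API, where the client sends only the first five hex digits of the SHA-1 hash and matches the suffix locally, so the password itself never leaves the client. The function names and the tiny corpus are assumptions for illustration.

```python
import hashlib
import re

# Constructed sample blocklist standing in for the "commonly used, expected, or
# compromised" list SP 800-63B says a verifier should screen against.  A real
# deployment would load a large corpus (hundreds of millions of entries).
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "pinecone", "welcome1"}

# Constructed stand-in for a breach corpus held by a k-anonymity lookup service.
# Counts are made up; the lookup format mirrors the Pwned Passwords range API:
# the client sends the first 5 hex digits of SHA-1(password) and receives every
# "SUFFIX:COUNT" line in that range, so the full hash never leaves the client.
FAKE_BREACH_CORPUS = {"Password!01": 12345, "Password!02": 9876,
                      "summer2017": 800, "letmein": 250000}


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def fake_range_lookup(prefix: str) -> str:
    """Server side of the range query (simulated offline here)."""
    lines = []
    for pw, count in FAKE_BREACH_CORPUS.items():
        digest = sha1_hex(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\n".join(lines)


def breach_count(password: str, range_lookup=fake_range_lookup) -> int:
    """Client side: how many times the password appears in breach data (0 if never)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        found_suffix, _, count = line.partition(":")
        if found_suffix == suffix:
            return int(count)
    return 0


def is_sequential(s: str) -> bool:
    """True for runs like 'abcdefgh' or '87654321' (every step +1 or every step -1)."""
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps in ({1}, {-1})


def evaluate(password: str, username: str = "", service: str = "") -> tuple:
    """Apply the SP 800-63B screening rules; returns (accepted, reason).

    Note what is *not* here: no character-class requirements and no expiry date.
    """
    if len(password) < 8:
        return False, "shorter than 8 characters"
    lowered = password.lower()
    if lowered in BLOCKLIST:
        return False, "on the blocklist of common passwords"
    if re.fullmatch(r"(.)\1*", password) or is_sequential(password):
        return False, "repetitive or sequential characters"
    for word in (username, service):
        if word and word.lower() in lowered:
            return False, f"contains context-specific word {word!r}"
    count = breach_count(password)
    if count:
        return False, f"appears {count} times in breach data"
    return True, "ok"


if __name__ == "__main__":
    for pw in ("Password!01", "pinecone", "appletreepinecone", "abcdefgh"):
        print(f"{pw!r}: {evaluate(pw, service='AcmeCorp')}")
```

The rejection reasons are returned deliberately: the guidelines want the user told why a choice was refused so they can pick something else, rather than being bounced by a silent rule.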

To achieve high entropy, users can instead choose longer passwords that are easy to remember, like "appletreepinecone". By the estimate used here, at seventeen characters "appletreepinecone" has an entropy of 62.8 bits and is much harder to crack than a password built under the old rules such as "P!n3C0n3", which is only eight characters and scores 34.3 bits. The exact figures depend on the attacker model behind the estimate: a cracker that guesses three common words at a time does far better against the passphrase than one guessing character by character, and rule-based crackers try leetspeak substitutions like "P!n3C0n3" as a matter of course. The ordering holds either way: length adds more than character-class rules do, and an uncommon word or two in the phrase adds more still. Lastly, whatever password you choose should not be something related to you, such as your birthday or name.
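To make the attacker-model point concrete, here is an added example (not from the original post) that scores both passwords under three models: naive character-set brute force, "run of common words" (after splitting the passphrase into dictionary words), and "one dictionary word with case and leetspeak mangling". The wordlist is a constructed handful of words used only for membership; the list size an attacker would actually work from is an assumed 2000, and the mangling model is a deliberately generous upper bound, both labelled in the code.

```python
import math
import string

# Constructed mini wordlist.  Only membership is tested against it; the size of
# the list an attacker would really use is passed in separately (LIST_SIZE).
WORDS = {"apple", "tree", "pine", "cone", "pinecone", "password", "summer", "dragon"}
LIST_SIZE = 2000  # assumption: attacker's list of common English words

# Common leetspeak substitutions a rule-based cracker undoes (assumed subset).
LEET = {"!": "i", "1": "l", "3": "e", "0": "o", "@": "a", "4": "a",
        "$": "s", "5": "s", "7": "t"}


def charset_entropy_bits(password: str) -> float:
    """Naive estimate: length * log2(alphabet), alphabet = union of classes used."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return len(password) * math.log2(size) if size else 0.0


def segment(password: str, words=WORDS):
    """Split into the fewest dictionary words (dynamic programming); None if impossible."""
    n = len(password)
    best = [None] * (n + 1)
    best[0] = []
    for end in range(1, n + 1):
        for start in range(end):
            if best[start] is not None and password[start:end] in words:
                candidate = best[start] + [password[start:end]]
                if best[end] is None or len(candidate) < len(best[end]):
                    best[end] = candidate
    return best[n]


def passphrase_entropy_bits(password: str, words=WORDS, list_size=LIST_SIZE):
    """Attacker who knows the password is a run of common words: words * log2(list)."""
    parts = segment(password, words)
    return None if parts is None else len(parts) * math.log2(list_size)


def mangled_word_entropy_bits(password: str, words=WORDS, list_size=LIST_SIZE):
    """Crude upper bound for a rule-based attacker who tries each word with every
    capitalisation and leet substitution: log2(list) + 1 bit per character for
    'substituted or not' + 1 bit per character for case.  Real rule sets are far
    smaller than that, so even this figure flatters the password."""
    base = "".join(LEET.get(c, c) for c in password).lower()
    if base not in words:
        return None
    return math.log2(list_size) + 2 * len(password)


if __name__ == "__main__":
    for pw in ("appletreepinecone", "P!n3C0n3"):
        print(pw, round(charset_entropy_bits(pw), 1),
              passphrase_entropy_bits(pw), mangled_word_entropy_bits(pw))
```

Under the naive model the passphrase scores about 80 bits and "P!n3C0n3" about 52; once the attacker knows the structure, the passphrase drops to roughly 33 bits (three words from 2000) and the mangled word to under 27, and the gap between them widens again with every extra word in the phrase.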

On a final note, no blog post about passwords should be written without speaking on two-factor authentication (2FA). A second factor, such as a mobile phone app like Google Authenticator or a text message carrying a one-time PIN (OTP), should always be enabled where it is offered. The NIST guidelines treat codes delivered by SMS as a restricted authenticator, because messages can be intercepted or the phone number hijacked, so prefer an authenticator app or a hardware key when the service supports one; SMS is still far better than a password alone. With a second factor, an attacker who has managed to steal your password cannot log in with it by itself, which gives you time to change the password before the account is actually compromised.
