Creating and maintaining strong passwords just got easier

The National Institute of Standards and Technology (NIST) recently released updated password guidelines that might surprise you in that they’ve made the dark art of keeping yourself secure slightly less cumbersome than before.

As you create accounts or update existing ones, you might start seeing these changes reflected in the requirements and guidelines you encounter. Remember, while these guidelines make things easier, it’s still crucial to use unique passwords for each account. And you really should be using a password manager to help keep track of them all.

Here’s what you need to know about the new rules of passwords.

Longer is stronger

While long passwords have always been more secure than short ones, they’re now more important than ever.

Instead of worrying about mixing uppercase and lowercase letters, numbers, and symbols, focus on creating longer passwords. Aim for at least 8 characters, but the longer, the better: NIST says 15 is a good minimum. (Hint: If you use a password manager, long passwords are just as easy to wrangle as short ones.)

The new guidelines recognize that password length is more important for security than complexity. A long, simple phrase can be much harder to crack than a short, complex one.

Retire routine password changes

Unless a particular app or service mandates it, you no longer need to change your passwords every few months—only if there’s a chance one’s been compromised.

Regular password changes often lead to weaker passwords as people tend to make minor, predictable modifications—Betty234 instead of Betty123, for example. It’s more effective to choose and keep a strong password until there’s a reason to change it.

Passphrases are in

Also not totally new advice, but something to consider: using a string of random words or a memorable phrase as your password.

For example…

“NIST-says-to-use-super-long-passwords”

…is both long and reasonably easy to remember.

Passphrases like this can be much more secure than traditional passwords while being easier to recall without writing them down.

Multi-factor authentication Is a must

While not strictly about passwords, using a second form of verification (like a code sent to your phone) is highly recommended for extra security if it’s offered to you.

This adds an additional layer of protection, making it much harder for unauthorized users to access your accounts even if they somehow obtain your password.

Advice for password people

If you’re in charge of setting password policy for your organization, NIST offers the following guidance.

No more tricky rules: Dump the confusing requirements for different types of characters. You can now require simple phrases that are easy for your users to remember but hard for others to guess.

No more security questions: Those “What was your first pet’s name?” questions are too easy for others to guess or find out via social media.

Let users max out their passwords: The updated guidance calls for setting a minimum password length of 15 characters and allowing a maximum length of 64.

Check out the full range of NIST’s guidance here.