While traditional password security guidelines often emphasize the use of strong passwords and frequent resets, these practices may not be as effective as once thought.

For years, the security industry has recommended a minimum password length (ranging from six characters in the early days to 15 or more characters in many modern recommendations) and complexity in the password content (numbers, special characters, etc.). Additionally, changing the password every 30, 60, or 90 days has been suggested, depending on the value of the accessible information.

However, those who study the psychology and sociology of security have always found problems with these suggestions. For example, when users are required to have a long password, it becomes harder to remember the password they have selected. The result has often been passwords written on sticky notes, on paper under keyboards, or even written and taped to the top of the keyboard in several cases personally witnessed by this author. Requiring regular password changes only adds to the challenge of remembering passwords.

Strong Password Basics: Understanding NIST Guidelines

For this reason, I have recommended that users create passwords using algorithms to make them easier to remember. This was and is a good solution. It works well in systems where you must use a traditional password and where password rules are in place such as those mentioned above.

However, we live in a different world today, and better options are available. NIST (the National Institute of Standards and Technology) has updated its recommendations over the years such that it now advises against composition rules, arbitrary periodic password changes, and always hiding the password during entry. They state the following in NIST Special Publication 800-63B (NOTE: Verifiers are the systems that validate the password at creation and during use):

  • Verifiers SHALL require subscriber-chosen memorized secrets to be at least 8 characters in length. Verifiers SHOULD permit subscriber-chosen memorized secrets at least 64 characters in length.
  • Verifiers SHOULD offer guidance to the subscriber, such as a password-strength meter [Meters], to assist the user in choosing a strong memorized secret. This is particularly important following the rejection of a memorized secret on the above list as it discourages trivial modification of listed (and likely very weak) memorized secrets [Blacklists].
  • Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Do not arbitrarily require verifiers to change memorized secrets (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
  • Verifiers SHOULD permit claimants to use “paste” functionality when entering a memorized secret. This facilitates users in using password managers, widely adopted tools that often enhance the likelihood of choosing stronger memorized secrets.
  • To help claimants successfully enter memorized secrets, verifiers SHOULD offer an option to display the secret — rather than a series of dots or asterisks — until it is entered. This allows claimants to verify their entry if they are in a location where their screen is unlikely to be observed. Verifiers may also permit users’ devices to display individual entered characters for a short time after each character is typed to verify correct entry. This is particularly applicable on mobile devices.

Advantages of Long Passphrases over Complex Passwords

Notice, of particular interest, the requirement of 8 characters but the allowance of up to 64 characters. This fact, in conjunction with the suggestion of not implementing composition rules, leads to the realization that NIST has acknowledged that long passwords are better than short complex passwords. For example, thecowandthehorsewenttomarketFriday is better than Pa$$word1. Now, a good password verifier system will not allow a user to use a password such as Pa$$word1, because it is a trivial variant of a word on every breached-password list, but in many cases it will allow other easily guessed passwords such as Carpenter2022. The point is that allowing long passwords lets users select phrases that are easier to remember (possibly based on some odd or interesting life experience) and much harder to guess or crack.

NIST also recommends that verifiers offer users a password-strength meter. Running the two passwords above through the meter at www.passwordmonster.com (the screenshots are not reproduced here) illustrates the point: the long passphrase is rated strong, and the short complex password is rated weak. For the weak example, adding a “$” symbol only extends the estimated “time to crack” to 5 hours. And just so you know, the Pass$$word1 password has a “time to crack” strength of 0 seconds.
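As an added example (not code from this article or from NIST), here is a small Python verifier that applies the SP 800-63B rules quoted above: it counts Unicode code points after NFKC normalization, enforces a minimum of 8 characters, imposes no composition rules, screens against a blocklist after undoing the trivial modifications users make to dodge one (case, trailing digits or punctuation, symbol-for-letter swaps), and exposes the kind of strength estimate a meter would show. The BREACHED set, the 128-character upper bound and the 1e10 guesses-per-second rate are constructed assumptions for the example, not values from the article.

```python
import math
import unicodedata

# Constructed stand-in for a breached-password list ("Blacklists" in NIST's wording).
# A real verifier would load a large breach-derived corpus; these entries are only
# here so the example runs offline.
BREACHED = {"password", "qwerty", "123456", "letmein", "iloveyou", "welcome"}

MIN_LEN = 8     # NIST SP 800-63B: SHALL require at least 8 characters
MAX_LEN = 128   # Assumption: NIST says SHOULD permit at least 64; 128 only bounds hashing cost

# Common symbol/digit-for-letter substitutions, undone so that trivial variants of a
# blocklisted word (Pa$$word1, P@ssw0rd!) are still recognised as that word.
LEET = str.maketrans({"$": "s", "5": "s", "@": "a", "4": "a", "0": "o",
                      "1": "i", "!": "i", "3": "e", "7": "t"})


def normalize(secret: str) -> str:
    """NIST: apply NFKC before counting or comparing; each code point is one character."""
    return unicodedata.normalize("NFKC", secret)


def canonical(secret: str) -> str:
    """Collapse the modifications people make to dodge a blocklist: case, trailing
    digits/years/punctuation, and leet substitutions. Used for blocklist lookup only."""
    s = normalize(secret).lower()
    s = s.rstrip("0123456789!?.")      # 'Password1', 'Summer2022!' -> base word
    return s.translate(LEET)


def check_memorized_secret(secret: str, blocklist=BREACHED):
    """Verifier-side acceptance test. Returns (accepted, reason).
    Length and blocklist only: no composition rules, no expiry."""
    s = normalize(secret)
    n = len(s)                          # code points, not bytes
    if n < MIN_LEN:
        return False, f"too short: {n} characters, minimum is {MIN_LEN}"
    if n > MAX_LEN:
        return False, f"too long: {n} characters, maximum is {MAX_LEN}"
    if canonical(s) in blocklist:
        return False, "matches a known-compromised password or a trivial variant of one"
    return True, "accepted"


def charset_size(s: str) -> int:
    """Size of the alphabet a brute-force attacker would have to search."""
    size = 0
    if any(c.islower() for c in s):
        size += 26
    if any(c.isupper() for c in s):
        size += 26
    if any(c.isdigit() for c in s):
        size += 10
    if any(not c.isalnum() for c in s):
        size += 33                      # printable ASCII punctuation
    return max(size, 1)


def estimate_bits(secret: str, blocklist=BREACHED) -> float:
    """Strength-meter estimate in bits of guessing work. A blocklist hit is 0 bits no
    matter how many symbols it carries: it is a dictionary lookup, not a search.
    Otherwise fall back to the brute-force keyspace, which is only an upper bound."""
    s = normalize(secret)
    if canonical(s) in blocklist:
        return 0.0
    return len(s) * math.log2(charset_size(s))


def seconds_to_crack(secret: str, guesses_per_second: float = 1e10) -> float:
    """Expected time to search half the keyspace at an assumed offline guess rate
    (1e10/s is a constructed figure for a GPU rig against a fast, unsalted hash)."""
    bits = estimate_bits(secret)
    return (2 ** bits / 2) / guesses_per_second if bits else 0.0


if __name__ == "__main__":
    for pw in ["Pa$$word1", "P@ssw0rd!", "Carpenter2022",
               "thecowandthehorsewenttomarketFriday", "short"]:
        ok, why = check_memorized_secret(pw)
        print(f"{pw!r:40} accepted={ok!s:5} bits={estimate_bits(pw):6.1f} "
              f"t={seconds_to_crack(pw):.3g}s  ({why})")
```

Run against the article's examples, Pa$$word1 and P@ssw0rd! are rejected as trivial variants of "password", while Carpenter2022 passes the blocklist and is accepted, which is exactly the gap the article describes: the blocklist is necessary but not sufficient, and the long passphrase scores far more bits of guessing work than either short password. Note that the verifier never inspects character classes, so a 64-character string of repeated letters is accepted on length alone; only the blocklist and the meter stand between such a choice and the user.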

Secure Password Practices Make Strong Passwords

The moral of the story is simple: longer passwords are stronger than short, complex passwords. If the system in use requires a short, complex password, use an algorithm to generate a password that is hard to guess. If the system in use allows a long password, use a phrase that is easy to remember but odd enough that no one would guess it. These make strong passwords.

Take advantage of modern password managers to store all those various passwords in an encrypted system, because one thing is still very true about passwords: you should not use the same password across the various systems you use.

If an attacker compromises one system and you reused the password, your accounts on other systems are exposed as well. This is particularly true in the modern online world, where most websites are accessed with an email address and password: one compromised system means that your user ID and password can simply be replayed against most other systems. Using a different password for each site prevents such exposure.

Beyond Strong Passwords: A Proactive Approach to Cybersecurity

“In today’s interconnected digital landscape, traditional password security is no longer sufficient to safeguard your business. Cyber threats are evolving at a rapid pace, demanding a more comprehensive and proactive approach. The AACSP CyberSecure course goes beyond the limitations of passwords, equipping you and your team with the essential knowledge and skills to anticipate, mitigate, and respond effectively to cyber threats.

By investing in CyberSecure, you’re not just protecting your data; you’re empowering your team to become cyber-savvy defenders, ensuring your business’s digital resilience.”