Uncle Sam has just issued new guidelines for computer passwords – and, chances are, you and your employer are doing it all wrong.
NIST – the National Institute of Standards & Technology – is, in its Digital Identity Guidelines (Special Publication 800-63B), nixing three long-standing rules: required special characters, short maximum lengths and scheduled password changes.
The problem with required special characters is that they’re hard to remember but not that difficult for a hacker to guess. Most people satisfy the rule in the same predictable way: instead of using “Password” as the password, they simply bolt on a digit and a symbol, as in “Password2!”, and password-guessing tools try exactly those decorations first. Also, the more unusual characters you are forced to use, the more likely it is that you’ll write down your password someplace…where it could be stolen.
As for the length of passwords, NIST wants administrators to accept passwords of at least 64 characters, spaces included, so that a whole phrase can serve as the password. How are you supposed to remember a long password? One method many people use is to select the first letters of each word in a phrase or quotation; the simpler route, and the one the longer limit is meant to enable, is to type the whole phrase.
NIST also tells administrators not to make employees change their passwords on a schedule, only when there is evidence that a password has been compromised, such as a breach or detected hacking attempts. Their efforts should instead focus on blocking passwords that are commonly used or that have been exposed by previous incidents (breach dumps, dictionary words, repeated or sequential characters, and the user’s own name or username)…and on limiting how many consecutive failed login attempts an account will accept before a waiting period kicks in.
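To make the contrast concrete, here is an added example, written for this page and not taken from NIST or the article, of what a login system looks like under the old composition rules versus the new approach: a check with no composition rules but a long maximum length, a blocklist of common and previously exposed passwords, a username check, and a limiter that enforces a waiting period after repeated failed logins. The blocklist, the failure threshold and the lockout delay are constructed for illustration. Stripping trailing digits and punctuation and undoing “leet” substitutions before consulting the blocklist goes a little beyond the article’s “Password2!” example and is this example’s own addition, so that “Password2!” and “P@ssw0rd!!” are both caught by the single entry “password”.

```python
"""Password checks in the spirit of NIST SP 800-63B, as an added example:
no composition rules, a long maximum length, a blocklist of common or
exposed passwords, a username check, and rate limiting of failed logins.
Blocklist contents, thresholds and delays are illustrative assumptions."""
import re
import time
import unicodedata

MIN_LEN = 8      # NIST's floor for user-chosen passwords
MAX_LEN = 128    # verifier must accept at least 64; more is fine

# Constructed sample blocklist (lower-cased).  A real deployment loads a
# large list of commonly used and breach-exposed passwords instead.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "iloveyou", "welcome"}

# Substitutions guessing tools try first; used to reduce "P@ssw0rd" to "password".
_SUBS = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s",
                       "5": "s", "4": "a", "7": "t"})


def legacy_policy(pw: str) -> bool:
    """Old-style composition rule: 8-16 chars with upper, lower, digit and
    symbol.  'Password2!' passes; a long lowercase phrase fails."""
    return (8 <= len(pw) <= 16
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"\d", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def _base_form(pw: str) -> str:
    """Strip the predictable decorations bolted onto a dictionary word:
    leading/trailing digits and punctuation, case, leet substitutions."""
    core = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", pw)   # 'Password2!' -> 'Password'
    return core.lower().translate(_SUBS)


def _is_sequential(s: str) -> bool:
    """True for runs like '12345678' or 'hgfedcba' (constant step of +1 or -1)."""
    if len(s) < 2:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps in ({1}, {-1})


def check_password(pw: str, username: str = "", blocklist=BLOCKLIST):
    """Return None if the password is acceptable, else a short reason.
    Deliberately imposes no character-class requirements."""
    pw = unicodedata.normalize("NFKC", pw)   # SP 800-63B asks for NFKC/NFKD
    if len(pw) < MIN_LEN:
        return "too short"
    if len(pw) > MAX_LEN:
        return "too long"
    lowered = pw.lower()
    if lowered in blocklist or _base_form(pw) in blocklist:
        return "commonly used or previously exposed"
    if username and len(username) >= 3 and username.lower() in lowered:
        return "contains the username"
    if re.fullmatch(r"(.)\1+", pw):          # e.g. 'aaaaaaaa'
        return "repetitive"
    if _is_sequential(pw):
        return "sequential"
    return None


class FailedLoginLimiter:
    """After `max_failures` consecutive failures on one account, refuse
    further attempts until `lockout_seconds` have elapsed.  The threshold
    and delay are assumed values; `clock` is injectable for testing."""

    def __init__(self, max_failures=5, lockout_seconds=300, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._failures = {}       # account -> consecutive failure count
        self._locked_until = {}   # account -> clock time when lock expires

    def allowed(self, account: str) -> bool:
        """May this account attempt a login right now?"""
        until = self._locked_until.get(account)
        if until is None:
            return True
        if self.clock() >= until:               # waiting period is over
            del self._locked_until[account]
            self._failures[account] = 0
            return True
        return False

    def record(self, account: str, success: bool) -> None:
        """Update the counter after an attempt; success resets it."""
        if success:
            self._failures[account] = 0
            self._locked_until.pop(account, None)
            return
        n = self._failures.get(account, 0) + 1
        self._failures[account] = n
        if n >= self.max_failures:
            self._locked_until[account] = self.clock() + self.lockout_seconds


if __name__ == "__main__":
    for cand in ["Password2!", "P@ssw0rd!!", "correct horse battery staple"]:
        print(f"{cand!r}: legacy={legacy_policy(cand)} nist={check_password(cand)}")
```

Running the block prints that “Password2!” satisfies the legacy policy yet is rejected by the blocklist check, while “correct horse battery staple” fails the legacy policy (too long, no digits or symbols) and is accepted by the NIST-style check.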
Like bureaucratic language? Here's a link to the new report.