Why all the secure password advice you’ve heard is probably wrong

No primary category set

From memory I think I’ve only changed a password on a marketplace account once and PayPal never and apparently that’s a good thing. The latest advice on password rules from the US National Institute of Standards and Technlogy (NIST) is that forcing users to change their passwords and setting arbitrary rules is a bad thing.

The original password advice was drawn up by a guy called Bill Burr for NIST and he freely admits in a recent Wall Street Journal interview that he was no security expert and got it wrong. Passwords with capital letters, numbers and other keyboard characters merely makes them harder for humans to remember but do nothing for computers. Hackers even know to try guesses replacing “E” with “3” and “a” with “@” or “o” with “0” and code it into their nefarious tools.

Worse still are the companies who force you to change your password every 30 or 90 days as the deluge of new passwords merely mean that many users make minor changes such as “nameofmydog001” to “nameofmydog002”. Any hacking dictionary can crack the new passwords just as easily as the old one in seconds. Forcing password changes (unless they’re forgotten or there has been a data breach) just makes the user more likely than ever to pick one that’s insecure and more likely to be cracked.

The problem is that the advice we’ve been accustomed to accepting as gospel for years merely made passwords harder for humans to remember and easier for computers to crack – the exact opposite of the original goal.

NIST’s new advice is to make things easier for the user but recommends a minimum of 8 characters (more for passwords for secure applications) but importantly not to set any maximum length. All ASCII characters should be valid including spaces, UNICODE characters and even emojis.

Longer ‘Pass phrases’ are to be encouraged as more secure and easier for humans to remember, so spaces and punctuation are vital.

The bad things to avoid when setting a password policy is to have rules on the composition of passwords. Forget the “Your password must contain at least one upper case letter, one digit and one special character chosen from ~`!@#$%^&*()-_+={}[]|;:”<>,./?”. That’s just going to force people to reuse a password from elsewhere so that they have a chance of memorising it.

Password hints and knowledge based password recovery questions are also bad, forget telling me where you went to school or what the name of your first pet was. More importantly NIST say never force passwords to expire unless there’s good reason to (hack or forgetfulness!).

Naturally all passwords should be encrypted with hashing and salting so that if the password database is every compromised no one can crack the passwords and it would take decades or hundreds of years to do so with technology available today.

One Response

  1. Glad to see they included spaces but the one I really want to see is backspace, that is, you type…

    AbCdEfG – then backspace twice – AbCdE – then add 2W – AbCdE2W

    .. and so on.

    I get that backspace is not ‘normal’ but it is Unicode (U+0008).

    Disclaimer: I have no idea if this is technically possible as passwords are usually only sent from the browser once the password is complete and you hit ‘Enter’.


Temu MASA Certification for User Security and Privacy

Temu MASA Certification for User Security and Privacy

TikTok European User Data Security update

TikTok European User Data Security update

Hack4Values Pro Bono bug hunters for NGOs & nonprofits

Hack4Values Pro Bono bug hunters for NGOs & nonprofits

TikTok Project Clover to safeguard UK EEA User Data

TikTok Project Clover to safeguard UK EEA User Data


Amazon Secure Delivery (One-Time Password)

ChannelX Guide...

Featured in this article from the ChannelX Guide – companies that can help you grow and manage your business.


Take a look through a selection of the latest articles on ChannelX

Register for Newsletter

Receive 5 newsletters per week

Gain access to all research

Be notified of upcoming events and webinars