We’re Thinking About Passwords All Wrong: Eight New Guidelines for Creating a Secure And Memorable Password

Somehow, it's true that everyone’s password is impossible to remember, and yet everyone’s password is also getting hacked. Here's why.

September 05, 2017 by Alex Collins


We live in a world of swirling contradiction. Somehow, it is true that a) everyone’s password is impossible to remember, and yet b) everyone’s password is also getting hacked. As a result, everyone hates setting and resetting and forgetting and losing and changing their passwords! Even, it turns out, the guy who invented doing it.

Bill Burr, formerly of the National Institute of Standards and Technology (NIST), wrote the 2003 NIST guidance that conventional password wisdom, with all of its special-character-and-at-least-one-number infamy, descends from. This August he told the Wall Street Journal what we were all thinking he should say: much of it was wrong, and he regrets it.

The reasons for his mea culpa are obvious:

  • People, generally, use the same password, or a reasonable facsimile of the same password, for every website log-in they have

  • People are bad at remembering these almost-identical passwords

  • Attackers are good at guessing these almost-identical passwords: once one site's password leaks, the obvious variants of it unlock the rest

Thus NIST has released new guidelines on password creation, Special Publication 800-63B. Here's a quick and easy guide to what's in, what's out, and what everyone thinks about it.

OUT: Mandatory mixes of lower and uppercase letters

NIST no longer wants sites to require a capital letter. The reasoning behind the old rule was sensible, but in practice it changes almost nothing. Most people satisfy it by capitalizing the first letter, and when a reset is forced they change a single character anyway, a lowercase letter to an uppercase one, an exclamation point to a question mark, et cetera. Password-cracking tools ship with rule sets that try exactly these tweaks, so an attacker figures it out within the first few guesses.

IN: Plain lowercase words strung into a phrase

Here’s what NIST technology adviser Paul Grassi told NPR: If you can picture it in your head, and no one else can, that’s a good password. This fun cartoon distills the theory perfectly. The trick is to invert the old ratio.

Passwords, generally, are difficult for you to remember, but easy for hackers to guess. That’s untenable. To reverse it, stop using jumbled esoteric gibberish as your gateway to the digital world. Start using everyday words in an order that forms a memory only you can relate to.

OUT: Mandatory special characters

Again, the reasoning is sound in theory: replacing certain letters with numbers or symbols should make a word harder to guess, which is the whole point. But practical constraints muddy the logic. According to Vox, the average person has 27 separate log-ins. People, understandably, fall back on simple and similar variations of the same words and numbers, and the substitutions they pick (a to @, o to 0, s to $) are the same ones cracking tools already try, so the symbol buys almost nothing.
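To make the point about case tweaks and character substitutions concrete, here is an added example (it is not code from the article or from NIST). It enumerates the variants of one base word that a cracking rule set tries first, in the style of tools such as hashcat, and compares that small set with the keyspace the password appears to have. The substitution table and suffix list are illustrative assumptions, a tiny cut of what real rule sets contain.

```python
"""Why casing tricks, digit-for-letter swaps and '!' suffixes add so little.

Added example, not from the article: it derives the candidates a rule engine
would try from one base word and compares that pool with the password's
apparent size. LEET and SUFFIXES are assumed, illustrative rule sets.
"""
import itertools
import math

# Substitutions that cracking rule sets apply routinely (assumed, illustrative).
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}

# Suffixes people add to satisfy "must contain a digit or symbol" (assumed, illustrative).
SUFFIXES = ["", "1", "123", "!", "1!", "2017", "2017!"]

PRINTABLE_ASCII = 95  # size of the character set the password "could" be drawn from


def case_variants(word):
    """The three casings people actually use: all lower, all upper, initial capital."""
    return {word.lower(), word.upper(), word.capitalize()}


def leet_variants(word):
    """Every combination of applying or not applying each substitution."""
    positions = [i for i, c in enumerate(word) if c.lower() in LEET]
    out = set()
    for mask in itertools.product((False, True), repeat=len(positions)):
        chars = list(word)
        for apply, i in zip(mask, positions):
            if apply:
                chars[i] = LEET[chars[i].lower()]
        out.add("".join(chars))
    return out


def mangle(base):
    """All candidates the rule set derives from one base word."""
    candidates = set()
    for cased in case_variants(base):
        for leet in leet_variants(cased):
            for suffix in SUFFIXES:
                candidates.add(leet + suffix)
    return candidates


def apparent_bits(password):
    """Entropy the password would have if every character were random printable ASCII."""
    return len(password) * math.log2(PRINTABLE_ASCII)


def effective_bits(base):
    """Entropy if the attacker knows the base word and only has to try its variants."""
    return math.log2(len(mangle(base)))


if __name__ == "__main__":
    for base, chosen in [("password", "P@ssw0rd1!"), ("summer", "Summer2017!")]:
        pool = mangle(base)
        print(f"{chosen!r}: produced by the rules = {chosen in pool}, "
              f"looks like {apparent_bits(chosen):.0f} bits, "
              f"really about {effective_bits(base):.1f} bits ({len(pool)} guesses)")
```

"P@ssw0rd1!" looks like a ten-character password drawn from 95 symbols (about 66 bits), but it is one of only 336 strings the rules above spin out of "password", under 9 bits of work for an attacker who starts from a dictionary.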

IN: Long, memorable phrases

Is there something that happened to you that only you could recall—“thebelmontbusisalwayslateontuesday”? Or a private joke, or special memory, that you can uniquely conjure—“atebadmusselsinmissouri”? This kind of unusual but intuitive phrase takes bad guys much more effort to crack, because its strength comes from length and from not being a common quote, song lyric or saying that already sits in a wordlist. The new guidelines tell sites to accept passwords of at least 64 characters, so there is room for a whole sentence.
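The following is an added example, not code from the article, showing how much a long phrase buys you in plain arithmetic and how to pick one that is genuinely random rather than merely long. It computes the guess space, in bits, of random passwords versus word-based passphrases and generates a passphrase with Python's `secrets` module. WORDS is a constructed 32-word list standing in for a real Diceware-style list; the figures for the real list use its size of 7,776 words directly.

```python
"""Guess space of passphrases versus passwords, plus a CSPRNG passphrase generator.

Added example, not from the article. WORDS is a small constructed list for
the demo; a real Diceware list has 7,776 words, which DICEWARE_SIZE reflects.
"""
import math
import secrets
import string

DICEWARE_SIZE = 7776  # words in the standard Diceware list
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols

# Constructed sample list for the demo only; far too small for real use.
WORDS = [
    "belmont", "bus", "tuesday", "mussels", "missouri", "lantern", "oak",
    "river", "copper", "pillow", "thunder", "violet", "camera", "basket",
    "glacier", "harbor", "jungle", "kettle", "marble", "noodle", "orbit",
    "pepper", "quilt", "rocket", "saddle", "tunnel", "umbrella", "velvet",
    "walnut", "yogurt", "zipper", "anchor",
]


def entropy_bits(choices, length):
    """Bits of entropy for `length` independent uniform picks from `choices` options."""
    return length * math.log2(choices)


def words_needed(target_bits, list_size):
    """Fewest random words from a list of `list_size` that reach `target_bits`."""
    return math.ceil(target_bits / math.log2(list_size))


def random_passphrase(words=WORDS, count=5, sep=""):
    """Pick `count` words uniformly at random with a cryptographic RNG."""
    return sep.join(secrets.choice(words) for _ in range(count))


def random_password(length=12):
    """What a password manager would generate for a single site."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    # An 8-character "complex" password versus five random dictionary words.
    print(f"8 random printable chars: {entropy_bits(len(ALPHABET), 8):.1f} bits")
    print(f"5 random Diceware words: {entropy_bits(DICEWARE_SIZE, 5):.1f} bits")
    print(f"Words for 80 bits: {words_needed(80, DICEWARE_SIZE)}")
    # A phrase chosen by a person is weaker than its character count suggests,
    # because its words are common and its grammar is predictable; the word
    # count is the honest upper bound, not the letter count.
    phrase = "thebelmontbusisalwayslateontuesday"
    print(f"{phrase!r}: {entropy_bits(26, len(phrase)):.0f} bits if the letters were random, "
          f"at most {entropy_bits(DICEWARE_SIZE, 7):.0f} bits as 7 common words")
    print("Generated:", random_passphrase(count=5, sep="-"))
    print("Per-site password:", random_password(16))
```

Five words drawn at random from a 7,776-word list give about 65 bits, more than eight fully random printable characters (about 52 bits), and they are far easier to remember. The phrase you make up yourself is fine as long as it is long and personal; just count its strength in words, not letters.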

OUT: Regular password resets

As mentioned above, when people are forced to reset their passwords, they don't do so wholesale. They change a character here or there, or bump the number at the end. It's easy to understand why, but doing so defeats the purpose of the reset to begin with: an attacker who learned the old password can guess the new one in a handful of tries.

IN: Passwords that never expire

Enter the new NIST recommendation: sites should stop forcing periodic changes, and you should reset a password only in the event of a security breach, or if you have a credible suspicion that it has already been exposed. The same guidelines tell sites to check every new password against lists of commonly used and previously breached passwords and reject the matches. Once you've settled on your long and unique phrase, you're good.

OUT: Memorizing your passwords

Recent human behavior suggests that we’re bad at this; that’s why we use slight variations on the same password for everything. And that’s why resetting and remembering and keeping track of our password cache is so frustrating. Again, it’s the infomercial adage: Isn’t there a better way? There is!

IN: A password manager

This type of service (LastPass is one widely used example) houses all your disparate passwords in a vault encrypted with a key derived from a single master password, so an attacker who steals the vault file still has to crack that master password. That makes the master password the one phrase you must get right: long, unique and never reused anywhere else. Many password managers come with browser plug-ins, too, and can generate a different random password for every site, so you don't have to remember any of them.

The premium on data security has never been higher, so it pays to adapt. Password requirements, like character counts and numeral mandates, will change as sites adopt the new NIST guidance. With that, your password strategy should change too. Follow the NIST guidelines, and reap the rewards. Good luck out there!