New password guidelines: What to know

The National Institute of Standards and Technology is issuing new guidelines to make passwords easier to manage and more secure.
The new guidelines will do away with special character requirements, mixing upper- and lower-case letters and periodic password updates.
Periodic mandatory password updates were introduced as an attempt to keep accounts safe: if a hacker had obtained your password, being forced to change it would lock the attacker out. But Lorrie Cranor, director of CyLab at Carnegie Mellon University and Bosch Distinguished Professor in Security and Privacy Technologies, says that’s not the reality.
“What happens in reality is if you know that you're going to have to change your password every three months, most people just come up with a pattern and they just change their password according to that pattern,” Cranor says. “The attackers can figure that out too, so it's not really helping security.”
3 questions with Lorrie Cranor
Will these new guidelines make it easier to remember passwords?
“It might be easier for you to remember, depending on the password you pick. The problem is that most of the passwords that are really easy to remember are also predictable and easy to guess. So the best passwords are really completely random passwords. And most of us are not really very good at remembering them.”
What makes a good, secure password?
“A completely random password is ideal, and that means you're going to have to either write it down or use a password manager because most of us can't remember them.
“If you want a more secure password that maybe you have a better chance of remembering, what I like to do is to think of a phrase that I will remember — preferably not song lyrics or a quote or something that other people know — and then I take the first couple of letters of each word and string them together. And then I do like to take a digit or a symbol and kind of put it in the middle somewhere. That gives you a nice password that is not so predictable and that I would have a chance of remembering.”
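The phrase-to-password scheme Cranor describes, written out as an added example that is not part of the original interview; the sample phrase, the letters-per-word count and the inserted character are constructed inputs.

```python
import re

# Added example (not from the WBUR interview): derive a password from a
# memorable phrase by keeping the first few letters of each word and
# inserting a digit or symbol in the middle, as Cranor describes.
# The phrase, letter count and inserted character are constructed samples.

def mnemonic_password(phrase: str, letters_per_word: int = 2, insert: str = "7") -> str:
    """Build a password from the first `letters_per_word` letters of each word.

    Punctuation inside words is dropped ("don't" -> "dont"), words shorter
    than `letters_per_word` contribute all their letters, and `insert` is
    placed at the midpoint of the joined string.
    """
    if letters_per_word < 1:
        raise ValueError("letters_per_word must be at least 1")
    # Keep only letters and digits of each whitespace-separated word.
    words = [re.sub(r"[^A-Za-z0-9]", "", w) for w in phrase.split()]
    parts = [w[:letters_per_word] for w in words if w]
    if not parts:
        raise ValueError("phrase contains no usable words")
    core = "".join(parts)
    mid = len(core) // 2
    return core[:mid] + insert + core[mid:]


if __name__ == "__main__":
    # Constructed phrase; a real one should be private, not a known lyric or quote.
    print(mnemonic_password("my cat knocked over the blue mug again", 2, "&"))
```

The result is only as unpredictable as the phrase: a phrase other people know (lyrics, famous quotes) gives an attacker the same starting point, which is why Cranor still prefers a random password kept in a manager.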
Do you recommend people use password managers? Are they secure?
“I'm a big fan of password managers and I've been using them myself for almost a decade.
“Some people are concerned about them because they say, ‘What if my password manager gets hacked?’ Or every now and then you'll read a news report that a big password manager has had a security problem.
“The reality is that that doesn't happen very often. And when it does happen, usually you're informed right away. And so, as a result of these occasional breaches, there hasn't been a lot of damage, relatively speaking.
“On the other hand, if you don't use a password manager, what most people do is they use the same passwords over and over again. And if you do that, if any one of those accounts is breached, then, effectively, all your accounts are breached, because the attackers, when they get those passwords, they just go try them at all your other accounts.
“If you use a password for an account that you don't really care about and you haven't used it in years, and it gets breached, you don't even know that that happened. Now, all of a sudden, that attacker has your bank account password or something. It becomes kind of this mass, mass data surrender.”
Julia Corcoran produced and edited this interview for broadcast with Catherine Welch. Grace Griffin adapted it for the web.
This segment aired on December 3, 2024.

