New Password Guidelines Issued for Staying Ahead of Hackers

by Suzanne Kantra on September 27, 2024

Having covered online security for more than two decades, I've seen password recommendations evolve dramatically over the years. More recently, there's been a move toward passwordless authentication like passkeys. But for now, strong passwords remain a critical line of defense against hackers.

The National Institute of Standards and Technology (NIST), the U.S. authority on password standards, is updating its guidance on passwords for the first time since 2020. This matters because many companies and government agencies rely on these standards, so the changes NIST recommends will likely impact how you create passwords going forward. Here's how the guidelines are changing.

[Image: concept image of a computer monitor with a log-in screen]

What’s new in NIST’s password guidelines

The biggest update? No more mandatory complex characters. Instead of requiring a mix of uppercase, lowercase, numbers, and symbols, NIST now emphasizes password length. Research shows that longer passwords are harder to crack, even if they don't include a variety of character types. The minimum length NIST recommends is eight characters. However, given the rapidly growing computational power of the modern GPUs used by hackers, the minimum isn't good enough; I recommend 16 characters or more. Check out the 2023 Hive Systems Password Table below if you need any convincing.

[Image: 2023 Hive Systems Password Table]

To implement this effectively, consider using a passphrase – a string of random words that form a memorable sequence. For example, "blue elephant pizza mountain" is not only longer but also significantly easier to remember than a typical complex password like "P@vg0vj!63." You can also add a personal twist to make it unique, such as "blue elephant loves pizza," but avoid obvious combinations related to personal details.

For more detailed password guidance, read How to Create Strong Passwords

Another welcome change is the removal of mandatory periodic password changes. Hackers have known for years that most of us just change a number at the end of our passwords when forced to create new ones regularly. So, forcing people to change passwords frequently doesn’t necessarily improve security and, in fact, can make it worse. Studies have shown that when forced to change passwords frequently, users will opt for simpler passwords that are easier to hack.
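As an added example (not code from the article or from NIST), here is a verifier-side policy check in Python that applies the guidance above: it enforces length instead of composition rules, screens against a breached-password blocklist rather than forcing rotation, and estimates the search space of the two example passwords. The blocklist, the 7776-word list size and the guess rate are constructed assumptions; the word-level estimate also shows why a passphrase's strength comes from the number of random words, not just its character count.

```python
import math
import string

MIN_LENGTH = 8           # NIST minimum cited in the article
RECOMMENDED_LENGTH = 16  # the author's recommendation

# Constructed stand-in for a breached-password blocklist (not a real corpus).
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "password1"}


def check_password(pw: str) -> list:
    """Return the list of policy problems; an empty list means acceptable.
    Deliberately no composition rule: mixing character classes is not required."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    elif len(pw) < RECOMMENDED_LENGTH:
        problems.append(f"shorter than recommended {RECOMMENDED_LENGTH} characters")
    # Compare case-insensitively so trivial variants of blocked entries are caught.
    if pw.strip().lower() in BLOCKLIST:
        problems.append("appears in breach blocklist")
    return problems


def brute_force_bits(pw: str) -> float:
    """Search-space size in bits for an attacker who knows the length and which
    character classes are present and tries every string of that shape."""
    if not pw:
        return 0.0
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation, " "]
    alphabet = sum(len(c) for c in classes if any(ch in c for ch in pw))
    return len(pw) * math.log2(alphabet)


def passphrase_bits(words: int, dictionary_size: int = 7776) -> float:
    """Entropy of `words` words drawn uniformly from a word list. 7776 is the
    Diceware list size, an assumption; the article does not name a list."""
    return words * math.log2(dictionary_size)


def crack_seconds(bits: float, guesses_per_second: float = 1e11) -> float:
    """Expected time to hit the secret at an assumed guess rate (half the space)."""
    return 2 ** bits / 2 / guesses_per_second


if __name__ == "__main__":
    for pw in ["P@vg0vj!63", "blue elephant pizza mountain"]:
        print(pw, check_password(pw) or "ok", f"{brute_force_bits(pw):.1f} bits")
    # Same passphrase, but the attacker guesses whole words instead of characters:
    print("4 random words:", f"{passphrase_bits(4):.1f} bits")
```

Against character-level brute force the 28-character passphrase is far stronger than the 10-character complex password, but against an attacker guessing whole dictionary words four random words give only about 52 bits, so add words rather than relying on length alone.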

Password managers: your digital security assistant

Understanding that it's difficult to manage all these long, unique passwords, NIST strongly supports using a password manager. And it's a tool I can’t recommend strongly enough.

A good password manager generates strong, unique passwords for each of your accounts and remembers them for you. It’s not just convenient; it’s a critical component of your online security strategy. Here's why I consider a password manager essential:

  1. It creates complex, unique passwords for every account
  2. You only need to remember one master password
  3. It syncs across all your devices
  4. Many offer secure sharing features for families or teams
  5. Some can alert you if your passwords appear in known data breaches

I personally use and recommend 1Password. It's user-friendly and works seamlessly across different devices and platforms. However, there are other excellent options out there, including some free alternatives:

  • iPhone, iPad, and Mac users: Use Apple's built-in password manager. With iOS 18, there's a dedicated Passwords app.
  • Android and Chrome users: Google's password manager is a solid choice.

Read more: Everything You Need to Get Started with Google Password Manager

While these built-in options are convenient, they don't offer all the features of a dedicated password manager, like sharing securely with anyone and saving important files or data like your passport number. But they're certainly better than not using one at all or, worse, reusing passwords across multiple sites.

Multi-factor authentication: your second line of defense

While strong passwords are crucial, they're not the only line of defense NIST recommends. Multi-factor authentication (MFA) adds an extra layer of security that can make a world of difference.

MFA requires you to provide two or more verification factors to gain access to an account. These factors typically fall into three categories:

  1. Something you know (like a password)
  2. Something you have (like a smartphone)
  3. Something you are (like a fingerprint)

By using MFA, even if a hacker manages to get your password, they still can’t access your account without the additional factor. It’s like having a deadbolt on your door in addition to the regular lock.

NIST strongly encourages the use of MFA wherever it’s available, and I couldn’t agree more. The common forms of MFA you might encounter are text message codes (SMS), authenticator apps (like Google Authenticator or Authy), hardware security keys (like YubiKey), and biometrics (fingerprint or face recognition).

While any form of MFA is better than none, some methods are stronger than others. For instance, SMS-based MFA is vulnerable to SIM-swapping attacks. If available, opt for an authenticator app or a hardware security key for the highest level of protection. In one recent case, a major data breach was thwarted because a user had enabled MFA through an authenticator app, preventing attackers from accessing their account despite having the correct password.

Read more: How to Tell if You're a Victim of Phone Cloning or SIM Swapping

Take time for a password checkup

I use a password manager and strong passwords for all my important accounts. However, with shifting recommendations, passwords that were considered strong just a couple of years ago no longer cut it. For instance, when I checked my banking passwords, I discovered they were too short based on current standards, even though they met other criteria for being "strong."

If you use a password manager for your accounts, you don't see your passwords when they're filled in and may not notice when they no longer cut it. So, take some time to review your important passwords. You might be surprised to find that some no longer meet current standards, even if they were once considered strong. Good password hygiene is an ongoing process.

Final thoughts

Staying ahead of hackers doesn’t have to be overwhelming. By following the latest NIST guidelines, using a password manager, and enabling MFA, you'll significantly enhance your online security. Stay safe out there!

[Image credit: Hive Systems, concept image via Midjourney]

For the past 20+ years, Techlicious founder Suzanne Kantra has been exploring and writing about the world’s most exciting and important science and technology issues. Prior to Techlicious, Suzanne was the Technology Editor for Martha Stewart Living Omnimedia and the Senior Technology Editor for Popular Science. Suzanne has been featured on CNN, CBS, and NBC.

