Most Unexpected Guideline when Choosing Passwords


Many people use simple and weak passwords for their devices, making it easy for intruders to break into their phones, computers, e-mail accounts and so on. Many employees use weak passwords and are completely unaware of it: they can’t imagine that their specific password is a common one chosen by many other people as well.

The US National Institute of Standards and Technology (NIST) issued new guidelines, stressing that password length is much more important than password complexity.

The recommendations advise organizations to require everyone to use longer passwords or passphrases of 15 or more characters, without requiring uppercase, lowercase, or special characters. Instead of a short, complex password that is hard to remember, consider a longer passphrase: several words combined into a string of at least 15 characters. The extra length makes the passphrase harder to crack while also making it easier to remember.

A passphrase should not only be long; preferably it should combine multiple unrelated words, such as “DirectorMonthLearnTruck.”

Additional NIST recommendations to organizations, as reported by hstoday.us, include:

  • Only require password changes when there’s a reason to believe your network has been compromised.
  • Have your network administrators screen everyone’s passwords against lists of dictionary words and passwords known to have been compromised.
  • To help prevent a denial-of-service attack against your email service, don’t lock a user’s account after a certain number of incorrect login attempts. That way, even if an adversary floods your network with purposefully incorrect login information, your users won’t be locked out of their accounts.
  • Don’t allow password “hints.”
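A minimal policy check that applies the two rules above (a length of at least 15 characters and screening against a dictionary/compromised-password list) and contrasts it with the legacy complexity rule it replaces. This is an added example, not code from the post or from NIST; the block list is a constructed sample and case-insensitive matching is an assumption.

```python
"""Password acceptance check modelled on the guidance summarised above
(added example, not code from the post or from NIST).

Assumptions not taken from the page: block-list matching is case-insensitive,
and SAMPLE_BLOCKLIST is a constructed stand-in for a real dictionary /
breached-password corpus.
"""
import string

MIN_LENGTH = 15  # the page's threshold; no composition rules are imposed

# Constructed sample of dictionary words and known-compromised passwords.
SAMPLE_BLOCKLIST = {
    "password",
    "123456",
    "qwerty",
    "letmein",
    "correcthorsebatterystaple",  # long, but widely published, so blocked
}


def legacy_complexity_rule(password: str) -> bool:
    """The kind of rule the guidance replaces: 8+ chars with all four classes."""
    return (len(password) >= 8
            and any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))


def check_password(password: str, blocklist=SAMPLE_BLOCKLIST) -> tuple[bool, str]:
    """Return (accepted, reason) under the length-plus-screening policy.

    Only two rules are enforced: a minimum length of MIN_LENGTH code points,
    and absence from the dictionary / compromised-password list.
    """
    if len(password) < MIN_LENGTH:
        return False, f"too short: {len(password)} < {MIN_LENGTH}"
    if password.lower() in blocklist:  # assumption: list stored lower-case
        return False, "appears in dictionary or known-compromised list"
    return True, "accepted"


if __name__ == "__main__":
    for candidate in ("P@ssw0rd!", "DirectorMonthLearnTruck", "CorrectHorseBatteryStaple"):
        legacy = legacy_complexity_rule(candidate)
        ok, why = check_password(candidate)
        print(f"{candidate!r}: legacy={legacy} nist_style={ok} ({why})")
```

Running it shows the short, symbol-laden password passing the legacy rule but failing the length rule, while the long unrelated-word passphrase passes only the length-based check.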