Your Password’s Not That Safe—Here’s Why and How to Fix It

Strong password tips

Forget everything you think you know about “safe” passwords.

You may think the key to a strong password is a long string of characters pulled at random and spliced together.

Time has shown, however, that long, random mixtures of characters are not just headache-inducing and frustrating (consider the countless attempts to recall a jumble of letters, numbers, and symbols); in practice they are also not secure. People cannot memorize truly random strings, so they fall back on predictable substitutions such as capitalizing the first letter, swapping “a” for “@”, and appending “1!”, and those are exactly the patterns that password-cracking tools try first.

What About Current Password Recommendations?

The recommendation to use strings of random characters originally came from none other than the author of the password security guidelines, Bill Burr. Back in 2003, Burr was a manager at the National Institute of Standards and Technology (NIST) and was responsible for defining the guidelines for creating safe passwords. When writing them, he relied on a white paper on password safety from the 1980s. The vast majority of admins and sites adopted these rules as a standard over the years, and passwords based on them are complicated to remember and use, to say the least. Burr’s password advice prevailed on the web for the next 14 years.

Now, however, the creator of the password guidelines has retracted his advice: “Much of what I did, I now regret,” Burr told The Wall Street Journal.

What’s Wrong With Current Password Practices?

The fact is, the best practices laid down over the last decade and a half are deeply flawed because they don’t take basic human nature into account. Requiring a password change every 30 days doesn’t boost security, since most users respond by changing a single character of their old password, which makes the new one trivially predictable from the old. Others might change the whole password but write it down, which isn’t secure either.

How to Create a Strong Password: The New Rules

In June 2017, NIST published revised guidelines (Special Publication 800-63B) that drop the requirement for special symbols and other composition rules, as well as the forced periodic password change, and instead recommend longer passphrases. The biggest weakness of the old guidelines is that a short password that satisfies complexity rules is easier to crack by brute force than a long passphrase of random words: complexity rules push people toward a small set of predictable patterns, while every additional random word multiplies the number of possibilities an attacker must try.
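To put numbers on that comparison, here is an added example (not code from the article or from NIST) that computes the entropy of a password the way the new guidelines reason about it: bits = length × log2(alphabet size), where a randomly chosen word is just one symbol from a very large alphabet. The word list is a constructed 32-word stand-in for a real Diceware list, the 7776-word list size is that of a standard Diceware list, and the 10 billion guesses per second attacker rate is an assumption. The arithmetic assumes every character or word really is chosen uniformly at random; a human-invented “complex” password like P@ssw0rd1! has far fewer effective bits than the 52 computed for a random 8-character one.

```python
import math
import secrets

# Constructed stand-in for a Diceware-style word list. A real list (for
# example the EFF long list) has 7776 words; the arithmetic below is
# identical, only the list size changes.
SAMPLE_WORDS = [
    "anchor", "battery", "correct", "desert", "engine", "forest", "garden",
    "horse", "island", "jungle", "kettle", "lantern", "marble", "needle",
    "orbit", "pepper", "quartz", "river", "staple", "tunnel", "umbrella",
    "violin", "walnut", "xenon", "yellow", "zephyr", "basket", "candle",
    "dragon", "ember", "falcon", "glacier",
]  # 32 words -> exactly 5 bits per word

PRINTABLE_ASCII = 95   # upper + lower + digits + 33 symbols
DICEWARE_SIZE = 7776   # standard Diceware list size (6^5)
SECONDS_PER_YEAR = 31_557_600


def entropy_bits(length, alphabet_size):
    """Entropy of `length` symbols, each drawn uniformly from
    `alphabet_size` choices. Valid only if the choice really is uniform."""
    return length * math.log2(alphabet_size)


def generate_passphrase(num_words, wordlist=SAMPLE_WORDS, sep=" "):
    """Pick words with the OS CSPRNG (secrets). random.choice is seeded
    predictably, and a human picking 'random' words is worse than either."""
    return sep.join(secrets.choice(wordlist) for _ in range(num_words))


def expected_crack_seconds(bits, guesses_per_second):
    """An attacker searching the whole space hits the secret after half of
    it on average: 2^(bits-1) guesses."""
    return 2 ** (bits - 1) / guesses_per_second


def compare(guesses_per_second=1e10):
    """8 random printable characters vs. 6 random Diceware words against an
    offline attacker; the guess rate is an assumed GPU-class figure."""
    pw_bits = entropy_bits(8, PRINTABLE_ASCII)
    pp_bits = entropy_bits(6, DICEWARE_SIZE)
    return {
        "password_bits": pw_bits,
        "passphrase_bits": pp_bits,
        "password_years": expected_crack_seconds(pw_bits, guesses_per_second)
        / SECONDS_PER_YEAR,
        "passphrase_years": expected_crack_seconds(pp_bits, guesses_per_second)
        / SECONDS_PER_YEAR,
    }


if __name__ == "__main__":
    print("example passphrase:", generate_passphrase(6))
    for name, value in compare().items():
        print(f"{name}: {value:,.2f}")
```

Six Diceware words give about 77.5 bits against roughly 52.6 for eight truly random characters, a gap of about 25 bits, or a factor of 30 million in attacker effort, and the passphrase is the one you can actually remember. If you use the sample list above for real you only get 5 bits per word, so pick a proper list and let the generator, not your memory, choose the words.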

Password strength comic by xkcd (“Password Strength”: a short “complex” password versus the four-word passphrase “correct horse battery staple”)
  • Use long phrases of real words pulled at random. “Random” means chosen by dice or a generator, not by you: a phrase you make up yourself is far more predictable than one drawn from a word list.
  • Check your email addresses and passwords against a database of credentials leaked in data breaches. One of the largest, Have I Been Pwned, is maintained by Microsoft Regional Director Troy Hunt. It offers additional advice on securing your credentials and can alert you if one of your accounts appears in a breach.
  • Do not reuse the same password across several of your accounts; that way a breach of one site exposes only that site.
  • Instead of writing down multiple passwords, consider using a password manager to store your credentials for all sites in one encrypted store. The only password you’ll need to memorize is the master password for the manager itself, so make that one a long random passphrase. See PCMag’s list of the best ones in 2017.
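The password half of that breach check can be done without handing your password to anyone. Have I Been Pwned’s Pwned Passwords API uses a k-anonymity range query: the client hashes the password with SHA-1, sends only the first five hex digits, and receives every hash suffix with that prefix together with a breach count, then finishes the comparison locally. The following is an added example of that exchange, not code from the article or from Have I Been Pwned itself. The SHA-1 of the string “password” is the real value; the sample range response and its counts are constructed so the check runs offline, and the live `fetch_range` helper is included only for real use.

```python
import hashlib
import urllib.request

# Constructed sample of a range response for prefix 5BAA6: each line is the
# remaining 35 hex digits of a SHA-1 hash and a breach count. The counts here
# are made up; only the suffix for "password" is its real hash remainder.
SAMPLE_RANGE_5BAA6 = """\
0002C3FCF5D6CB1FB3E1A0F8A6E7DB8F7A5:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1F2B3C4D5E6F708192A3B4C5D6E7F80910A:17
"""


def split_sha1(password):
    """Return (prefix, suffix): the first 5 and remaining 35 uppercase hex
    digits of SHA-1(password). Only the prefix ever leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(text):
    """Parse 'SUFFIX:COUNT' lines into a dict, tolerating CRLF and blanks."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix, timeout=10):
    """Live lookup. The API rejects requests without a User-Agent header."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "passphrase-article-example"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def breach_count(password, range_source=fetch_range):
    """Number of times `password` was seen in breaches; 0 means not found.
    `range_source` maps a 5-char prefix to the range text, so a constructed
    response can be substituted for the network call."""
    prefix, suffix = split_sha1(password)
    return parse_range(range_source(prefix)).get(suffix, 0)


if __name__ == "__main__":
    # Offline demonstration against the constructed sample above.
    for candidate in ("password", "correct horse battery staple"):
        n = breach_count(candidate, lambda _prefix: SAMPLE_RANGE_5BAA6)
        print(f"{candidate!r}: seen {n} times")
```

Because the comparison happens on your side, the service learns at most that you asked about one of the hundreds of hashes sharing a prefix, never which one. Treat any non-zero count as a reason to choose a different password; attackers feed these same lists into their cracking tools first.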