New Password Guidelines

Welcome to those of you who have arrived on this web page from a link in our Fall 2017 Small Business Newsletter.

The following article was originally published by CCH Site Builder, a Wolters Kluwer Company, in November 2017:

Is this your P@$$w0rd?: New password guidelines for 2017

Until very recently, the National Institute of Standards and Technology (NIST) stood behind its 2003 publication, NIST Special Publication 800-63, appendix A. This influential eight-page document proposed guidelines that have been standard-issue security requirements ever since. You're likely aware of (and annoyed by) some of its proposals, such as using special characters, changing your passwords regularly, etc. But in August 2017, Bill Burr and several other security experts rewrote this document from the ground up.

As it turns out, Burr and his colleagues had (unknowingly?) been promoting a style of password that is harder for humans to remember but easier for computers to crack. A lose/lose situation, for sure. How could this be?

Using a password like P@$$w0rd123! might seem like a good idea, but since 2003 the practice of replacing letters with special characters and numbers has become so widespread that password-cracking tools now try those substitutions routinely, making such passwords easier to guess.

Forcing people to update their passwords regularly can actually weaken them, because it encourages lazy updates. For instance, P@$$w0rd123! might easily be changed to P@$$w0rd456!, which doesn't really help you out.

Here are some of the revised NIST guidelines that we recommend adopting in your own password strategy. These suggestions may go a long way toward keeping your sensitive data out of the hands of hackers.

Make your passwords longer, but (unless the website requires it) don't worry about special characters and numbers. Trying to remember nonsensical combinations of special characters and numbers doesn't really help you out security-wise and only makes the password harder to remember.

Make your passwords into phrases replete with punctuation and spaces. If you can, make the sentence nonsensical. For instance, "Obama's ice cream was a Corvette." is weird enough to be very memorable but would take a very long time to guess.

Don't worry about updating your password every 90 days. Unless you know your password is too weak, it's probably safe to leave it alone.
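The three guidelines above translate directly into how a website or internal system should check a new password: favour length, allow spaces and punctuation, don't demand symbols, and reject passwords that are just a dressed-up common word or a trivial variant of the old one. The following is an added illustration written for this page; it is not code from the original article, from NIST, or from any product. The blocklist of common base words and the substitution table are constructed samples, and a real deployment would use a large list of breached or common passwords instead.

```python
import re
from typing import Dict, List, Optional

# Constructed sample blocklist (assumption: a real system would load a much
# larger list of common and breached passwords, as NIST 800-63B recommends).
COMMON_BASE_WORDS = {
    "password", "letmein", "qwerty", "welcome", "admin", "iloveyou",
}

# Character substitutions that cracking tools already try automatically, so
# applying them by hand adds no real strength.
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "$": "s", "5": "s", "0": "o",
    "1": "i", "3": "e", "7": "t",
})

# NIST 800-63B minimum length for a user-chosen password.
MIN_LENGTH = 8


def normalize(password: str) -> str:
    """Reduce a password to the plain word it was built from.

    Trailing digits and punctuation (the '123!' tacked on at the end) are
    dropped, then common letter substitutions are undone and the result is
    lower-cased, so 'P@$$w0rd123!' and 'P@$$w0rd456!' both become 'password'.
    """
    base = re.sub(r"[\d\W_]+$", "", password)   # strip the trailing 123! part
    return base.translate(LEET_MAP).lower()


def evaluate(password: str, previous: Optional[str] = None) -> Dict[str, object]:
    """Apply the length, blocklist and trivial-variant checks.

    Deliberately absent: any rule that demands digits or special characters.
    Spaces and punctuation are allowed, so long passphrases pass unchanged.
    Returns a dict with 'accepted', the list of 'reasons' for rejection, and
    the password 'length'.
    """
    reasons: List[str] = []

    if len(password) < MIN_LENGTH:
        reasons.append("too short")

    base = normalize(password)
    if base and base in COMMON_BASE_WORDS:
        reasons.append(f"derived from common word '{base}'")

    # A "rotation" that only bumps the trailing digits is caught here.
    if previous is not None and base and normalize(previous) == base:
        reasons.append("trivial variant of previous password")

    return {"accepted": not reasons, "reasons": reasons, "length": len(password)}


if __name__ == "__main__":
    # Constructed sample inputs, including the two passwords from the article.
    samples = [
        ("P@$$w0rd123!", None),
        ("P@$$w0rd456!", "P@$$w0rd123!"),
        ("Obama's ice cream was a Corvette.", None),
        ("correct horse battery staple", None),
        ("short", None),
    ]
    for pw, prev in samples:
        result = evaluate(pw, prev)
        verdict = "accepted" if result["accepted"] else "rejected"
        print(f"{pw!r:40} -> {verdict} {result['reasons']}")
```

Run as a script, the check rejects both P@$$w0rd variants (the second one twice over, as a common word and as a cosmetic change to the previous password) while accepting the long passphrases even though one of them contains no digits or symbols at all. The only thing the passphrase has to do is be long and not reduce to a word on the blocklist.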


