Say g**dby# to annoying password rules

Apps and websites have a bunch of rules to make your passwords safer — lots of characters, special symbols and frequent resets. But a federal tech agency is saying some requirements do more harm than good.

The National Institute of Standards and Technology (NIST) proposed new guidelines for protecting people’s digital identities from fraud. Among them are bans on password rules that cybersecurity experts have long been calling outdated. No more asking for special characters such as “%” and “$,” for instance. And no more security questions about your first pet or childhood best friend.

NIST said the changes are meant to help consumers choose strong passwords and avoid wasting time on unhelpful requirements. Research also suggests all those extra asterisks didn’t make our passwords that much safer.

“Highly complex passwords introduce a new potential vulnerability: They are less likely to be memorable and more likely to be written down or stored electronically in an unsafe manner,” NIST’s latest proposal reads.

If the guidelines go into effect, companies, government agencies and other online service providers would have to stop prodding you to reset your password every few months. Microsoft, for its part, called the practice “ancient and obsolete” before it stopped requiring periodic password changes in 2019.

“Regular password changes tend to lead people down a path toward worse passwords overall,” said Hans Raj Kumar, director of product management at password manager provider Dashlane. “Who hasn’t at some point simply changed a number at the end of a password?”

NIST’s proposal would require sites to stop barring certain special characters, and it recommends that they allow spaces and Unicode characters in passwords. So your new password might be a phrase such as “A Swim in the Pond in the Rain” or “Good times never felt so good.”

Cybersecurity experts are pushing to get rid of passwords altogether in favor of something with less room for human error. Until then, here’s the password wisdom that inspired NIST’s rules.

Stick with what’s working

Frequent password changes probably make you more vulnerable to a digital break-in. No need to change your passwords unless you’ve been affected by a data breach, NIST says.

In case of a data breach, the company at fault should contact you by email or snail mail, letting you know your information was compromised.

If that happens, change the passwords to your health, financial and social media accounts. Then call the big three credit reporting firms and ask to freeze your credit.

No easy passwords

We’ve put an eternal moratorium on “password123,” but don’t stop there.

Passwords should be longer than eight characters — ideally, at least 15, NIST says.

Don’t draw on anything contextual, such as the name of the website or your username. Avoid referencing things from your life, such as children’s or pets’ names. (Cybercriminals have access to Facebook, too.)

Also, don’t flip to a random word in the dictionary and use that as a password. Computerized “credential stuffing” attacks automatically plug in existing words, but they lack the power to guess every single combination of words and letters, so opt for a phrase or add some numbers and symbols.
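The rules in this section, together with the earlier point that spaces and Unicode should be allowed, boil down to a short checklist: count length in characters (not bytes), require at least 15 of them, impose no special-character rule, reject anything that contains the username or site name, reject a lone dictionary word, and reject known-bad passwords such as “password123.” The validator below is an added example written for this article; it is not code from NIST or from the article’s author, and the `check_password` function, the tiny `DICTIONARY` and `BLOCKLIST` sets, and the sample inputs are constructed for illustration.

```python
"""Minimal NIST-style password acceptance check (added example, not NIST reference code).

Rules implemented, each traceable to the article:
  * length is counted in characters after Unicode normalization, minimum 15
  * no composition rule: a passphrase of plain words and spaces is accepted
  * reject passwords that contain the username or the site name (contextual)
  * reject entries on a known-bad list (stand-in for a breach corpus)
  * reject a password that is just one dictionary word
"""
import unicodedata

MIN_LENGTH = 15  # the article: "ideally, at least 15"

# Constructed stand-ins. A real deployment would load a breached-password corpus
# and a full word list instead of these hand-picked sets.
BLOCKLIST = {"password123", "qwertyuiopasdfg", "letmeinletmein1"}
DICTIONARY = {
    "swim", "pond", "rain", "good", "times", "never", "felt", "so",
    "correct", "horse", "battery", "staple",
    "supercalifragilisticexpialidocious",
}


def normalize(password: str) -> str:
    """NFKC-normalize so that composed and decomposed forms of the same
    character (e.g. 'Ä' typed as one code point or as 'A' + combining mark)
    are treated identically and counted as one character."""
    return unicodedata.normalize("NFKC", password)


def check_password(password: str, username: str = "", site_name: str = ""):
    """Return (accepted, reason). `reason` is an empty string when accepted."""
    pw = normalize(password)

    # Length is the primary rule; spaces and non-ASCII letters all count.
    if len(pw) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"

    lowered = pw.lower()

    # Known-bad list: "password123" and friends never pass.
    if lowered in BLOCKLIST:
        return False, "on the known-bad list"

    # Contextual material: nothing derived from the site or the account name.
    for label, ctx in (("username", username), ("site name", site_name)):
        if ctx and ctx.lower() in lowered:
            return False, f"contains the {label}"

    # A single dictionary word is guessable no matter how long it is.
    if lowered.strip() in DICTIONARY:
        return False, "a single dictionary word"

    # Note what is deliberately absent: no check for digits, symbols, or
    # mixed case, and no expiry date. Those are the rules NIST is dropping.
    return True, ""


if __name__ == "__main__":
    samples = [
        ("password123", "", ""),
        ("A Swim in the Pond in the Rain", "", ""),
        ("correct horse battery staple", "", ""),
        ("tatumlovesthepond1234", "Tatum", ""),
        ("supercalifragilisticexpialidocious", "", ""),
        ("A\u0308rger im Garten bei Regen", "", ""),  # decomposed 'Ä'
    ]
    for pw, user, site in samples:
        ok, why = check_password(pw, username=user, site_name=site)
        print(f"{pw!r:45} -> {'accepted' if ok else 'rejected: ' + why}")
```

The decomposed-Ä sample is there to show why normalization matters: without it, one visually identical password could be 25 characters on one device and 26 on another, and a check that counts bytes instead of characters would disagree with both.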

Of course, the more complex your password gets, the harder it becomes to remember. Market research firm Forrester estimated in 2020 that employees spend 11 hours a year trying to remember or resetting their passwords. That’s a lot of time down the drain. Which leads us to:

Use a password manager

Storing your passwords in a spreadsheet, notes app or physical notebook puts you at risk. These programs weren’t designed to protect important credentials from fraudsters, and if you lose or delete your list, you might be out in the cold.

Instead, start using a password manager, which stores your passwords and automatically fills them in when you log into an app or website. They’re safer than a spreadsheet because they keep your credentials hidden behind a password. Some services even hide your passwords from themselves using encryption.

We’ve tested different password managers and recommend Dashlane or 1Password. Apple and Google also offer password managers that sync across your devices — so an email password you set on your MacBook, for example, would also appear when you sign into email on your iPhone.

For help setting up a password manager, check out our guide.

Opt for passkeys

Passkeys are like a one-and-done version of passwords: You set them up once and, after that, get logged in automatically. Instead of entering credentials, the app will ask for the same face or thumb scan you use to unlock your device. They work by using cryptography to prove you are who you say you are.

Google, Microsoft and other major providers support passkeys, and your password manager should store them along with your other passwords. (A passkey is a giant string of characters, so you’ll never have to remember or safeguard it yourself.)

For help setting up a passkey and answers to all your questions (like what happens if you lose your device), read our guide.

Source: washingtonpost.com