
Wait, the new password guidelines are simpler?

The NIST has updated its password guidelines to be less complicated—but are simple passwords safe?

The National Institute of Standards and Technology (NIST) recently updated its Digital Identity Guidelines. I bet you haven’t read them, but the NIST guidelines affect how sites and apps set password requirements, and they affect the advice we share with you. And guess what? The new password guidelines are a lot more relaxed than before. But hackers aren’t taking a break, so what gives?

Previously, the NIST told us to create complicated passwords with numbers and special characters (P@S5w0rd!), to use a different password for every site, and to change them regularly. In reality we’re using the same few passwords everywhere, changing them by one or two characters when we have to, and often writing them on sticky notes or keeping them in our contacts. Am I right?

It turns out that by creating these complicated passwords with a mix of letters, numbers, and special characters, we make them so difficult to remember that we don’t follow important guidelines on how to store them. Sure, it seems like using more characters than the 26 in our alphabet means more hurdles for hackers, but a longer password without special characters can actually be harder to crack. A series of funny, nonsensical words that you’ll remember is safer than a shorter, complicated password you’ll forget and tape to your computer. You’ll also reduce the chance that a password-guessing program will hit on common word combinations and steal your password.
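To make the "length beats complexity" point concrete, here is an added example (not WorkSmart's code or NIST's) that checks a password the way the relaxed guidelines describe, length plus a blocklist and no required symbols, and compares rough search-space sizes; the blocklist, the 100,000-word dictionary size and the substitution model are constructed assumptions.

```python
"""NIST-style password check (length + blocklist, no composition rules)
plus a rough search-space comparison. All numbers are estimates."""
import math
import unicodedata

# Constructed stand-in for a breached/common-password blocklist; a real
# deployment would screen against a large corpus of known-compromised values.
COMMON_PASSWORDS = {"password", "p@s5w0rd!", "123456", "qwerty", "letmein", "welcome1"}
MIN_LENGTH, MAX_LENGTH = 8, 64  # SP 800-63B: require at least 8, accept at least 64


def check_password(password: str) -> list[str]:
    """Return the list of problems; an empty list means acceptable.
    Only length and the blocklist are enforced: no required digits or symbols,
    and spaces/Unicode are allowed, matching the relaxed guidelines."""
    pw = unicodedata.normalize("NFKC", password)  # compare consistently
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("on the common/breached password list")
    return problems


def random_chars_bits(length: int, charset_size: int = 95) -> float:
    """Search space (bits) of truly random characters from a 95-symbol set."""
    return length * math.log2(charset_size)


def random_words_bits(words: int, wordlist_size: int = 7776) -> float:
    """Search space (bits) of random words from a 7776-word diceware-style list."""
    return words * math.log2(wordlist_size)


def mangled_word_bits(dictionary_size: int = 100_000, substitutions: int = 4,
                      suffix_choices: int = 33) -> float:
    """Assumed model of a 'P@S5w0rd!'-style password: one dictionary word, a
    few letter-to-symbol swaps and one trailing symbol. Guessing tools apply
    exactly these transformations, so the space is far smaller than it looks."""
    return math.log2(dictionary_size * 2 ** substitutions * suffix_choices)


if __name__ == "__main__":
    for pw in ["P@S5w0rd!", "short", "correct horse battery staple"]:
        print(repr(pw), check_password(pw) or "ok")
    print(f"mangled dictionary word:  {mangled_word_bits():.1f} bits")
    print(f"9 random printable chars: {random_chars_bits(9):.1f} bits")
    print(f"4 random words:           {random_words_bits(4):.1f} bits")
```

The 9-character mangled word comes out near 26 bits, while four random words come out near 52 bits, which is the gap the guidelines are reacting to.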

The team at WorkSmart also recommends finding a secure way to store and manage passwords so you can use a different password for different sites. As a Managed IT Service Provider, we offer our clients password management tools. And there are plenty of password managers out there for individuals, like LastPass and Dashlane. Plus, we strongly recommend using two-factor authentication when possible so a hacker can’t log in with your password alone. He or she would also need to have a second device, like your phone.

Check out our cybersecurity services for more on how we can help keep organizations safe from hackers.

In a nutshell:

  • Create long, memorable, simple passwords
  • Actually use different passwords for different sites
  • Use a password manager
  • Protect your accounts, including your password manager, with two-factor authentication (2FA) whenever possible