University of Wisconsin–Madison
Computer displaying password window

The rules have changed: a new approach to creating passwords (UPDATED)

Please note the correction to this article originally published on Feb. 12, 2018. The suggestion or implication to disregard the practice of using “… different passwords for different accounts or apps” is not listed in the NIST guidelines referenced in the article, and is therefore still considered good practice in creating strong passwords.

You know what the worst passwords are (and yours aren’t on the list). But now it’s time to change your password creation strategy.

In 2017, the National Institute for Standards and Technology (NIST) released NIST Special Publication 800-63B: Digital Identity Guidelines, Authentication and Lifecycle Management which includes revised guidelines for creating strong passwords. These new guidelines include:

  • Keep passwords simple, long and memorable
  • Include phrases comprised of typical English words, in uncommon combinations (e.g., poolpartyladderplatypus)
  • No need to update or change passwords regularly (if new guidelines adhered to)

These recommendations are a substantial change from previously well-regarded guidelines that have included: make a combination of letters, numbers and special characters; change passwords for all your accounts regularly, and use different passwords for different accounts or apps.

The goal with these new guidelines is to help users create longer passwords that are more difficult for hackers to break. Along with these new recommendations, you should still consider using a password manager such as LastPass or KeePass to store all your passwords in one place. If you would like to find out how secure your password is, you can visit https://howsecureismypassword.net/. This site will show you the approximate number of years it would take for your password to be hacked.

Learn how to select, manage and protect your passwords