Tech Talk Live Blog

New Password Guidelines

Brian Steigauf

Everybody knows the routine: you have to change your password (because your IT or technology department is making you). So you go through the process of coming up with some way of satisfying your company’s password policy. I will guess what it is . . . a minimum of seven characters, at least one numeral or special character, and a forced change anywhere from every 30 days to every six months. “This is what was needed to ensure good security,” we were all told. Unfortunately, we all knew it was not true. These rules came from the National Institute of Standards and Technology (NIST), and for 2017 they have received a badly needed upgrade.

What you need to know

The best password is still a long (16-plus characters), randomly generated, complex (alphanumeric and special characters), and unique password, which is easily accomplished with a password manager (see the previous post on password managers). Those passwords are incredibly hard to brute force but very hard for humans to remember.

The NIST guidelines have dropped the complexity song and dance, which created a false sense of security and made it harder for users to create a password. For most users, the complexity requirement is met by adding a “1” or a “!” at the end, or by being super crafty and replacing an “e” with a “3” or an “S” with a “$,” substitutions that every cracking application already knows.

The guidelines have also removed the requirement to change passwords frequently. Humans are creatures of habit, and forcing them to change their password results in predictable new passwords (for example, from “12345” to “54321”). It also results in users writing their passwords on a Post-it® note and sticking it to their monitors.

Finally, the minimum password length has been raised to eight characters, and passwords of up to 64 characters are allowed. I feel eight characters is not enough, but it may have been needed for some legacy government systems. It is a fact that longer passwords are better, and against today’s highly optimized hardware password crackers, eight characters is just not enough.

The NIST guidelines help users make better passwords, but users will always complain that coming up with memorable passwords of 16 or more characters is impossible. Here is an easily remembered technique for creating stronger passwords.

Now, if you could only get users to not reuse that password on every site . . . sigh.
