The New Password Rules: Everything You Thought You Knew Is Wrong

It turns out that everything you thought you knew about creating a secure password is wrong. You know the rules: mix letters and numbers, use special characters like pound signs or exclamation points, use both capital and lowercase characters, make it 10 to 12 characters long, and make sure it isn’t an actual word or phrase. Something like U2kx9H3&*7q! would be ideal. Plus, change that password every 30 to 90 days. Well, guess what? The guy who came up with those rules says they’re all wrong. These strong-password rules have been adopted by companies, the government, and websites. Turns out they aren’t that effective. Yes, U2kx9H3&*7q! is safer than 123456 or “password” as a password. But how much safer?


Bill Burr came up with these rules 18 years ago while working for the National Institute of Standards and Technology. It turns out that since these passwords are harder to remember, people tend to go for the simplest ones that satisfy the rules. Plus, when they are forced to change them, they often only change one or two characters. Also, knowing that a site requires one capital letter and one special character narrows the search space for anyone guessing passwords.

Most hackers aren’t trying to guess your password manually. They’re using a program that generates combinations of letters, numbers, and symbols and tries every one of them. So you end up with passwords that people have trouble remembering but computers can guess fairly easily.

So what are the new rules?

  1. No more changing passwords every month or two.
  2. Get rid of requirements for upper/lower case letters, numbers, and special characters.
  3. Create a password up to 64 characters in length. An uncommon phrase familiar only to you is a good choice. Example: “auntsallylovesgreentomatopicklesbutonlyinseasonwithhomemadebread”
  4. Check all passwords against lists of frequently used passwords or passwords that have been compromised. Pwned Passwords (part of Have I Been Pwned) will let you know if your password has appeared in any known data breaches.
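Rule 4 is usually implemented so that the password itself never leaves your machine: the client hashes the password with SHA-1, sends only the first five hex characters of the hash, receives every breached hash suffix under that prefix, and does the matching locally. The example below is added here to show both halves of that exchange offline; it is not code from the article or from Have I Been Pwned, and the `BREACHED` table and its counts are constructed sample data, not real breach figures.

```python
import hashlib

# Constructed stand-in for a breach corpus (counts are made up for the example).
BREACHED = {"123456": 23547453, "password": 3730471, "qwerty": 3946737}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form used for range lookups."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_server(prefix: str) -> str:
    """Server side of the lookup: given a 5-char prefix, return one
    'SUFFIX:COUNT' line for every stored hash that starts with it.
    The server never learns which suffix the client is interested in."""
    assert len(prefix) == 5, "only a 5-character prefix is ever sent"
    lines = []
    for pw, count in BREACHED.items():
        h = sha1_hex(pw)
        if h.startswith(prefix):
            lines.append(f"{h[5:]}:{count}")
    return "\n".join(lines)


def breach_count(password: str, lookup=range_server) -> int:
    """Client side: hash locally, send only the prefix, match the suffix at home.
    Returns how many times the password appeared in the corpus (0 = not found)."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in lookup(prefix).splitlines():
        got_suffix, _, count = line.partition(":")
        if got_suffix == suffix:
            return int(count)
    return 0


def sent_to_server(password: str) -> str:
    """What actually crosses the wire for a given password: 5 hex chars."""
    return sha1_hex(password)[:5]


if __name__ == "__main__":
    for candidate in ("password", "auntsallylovesgreentomatopickles"):
        print(candidate, "->", breach_count(candidate), "breaches")
```

This is why entering a password into such a checker is less exposed than it looks: the server sees a 5-character prefix shared by many unrelated passwords, never the password or its full hash.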


Though many tech companies have been pushing for more biometrics, the new NIST rules warn against relying too heavily on facial recognition, fingerprints, and retina scans, saying these should only be one part of security. Among the suggestions for businesses and others trying to make accounts secure:

  1. No more security questions or password hints.
  2. A delay of at least 30 seconds after a failed password attempt and allowing no more than 5 consecutive attempts to input a password before shutting down the account.
  3. Require multi-factor authentication.
  4. Do away with requirements for special characters, capital letters, and numbers.
  5. Allow passwords up to 64 characters in length.
  6. Don’t require users to change passwords unless there’s an issue.
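The server-side half of this list can be stated as a small policy: length bounds plus a blocklist check in place of composition rules, a 30-second delay after a failed attempt, and a lockout after five consecutive failures. The code below is an added example of that policy, not code from the article or from NIST; the 8-character minimum comes from NIST SP 800-63B rather than this page, and the clock parameter is an assumption so the throttle can be tested without waiting.

```python
import time

MIN_LEN, MAX_LEN = 8, 64            # 64 from the article; 8 is NIST's floor for user-chosen passwords
MAX_CONSECUTIVE_FAILURES = 5        # "no more than 5 consecutive attempts"
FAILURE_DELAY_SECONDS = 30          # "a delay of at least 30 seconds after a failed attempt"

# Constructed blocklist; a real deployment uses a full breached/common-password corpus.
BLOCKLIST = {"password", "123456", "qwerty", "letmein"}

EXAMPLE_PHRASE = "auntsallylovesgreentomatopicklesbutonlyinseasonwithhomemadebread"


def check_password_policy(password: str, blocklist=BLOCKLIST) -> list:
    """Return the list of policy violations. Deliberately no rules about
    upper/lower case, digits or symbols, and no expiry date on the password."""
    problems = []
    if len(password) < MIN_LEN:
        problems.append("too short")
    if len(password) > MAX_LEN:
        problems.append("too long")
    if password.lower() in blocklist:
        problems.append("found in breached/common list")
    return problems


class LoginThrottle:
    """Tracks consecutive failures per user: enforces the post-failure delay
    and locks the account once the failure budget is spent."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock                      # injectable for testing (assumed interface)
        self.failures = {}                      # user -> (consecutive failures, time of last failure)
        self.locked = set()

    def attempt_allowed(self, user: str):
        if user in self.locked:
            return False, "account locked; contact support"
        count, last = self.failures.get(user, (0, None))
        if count and self.clock() - last < FAILURE_DELAY_SECONDS:
            return False, "retry after delay"
        return True, ""

    def record(self, user: str, success: bool) -> None:
        if success:
            self.failures.pop(user, None)       # a good login resets the consecutive count
            return
        count = self.failures.get(user, (0, None))[0] + 1
        self.failures[user] = (count, self.clock())
        if count >= MAX_CONSECUTIVE_FAILURES:
            self.locked.add(user)
</test>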

What do you think about the new rules? Does it seem like a simpler way to do things? Let us know in the comments.

7 thoughts on “The New Password Rules: Everything You Thought You Knew Is Wrong”

  1. It appears the reason for the new advice is that hackers used to know something about you – city, birthday, etc – common easy passwords – but now the hacker uses his computer and bombards the target with thousands of possible passwords. I used to believe that using first letters of a known expression would do the trick. Now it seems bulk over complexity.

    1. The reason for the length is that the longer the phrase, the longer it takes the computer to come up with possible combinations. It takes longer to crack, King Phillip Came Over For Good Scones than KPCOFGS.

  2. Why input a password into a website to see if it has been compromised? Seems illogical and open to more exposure to hacking.

  3. Thanks for the information.

    I have been retired for a number of years, so my need for extra password security is minimal beyond banking websites. However, I find it difficult to use even the simplest passwords without automatic logins. I can’t imagine attempting to type a 20-character password every time I wanted to open a system or access a website, let alone 64 characters.

    I recently had an issue with paying one of my credit cards. With a change in the bank’s security system, I could no longer save the login and password, and they limit the number of attempts to access the site to no more than five; I think it is three tries. Failure locks the system. The solution is to call customer service to have the account unlocked.

    The last time this happened, I was walked through the process of clearing my cache, which included every login ID and password. I did get access to this account but I am still trying to access accounts that I don’t use on a regular basis.

    With a banking app I understand the issue. However, to prevent me from accessing an organizational app because the banking app needs special treatment is unacceptable.

    Again thanks for the updates. I appreciate it.
