Passwords: Turns Out We’ve Been Doing It Wrong This Whole Time

How To Create A Better Password

Editor’s Note: Hackers will continue to look for new ways to outsmart their targets so, in response, we must remain vigilant when it comes to protecting ourselves and our organizations. The strength of our passwords is key in our efforts to thwart cyber attacks and data breaches. This article was originally published in 2017. However, the message is just as important and valuable as ever. Now then, let’s all improve our password practices!


Ever wonder who’s responsible for today’s password protocol? Think about the rules we’ve all grown to know and love (or at least tolerate) … like using special characters, changing passwords regularly, incorporating irregular capitalization, and making sure to include at least one number … who came up with these standards, and how did they determine their effectiveness?

* Drum roll please *

That would be the National Institute of Standards and Technology.

This organization set a precedent when it published “NIST Special Publication 800-63, Appendix A” back in 2003. It was at that time that the security requirements listed in that publication became standard issue for today’s digital identity guidelines. In retrospect, Bill Burr, NIST manager at the time, admitted that much of the 2003 document was somewhat misguided.

In 2017, several notable security experts took a stab at revising the document. This new version effectively rewrites the rules when it comes to defining the “right” way to craft secure passwords.

Think Smarter, Not Harder

As it turns out, Burr and his colleagues had been recommending passwords that are actually harder for humans to remember, but easier for computers to crack. The crazy password concoctions proposed might seem secure on the surface, but most people end up using the same techniques – and that is what makes them easy for hackers to predict and algorithms to target.

Choose Long-Term Relationships

When it comes to the practice of regularly updating your passwords, the experts now tell us that changing passwords every 90 days is a terrible idea. This almost forces users to make easy-to-crack passwords. When prompted to change their password, people tend to get lazy (shocker) and just change their existing password slightly in order to remember it (i.e., P@$$W0rd123! to P@$$W0rd456!).


Listen to episode 169, “The Cybersecurity Battle Plan For Businesses,” on Rea & Associates’ award-winning podcast, unsuitable on Rea Radio, featuring Paul Hugenberg III.

New Password Best Practices

Instead of using the password protocol that was passed down in NIST’s original document, make it a point to adopt a password strategy that’s actually designed to keep your sensitive data out of the hands of hackers.

  1. Make your passwords longer and leave out the special characters and numbers (unless the website requires them). Crazy combinations don’t help you out security-wise, and they only make the password harder to remember.
  2. Instead, use phrases with punctuation and spaces as passwords. If you can, make the sentence nonsensical and memorable, which will make it almost impossible for cracking tools to make sense of. For example, according to the experts, “Cp@4m3!” could likely be hacked in three days. “Silly button holes drink lemonade,” written as a single phrase, on the other hand, might take 550 years to crack.
  3. Forget about updating your password every 90 days. Unless you know the password is weak or was issued automatically, it’s probably safe to leave it alone.
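As an added illustration (not code from this article, from NIST or from Rea & Associates), here is a small Python check that applies the revised guidance the list above describes: a length minimum instead of composition rules, spaces allowed, screening against a list of common or breached passwords, and, rather than forcing rotation, flagging the trivial “P@$$W0rd123!” to “P@$$W0rd456!” bump. The blocklist, the substitution table and the 8/64 limits are my assumptions drawn from NIST SP 800-63B, not values taken from the article.

```python
import re
from typing import List, Optional

# Constructed example; the tiny blocklist below stands in for a real
# breached-password list, which is what a production check would consult.
MIN_LEN = 8   # SP 800-63B minimum length for user-chosen passwords (assumption)
MAX_LEN = 64  # SP 800-63B requires accepting at least 64 characters (assumption)

COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}

# Character swaps people make to satisfy the old "complexity" rules.
LEET = str.maketrans("@$0134", "asoiea")
TRAILING = re.compile(r"[\d!?.#]+$")


def normalize(pw: str) -> str:
    """Reduce a password to its stem: lowercase it, drop the trailing digits or
    punctuation users bump on forced changes, then undo leet substitutions.
    Both "P@$$W0rd123!" and "P@$$W0rd456!" reduce to "password"."""
    stem = TRAILING.sub("", pw.lower())
    return stem.translate(LEET)


def check_password(candidate: str, previous: Optional[str] = None) -> List[str]:
    """Return the reasons a candidate should be rejected (empty list = accept).
    Spaces and any printable characters are fine; nothing demands symbols,
    digits or mixed case, because length and unpredictability matter more."""
    problems = []
    if len(candidate) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(candidate) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    stem = normalize(candidate)
    if stem in COMMON_PASSWORDS:
        problems.append("matches a commonly used or breached password")
    if previous is not None and stem == normalize(previous):
        problems.append("trivial variation of the previous password")
    return problems


if __name__ == "__main__":
    samples = [("Cp@4m3!", None),
               ("Silly button holes drink lemonade", None),
               ("P@$$W0rd456!", "P@$$W0rd123!")]
    for cand, prev in samples:
        verdict = check_password(cand, prev) or ["accepted"]
        print(f"{cand!r}: {', '.join(verdict)}")
```

Note that the check never asks for a password change on a schedule; the previous-password comparison only runs when the user chooses to change it.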

And for those who use password managers to generate cryptographically secure passwords on the fly, you’re still generally in the clear. However, it’s still important to have one hard-to-crack master password. Use the new guidelines to craft passwords that will truly keep your data secure.

Looking for more ways to protect your company from cybercrime? Email Rea & Associates to speak with a cybersecurity expert today.

By Ty Whittenburg (Columbus office)