Everything you know about passwords is wrong.

Make a nonsensical, memorable password

It’s a well-known fact: Security and Usability are sworn enemies. When we make our computers more secure, we make computer users more miserable. Right?

Not necessarily.

Let’s review the most recent guidance from the National Institute of Standards and Technology (NIST) on the topic of passwords. (Spoiler alert: their new guidance is totally user-friendly.)

But first, let’s frame the conversation.

Who hates passwords?
WE HATE PASSWORDS!

And who loves passwords?
HACKERS LOVE PASSWORDS!

Why?
BECAUSE WE MAKE TERRIBLE PASSWORDS!

We know, intuitively at least, that a password should be easy to remember and difficult to guess.

But over the past decade, the rules for password complexity and password changes have led users to create passwords that are difficult to remember — and easy for hackers to guess.

Don’t misunderstand — we need good passwords. According to the Verizon Data Breach Investigations Report, compromised passwords are responsible for 81% of hacking-related breaches.

That’s why NIST — the non-regulatory government agency that develops technology standards for passwords (among many other things) — has revised its guidance for passwords.

Here’s a short, sweet, simple summary of their new guidelines for password creation:

Make one long password for each system you need to access.

That’s it. Make a long password for each system.

This is because each additional character in a password increases the time required for a hacker to crack a password. See these examples.

rabbit
Cracking this password takes approximately 0.01 seconds

mybluerabbit
Cracking this password takes approximately 22.96 seconds

blue rabbit nine hats
Cracking this passphrase takes approximately 3 thousand years

My blue rabbit has nine hats
Cracking this passphrase takes approximately 14 trillion years

My blue rabbit has 99 hats!
Cracking this passphrase takes approximately 23 trillion years

Note the transition from a password to a passphrase. The goal is to combine words and characters into a passphrase that is sheer nonsense to a password cracker, but absolutely memorable to you — and only you. In other words, a poem or lyrics to a popular song would be weak, because others will recognize the song or poem. Better to go with a phrase of your own invention.

Of course, a combination of numbers, letters and special characters still helps. Numbers-only passwords are inherently weak since there are only ten possible numerals. However, there are 26 lower-case alphabet characters, 26 more upper-case letters, and approximately 22 special characters (allowed special characters vary by system). Each additional character set increases the passphrase’s complexity and the difficulty of a brute-force attack.

So if My blue rabbit has 99 hats! is strong (23 trillion years), then My 6lue r@bb1t has 99 ha+s! is stronger (500 trillion years to crack). But which one is easier to remember? Probably the first one, which only takes 23 trillion years to crack. Realistically, the sun will sputter out in about eight billion years, so I think you’re safe with the more memorable version — for now, anyway, since password guidance will undoubtedly be updated in the future to account for improved password-cracking techniques.
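To see why length outweighs character classes, here is an added Python example (not from the article or from passwordmonster.com) that sizes the brute-force search space for the article’s own passwords using its character-class counts (10 digits, 26 lower-case, 26 upper-case, about 22 special characters, with space counted as special). The guess rate of 10 billion per second is an assumed figure, and the pure exhaustive-search model here is simpler than the dictionary-aware estimator the article quotes, so the years differ from the article’s numbers.

```python
import math

# Character-class sizes as the article gives them: 10 digits, 26 lower-case,
# 26 upper-case and roughly 22 special characters (space counted as special).
CLASS_SIZES = {"digit": 10, "lower": 26, "upper": 26, "special": 22}

# Assumed attacker speed (constructed figure): 10 billion guesses per second,
# in the range of a GPU rig working against a fast, unsalted hash.
GUESSES_PER_SECOND = 1e10

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def classify(ch: str) -> str:
    """Map one character to the class the article counts it in."""
    if ch.isdigit():
        return "digit"
    if ch.islower():
        return "lower"
    if ch.isupper():
        return "upper"
    return "special"


def brute_force_keyspace(password: str) -> int:
    """Number of candidates an exhaustive search must cover:
    (combined size of every character class present) ** length."""
    alphabet = sum(CLASS_SIZES[c] for c in {classify(ch) for ch in password})
    return alphabet ** len(password)


def bits_of_strength(password: str) -> float:
    """log2 of the keyspace, the usual way to state brute-force resistance."""
    return math.log2(brute_force_keyspace(password))


def expected_crack_years(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected years to hit the password: half the keyspace at `rate` guesses/s."""
    return brute_force_keyspace(password) / 2 / rate / SECONDS_PER_YEAR


if __name__ == "__main__":
    # The article's examples plus "Ra6b!t", a six-character password drawing on
    # all four classes, to show that extra characters beat extra classes.
    for pw in ["rabbit", "Ra6b!t", "mybluerabbit", "blue rabbit nine hats",
               "My blue rabbit has 99 hats!"]:
        print(f"{pw!r:32} {bits_of_strength(pw):6.1f} bits "
              f"{expected_crack_years(pw):.3g} years")
```

The six-character, four-class "Ra6b!t" has a far smaller keyspace than the twelve-character, lower-case-only "mybluerabbit", which is the article’s point in numbers.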

Meanwhile, there’s more to the updated NIST password guidelines, but the best and brightest takeaway is the simplest: Password length is more important than password complexity. It’s more fun, too.

(Password estimates by passwordmonster.com)