The NIST’s updated password advice: use passphrases

MacBook, coffee mug, and cactus

Last updated on March 19th, 2023

For years, password creation advice has consisted of variations on “use a mix of lower case letters, upper case letters, numbers, and special characters.” There’s also “change passwords regularly” and “make sure it’s memorable, but not based on real words.” Given the complexity of all of this, it’s probably not surprising that we end up with situations like a history of poorly created passwords.

Now, it seems there’s been an official shift in thinking. The National Institute of Standards and Technology (NIST) has changed its long-standing password advice, created by then-manager Bill Burr back in 2003. To quote NPR’s article:

“The traditional guidance is actually producing passwords that are easy for bad guys and hard for legitimate users,” says Paul Grassi, senior standards and technology adviser at NIST, who led the new revision of guidelines.

The organization suggests keeping passwords simple, long and memorable. Phrases, lowercase letters and typical English words work well, Grassi tells NPR’s Audie Cornish. Experts no longer suggest special characters and a mix of lower and uppercase letters. And passwords never need to expire.

Basically, users should create long, random (but memorable) passphrases instead of passwords. Even Bill Burr, the NIST manager who wrote the original password creation advice, now feels his original advice is flawed.

The merits of passphrases

Some have advised using passphrases for awhile now. Their main advantage over passwords is simply their length; the longer it is, the more resources and time it’ll take for a miscreant’s computer to guess it (via a brute force attack). “B@tman1939” fits the usual password creation advice, but “BatmanCreatedDuringGreatDepression” is supposedly more secure. (Note: do not use these or any of the other examples of passwords/passphrases in this post.)

The webcomic “xkcd” has a well-known strip touting the merits of creating passphrases, for the reasons the NIST cite above.

Passphrase creation tips

Password screen
Photo by Marc Falardeau (Flickr / CC BY)

One site offering help with creating passphrases is Diceware, a site offering a list of random words (and means of selecting them).

If going with passphrases, there’s a few things to keep in mind:

  • They need to be sufficiently long (which is the point). Diceware recommends at least six words, or five words plus an extra character.
  • Don’t use a famous quotation, religious scripture, saying, or character from popular culture. So no “That’s All, Folks,” “four score and seven years ago,” or “Batman: The Dark Knight Returns.”
  • It should still be hard to guess, even by someone who knows you.
  • A passphrase should be easy to remember.
  • It should be easy to type accurately.
  • Don’t reuse passphrases on more than one account.

Some also recommend combining the old password creation advice with the use of a passphrase. For example, “B@rtSimpson89! Saxophone Donuts Skateboard Beehive.”

Use a password manager (still my advice)

Even if you go the passphrase route, I’d still recommend using a password manager such as LastPass. Password managers can generate passphrase-length random passwords and manage/store all of them. It’s better than trying to remember dozens of unique passwords/passphrases for multiple websites.

A passphrase could then just be used for, say, the password manager itself, or a few other uses (such as computer logins).

How do you feel about passphrases, or password creation in general?

Anthony Dean

Anthony Dean is the owner of Diverse Tech Geek and Diverse Media Notes.

View all posts by Anthony Dean →

Leave a Reply

Your email address will not be published. Required fields are marked *