Password Length = Password Strength
Updated: Jan 5, 2022
It’s time to unlearn everything you thought you knew about password strength.
Here’s the background:
Bill Burr might not be a name you know, but he’s played a big role in your password policies for the last decade and a half. In 2003, while working as a manager at the National Institute of Standards and Technology (NIST) he created best practices for passwords, which were put in place by companies all over the world. The ever familiar variety of upper and lowercase letters, numbers, specials characters, coupled with frequent password rotation, supported Bill’s idea that the more complex you make a password, the harder it is to crack.
However, consider the number of sites that require passwords. Nobody wants passwords that are difficult to remember. So it turns out, we go to great lengths to make them simple. This leads to bad passwords, which compromise data security. This is why Bill’s policy failed. It didn’t account for human factors.
For example, “a” is substituted with “@”. Or updating a password equates
to adding a number to the end of the prior password.
In 2017, the NIST went back to the drawing board and released a new set of password standards. This time they embraced the philosophy that the easier a password is to remember, the better it may be. The current standards suggest that length is more important than character/symbol/number variations.
In other words, “P@ssw0rd!” is not as strong as “DiscreetWordsSiteStrength”.
So what does this mean for you?
You are always on the front line of protecting your own data. Although standards are changing, there are still people clinging to old modes of thinking. We believe an informed and educated consumer is the best consumer and we have a part in fostering this education and dialogue. Next time you log onto any site with your sensitive data, consider updating your password. And remember, the longer the better.