You've been using passwords wrong! Security experts issue new guidelines that go against everything you know
All products and promotions are independently selected by our experts. To help us provide free impartial advice, we will earn an affiliate commission if you buy something. Click here to learn more
You don't need to worry about memorising a random jumble of letters, numbers, and symbols
- New guidelines from NIST contrasts with years of common practices
- The US government agency plays an influential role in cybersecurity worldwide
- You should not rely on complex alpha-numeric passwords
- Instead, focus on longer passwords made up of recognisable words
- Song lyrics, common phrases, and lines of poetry can all work as a passphrase
- NIST suggests allowing people to use up to 64-characters for their passwords
- Companies should not force employees to regularly change passwords, it adds
- Studies show this regularly causes the strength of passwords to deteriorate
- Password managers will still be critical to store login details
- As we move to passkey and other new technologies, these apps will stay helpful
Don't Miss
Most Read
Trending on GB News
Chances are, even if you rely on 'password123' to login to your online account, you probably know that best practice says you should use a complex password that mixes letters and numbers and is regularly changed.
Except that, it turns out that might not be the best way to keep your digital data under lock and key.
That's according to new guideance issued by the National Institute of Standards and Technology (NIST) — a government agency that sits under the umbrella of the United States Department of Commerce — that marks a significant shake-up to cybersecurity advice.
Get started with NordPass password manager for FREE
With NordPass, you'll be able to generate long and unique passwords for every online account that will be encrypted and stored in your own personal digital vault. NordPass, from the team behind the award-winning NordVPN, has apps for dozens of devices, from iPhone to Android, Windows to Mac. It will even warn you when a service you use has been compromised in a hack
The new recommendations for US citizens, published last month, suggests moving away from complex passwords and frequent changes towards longer, simpler passwords that stay-in-place for longer.
Of course, the NIST has no direct authority in the UK, but its guidelines are widely respected and are extremely likely to influence password policies globally. This change reflects a growing consensus among security experts that traditional password practices may be counterproductive to online safety.
- View Deal | Get started with NordPass for £0
- View Deal | Get started with 1Password for £0
- View Deal | Get started with Dashlane for £0
For years, cybersecurity experts advocated for complex passwords combining upper and lowercase letters, numbers, and symbols as these were believed to be more secure against hacking attempts.
However, the latest guidelines from the NIST challenge this approach and claims longer passwords are more effective than complex ones. This shift comes as multiple studies revealed users often struggle to remember intricate passwords, leading to poor security habits like reusing passwords across multiple sites, relying on easily guessable patterns, or worst of all, writing down their passwords.
Angela Sasse, from University College London, told The Times: "I hope this will be a tipping point. There’s been this idea in the security community that if we make something easier, it makes it less secure."
The latest guidance from the National Institute of Standards and Technology is in direct conflict with many common-held assumptions about passwords
GETTY IMAGESNIST now advises against forcing periodic password changes even few months — another common cybersecurity practice, especially within large corporations. Once believed to be essential to maintain strong security practices, this usually results in employees picking weaker and weaker passwords each time.
"You can’t ignore actual human capabilities,” she adds. "When you use a password, it’s embedded in your memory. After you change it, your memory struggles — the old one is still embedded. It has been demonstrated with large scale databases that the more often passwords expire, the weaker they get."
NIST now recommends allowing users to create passwords up to 64 characters in length. A 64-character password using only lowercase letters would be extremely difficult to crack, whilst including capitals and symbols would make it nearly mathematically impossible.
Critically — these lengthy passwords do not need to be a random jumble of characters, but can be passphrases, poems, or song lyrics so they're easier to recall, reducing the likelihood of insecure practices, like writing passwords down.
Password managers are likely to play a crucial role in implementing these new security recommendations for most people. For those unfamiliar, this applications offer a secure vault to create store unique, lengthy passwords for every online account — without the burden of memorisation. You only need to recall a single password (to unlock the vault itself) and then everything else is auto-filled on your device with a tap.
Many of these services, like 1Password, Dashlane, and NordPass, to name just a few, can use the biometric security features on your smartphone, tablet, or laptop — like fingerprint or facial recognition — to unlock the vault too.
Apple has launched its own standalone password manager app across iPhone, iPad and Mac with its latest free software update.
Despite the push for stronger passwords, many users still rely on easily guessable combinations. According to NordPass, the most common password of 2023 was "123456", used over 4.5 million times. Other weak passwords in the top 10 included "admin", "12345678", and "password".
Ethical hacker Joe Cockroft warns against using identifiable information like favourite football teams or family names in passwords since these details can all be easily guessed from social media profiles.
For the best results, use these tips when setting a new password:
- Create unique passwords for each account
- Use passphrases of at least 15 characters
- Avoid easily guessable information
- Consider adopting a password manager
- Embrace newer authentication methods, like passkey, wherever available
As we transition away from traditional passwords, password managers will continue to play a vital role in online security since these tools not only generate and store complex passwords but also facilitate newer authentication methods, like passkeys.
Passwords is a newly designed app for iPhone, iPad, and Mac created by the teams at Apple to manage, generate and store passwords for every website, subscription or app you use. Everything will be accessible across devices and encrypted before it's stored as part of an iCloud plan
APPLE PRESS OFFICE | GBNPasskeys, considered a promising alternative to passwords, are gaining trust among individuals and companies worldwide. Unlike passwords, passkeys are resistant to phishing attacks, making them more secure than one-time codes sent via SMS.
LATEST DEVELOPMENTS
- Update to your Sky Q box will alter 12 popular channels
- WhatsApp announces free upgrade to video calls
- Microsoft confirms when 'privacy nightmare' AI screenshot tool will launch
- Best VPN deals
Major tech companies like Microsoft, Google, and Apple are working together to bring passkeys to the web as an industry standard, signalling a potential future beyond passwords. Elon Musk recently talked about the promise of passkey and enabled this security system across X, formerly Twitter.
The landscape of password security is evolving rapidly. Whilst complex passwords were once the gold standard, experts now recommend longer, simpler passphrases and downloading a password manager, or using a preinstalled tool like the Passwords app on Apple devices or the Password Manager baked into Google Chrome, is important to implement the latest practices.