New password guidelines for 2017 and beyond

Storing personal and business information in the cloud definitely offers advantages, but not without risk. Whether it’s your online banking site, Dropbox password, or any other online platform, maintaining strong passwords is crucial to keeping your data safe and secure.

Recently, the advice for what constitutes a good password has changed. Since 2003, the National Institute of Standards and Technology (NIST) stood behind its publication called NIST Special Publication 800-63, appendix A. This influential eight-page document proposed guidelines that have been standard-issue security requirements ever since. You’re likely aware of (and annoyed by) some of its proposals, like using special characters, changing your passwords regularly, etc. But in August 2017, Bill Burr and several other security experts rewrote this document from the ground up.

Traditional advice makes passwords harder to remember and easier to crack

As it turns out, Burr and his colleagues had been proposing the use of passwords that make them harder for humans to remember, but easier for computers to crack. A lose/lose situation, for sure. How could this be?

  1. Using a password like P@$$w0rd123! might seem like a good idea, but since 2003 the practice of replacing letters with special characters and numbers has become so widespread that hacking tools try those substitutions first, making such passwords easier to figure out.
  2. Forcing people to update their passwords regularly only weakens passwords because it incentivizes lazy updates. For instance, P@$$w0rd123! might easily be changed to P@$$w0rd456!, which doesn’t really help you out.

Revised password guidelines keep sensitive data safe

Here are some of the revised password guidelines from the NIST that we recommend adopting in your own password strategy. These suggestions may go a long way to keeping your sensitive data out of the hands of hackers.

  1. Make your passwords longer, but (unless the website requires it) don’t worry about special characters and numbers. Trying to remember nonsensical combinations of special characters and numbers doesn’t really help you out security-wise and only makes the password harder to remember.
  2. Make your passwords into phrases replete with punctuation and spaces. If you can, make the sentence nonsensical. For instance, “Giraffe bologna is blue.” is weird enough to be memorable but would take a computer a very long time to crack.
  3. Don’t worry about updating your password every 90 days. Unless you know your password is too weak, it’s probably safe to leave it alone.
  4. Do not reuse passwords from other sites.
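To show how the revised guidelines differ from the old composition rules in practice, here is an added example (not code from the original post or from NIST) of a password acceptance check: length plus a blocklist lookup that first undoes the common letter-for-symbol substitutions, so P@$$w0rd123! is rejected while a plain-English passphrase passes. The minimum length, the tiny blocklist and the substitution table are assumptions constructed for the example.

```python
"""Password acceptance check in the spirit of the revised NIST guidance."""
import re
from typing import Tuple

# Constructed sample blocklist; a real deployment would use a large
# list of breached and commonly chosen passwords instead.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}

# Substitutions that cracking tools already try routinely (assumed table);
# undoing them before the blocklist lookup is what catches P@$$w0rd123!.
LEET_MAP = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i",
                          "3": "e", "4": "a", "5": "s", "7": "t"})


def normalize(password: str) -> str:
    """Lower-case, drop trailing digits/punctuation, then undo leetspeak."""
    base = re.sub(r"[^a-z]+$", "", password.lower())
    return base.translate(LEET_MAP)


def legacy_check(password: str) -> bool:
    """2003-style rule: 8+ chars with upper, lower, digit and symbol."""
    return (len(password) >= 8
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"[a-z]", password) is not None
            and re.search(r"\d", password) is not None
            and re.search(r"[^A-Za-z0-9]", password) is not None)


def revised_check(password: str, min_length: int = 8) -> Tuple[bool, str]:
    """Revised-style rule: length and blocklist only, no composition rules.
    Spaces and punctuation are allowed, so passphrases work unchanged."""
    if len(password) < min_length:
        return False, "too short"
    if normalize(password) in COMMON_PASSWORDS:
        return False, "variant of a common password"
    return True, "ok"


def is_trivial_update(old: str, new: str) -> bool:
    """True when a forced rotation only changed the trailing digits/symbols,
    e.g. P@$$w0rd123! -> P@$$w0rd456!, which adds no real strength."""
    return normalize(old) == normalize(new)


if __name__ == "__main__":
    for pw in ("P@$$w0rd123!", "Giraffe bologna is blue."):
        print(pw, "legacy:", legacy_check(pw), "revised:", revised_check(pw))
```

Note that the legacy rule accepts P@$$w0rd123! and rejects the passphrase, while the revised rule does the opposite.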

Different websites have different standards for accepting a password. Meeting these standards while taking the password guidelines listed above into account will go a long way in minimizing your risk of being hacked.

One way to help secure your clients’ data is to use portals to exchange documents. To learn more, download our e-book: The Power of the Portals.


Jonny Rector

Senior Technology Product Manager