Password Guidelines Changed – What to Do Now?

In the last post we looked at the startling news from August 2017, that had us all scratching our heads on the topic of “strong passwords.” Seems like everything we had been taught to do was now deemed wrong!

If you missed that post, I suggest reading that first. Miss that UPDATE Part 1? CLICK HERE to catch up!

This post, UPDATE Part 2, picks up right where Part 1 left off.



Have You Done This with YOUR Password?

We human beings are such predictable critters! The 2003 National Institute of Standards and Technology guidelines for passwords (authored by Bill Burr) led us astray and left our accounts vulnerable to hacking. In addition to what we covered in September’s post, is the thought that passwords needed to be changed frequently. How often have we been notified that, your current password has expired? Turns out that changing our passwords every 90 days made our accounts easier prey for hackers. Here’s how.

To keep OUR lives simple, we’d typically (and predictably) update our current password by adding something very simple – a single letter, number, or punctuation – to the end. Sometimes we might add our birth year, age, or other bit of personal info generally available as digital data points. These bits of personal info have been aggregated over time through multiple online sources and comprise a readily accessible digital database. Scary stuff.

Human nature also worked to our disadvantage because we believed in the invincibility of our STRONG passwords. We thought, “Why not use that ONE strong password for multiple accounts?” This further compounded our vulnerability.

It’s okay, we have some solutions ahead!


10 NEW Password Habits to Embrace

First, break yourself of ALL of the Bad Password Habits listed in last month’s post and replace those old habits with these NEW ones! In 2017, the National Institute of Standards and Technology updated their password guidelines to include things like these.

  1. Use long 20-40+ character passwords
  2. Use multi-word phrases (passphrases)
  3. Use odd and obscure words
  4. Eliminate all word pairings
  5. Use words completely unrelated to each other
  6. Separate these words with spaces
  7. Create as much randomness as possible
  8. Think of nonsensical words, phrases, or spellings that might only make sense to you
  9. Include unrelated words from multiple languages
  10. Above all else… Create maximum entropy!


What is Entropy in a Password?

Entropy references several things. In a nutshell, it quantifies how tough a password is to crack. It considers how random it is and how long it would take to bust through. In the “real world” you have likely seen a safe with a combination lock, the type you might see at a convenience store or jewelry shop. These safes have a particular rating from Underwriters Laboratories. For instance, a safe with a “UL TL 15” burglary rating means that, “The door successfully resist entry for a net working time of 15 minutes when attacked with common hand tools, picking tools, mechanical or portable electric tools, grinding points, carbide drills and pressure applying devices or mechanisms.”

Think of “bits of entropy” as the things that determine the “burglary rating” of your password. The MORE bits of entropy you have in your password, the harder it will be to crack your online safe. The recommendation for LONG passwords/passphrases comprised of random words = MORE entropy!


A Few More Things You’ll Want to Know

How do you put all this into practical application in a way that will keep you sane and protect your accounts from the ner-do-wells out there? Click through to November’s post where we wrap up this extended series on Password Security and give you simple steps to make those online accounts as safe as possible!


estate_planning_living_trust_preparation_losgatos_Diane M. Brown, Esq.
Working every day to keep my clients out of court!
It’s your money… Let’s keep it that way!
Call 408.376.2755



This blog contains general information and is not meant to apply to a specific situation. Please seek advice of counsel before proceeding as each case is unique.


No comments yet.

Leave a Reply