Break the old password rules

The National Institute of Standards and Technology (NIST) has thrown out the old password rules. Life can be safer and easier following two new simple rules.

6/3/2025

Old rules:
  1. Use uppercase and lowercase.

  2. Include numbers.

  3. Include punctuation.

  4. Don't use dictionary words.

  5. Make it at least 8 characters long.

  6. Don't use personal information, like your birthdate.

  7. Create a password with a random password generator.

New simpler, safer rules

The National Institute of Standards and Technology (NIST) has issued new, simpler rules:

  1. Use 15 or more characters.* They can be just letters. You can use multiple words.

  2. Don't use a password that appears in a breached password list.

Why the change?

Passwords like "45Mgy9-vJpo661" are strong, but hard to memorize. So you are apt to write them down in places where they are easily discovered. A password like this is much safer: yellowoverviewhilltop.

It breaks old rules 1, 2, 3, 4 and 7. NIST has thrown out those rules. You can, too!

The 21-character password, "yellowoverviewhilltop", is 128 times stronger than the randomly-generated 14-character password, 45Mgy9-vJpo661, despite its mix of numbers, letters and punctuation. And a password like "yellowoverviewhilltop" is much easier to memorize if you associate it in your mind with a made-up picture. For example, you could visualize viewing a yellow field from a lookout spot on a hilltop.

A three-word password is so memorable, with the help of a mental picture, that you don't need to have it instantly available. You can afford to write it down on a couple of pieces of paper and stash them in very secure places. If you forget your password, it will take you more time to retrieve it, but that shouldn't happen often with an easy-to-memorize password.

With the old password rules, too many people relied on being able to quickly refer to written-down passwords close at hand.

What about password managers?

Password managers are wonderful! You can not only save and use many longer passwords safely, you can also fill them into websites without having to type them over and over. Yet with a password manager, you still need a single password that you have immediately available, either in your mind or at hand.

So for your main, password manager password, follow the two new rules:

  1. 15 or more characters.*

  2. Not a password that appears in a breach list.

How do you know if your password is not on a breach list? That's easy.

Password breach list

The website, https://haveibeenpwned.com lets you enter a password to see if it has appeared in any password breaches. Experts will tell you to never test your password on some webpage. It is true that the owner could collect anything you enter. However, Have I Been Pwned has a long, solid reputation. In any event, the chances are negligible that your three-word password created from random words is already on a breach list.
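Here is how a breach-list check can be done without handing the password itself to anyone. This is an added example, not code from the post or from Have I Been Pwned: it hashes the password with SHA-1 locally, sends only the first five hex characters of the hash to the real Pwned Passwords range endpoint (https://api.pwnedpasswords.com/range/, assumed reachable for the live path), and scans the returned list on your own machine. The sample response and its counts are constructed for the offline demo; the only real value in it is the SHA-1 of the string "password". A second function combines the breach check with the 15-character rule.

```python
"""Check a password against a breached-password list without sending the
password: only a 5-character hash prefix leaves the machine (k-anonymity).
Added example; not the author's code and not Have I Been Pwned's."""
import hashlib
import urllib.request

# Real endpoint of the Pwned Passwords range API. Assumed reachable when the
# live path is used; the offline demo below never calls it.
RANGE_URL = "https://api.pwnedpasswords.com/range/"

# SHA-1 of the literal string "password" is
# 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so its prefix is 5BAA6.
# CONSTRUCTED sample of a range response for that prefix: one line per hash
# sharing the prefix, giving the remaining 35 hex digits and a breach count.
# The other two suffixes and all three counts are made up for the demo.
SAMPLE_RANGE_5BAA6 = (
    "003D68EB55068C33ACE09247EE4C639306B:4\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345\n"
    "2A1F3C5B7D9E0F1A2B3C4D5E6F708192A3B:1\n"
)


def split_sha1(password: str) -> tuple:
    """Return (5-char prefix, 35-char suffix) of the uppercase hex SHA-1."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(range_body: str, suffix: str) -> int:
    """Scan a range response locally for our suffix; 0 means not found."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        hash_suffix, _, count = line.partition(":")
        if hash_suffix == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Live lookup: every hash sharing the 5-char prefix (network required)."""
    req = urllib.request.Request(
        RANGE_URL + prefix, headers={"User-Agent": "passphrase-check-example"}
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def offline_fetch(prefix: str) -> str:
    """Stand-in for fetch_range that serves the constructed sample (demo only)."""
    assert len(prefix) == 5, "only a 5-character prefix may leave the machine"
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


def breach_count(password: str, fetch=fetch_range) -> int:
    """How many times the password appears in the breach corpus (0 = never)."""
    prefix, suffix = split_sha1(password)
    return count_in_range(fetch(prefix), suffix)


def check_new_rules(password: str, fetch=fetch_range, min_length: int = 15) -> list:
    """Return the list of rule violations; an empty list means it passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    hits = breach_count(password, fetch)
    if hits:
        problems.append(f"appears in breach list ({hits} times)")
    return problems


if __name__ == "__main__":
    for pw in ("password", "yellowoverviewhilltop"):
        print(pw, "->", check_new_rules(pw, fetch=offline_fetch) or "OK")
```

Pass `fetch=offline_fetch` to run against the constructed sample, or leave the default to query the live service; either way the full password and its full hash never leave your computer.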

Three-Word Password Generators

xkpassword will generate three-word passwords with many optional variations to make them (unnecessarily) stronger. Here are examples it just created:

  • WorkersSeedsSettled

  • FatherPlanExactly

  • NeedleAdvanceFraction

  • DecidedCityWomen

  • StartIndustryForever

  • MontanaGrewFactories

You don't need to use the uppercase letters. They make it easier to read but fussier to type, especially on a phone.

The generator I use is built into BitWarden, my password manager.
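The following is an added example of how such a generator works; it is not code from the post, from xkpassword or from BitWarden. It draws words with Python's `secrets` module (a cryptographically secure source, unlike `random`), retries until the joined result reaches the 15-character minimum, and reports the randomness of the result from the word-list size and word count. The word list is constructed for the demo; real generators use lists of thousands of words, and the entropy figure depends directly on that size.

```python
"""Three-word passphrase generator with a length floor and an entropy estimate.
Added example; not the author's, xkpassword's or BitWarden's code."""
import math
import secrets

# CONSTRUCTED word list for the demo. A real generator draws from thousands
# of words; the entropy reported below scales with the list size.
WORDS = [
    "yellow", "overview", "hilltop", "workers", "seeds", "settled",
    "father", "plan", "exactly", "needle", "advance", "fraction",
    "decided", "city", "women", "start", "industry", "forever",
    "montana", "grew", "factories", "river", "copper", "lantern",
]


def choose_words(words, count=3):
    """Pick `count` words uniformly at random with a CSPRNG (secrets)."""
    return [secrets.choice(words) for _ in range(count)]


def generate_passphrase(words, count=3, min_length=15, separator="", capitalize=False):
    """Join randomly chosen words; retry until the result meets min_length.

    Rejecting short combinations discards a little entropy, so keep the word
    list long enough that rejections are rare. Capitalizing is deterministic
    and adds no randomness; it only helps readability.
    """
    longest = max(len(w) for w in words)
    if longest * count + len(separator) * (count - 1) < min_length:
        raise ValueError("word list too short to ever reach min_length")
    while True:
        chosen = choose_words(words, count)
        if capitalize:
            chosen = [w.capitalize() for w in chosen]
        phrase = separator.join(chosen)
        if len(phrase) >= min_length:
            return phrase


def entropy_bits(list_size, count):
    """Randomness of `count` independent picks from `list_size` words, in bits."""
    return count * math.log2(list_size)


if __name__ == "__main__":
    for _ in range(3):
        print(generate_passphrase(WORDS))
    print(generate_passphrase(WORDS, capitalize=True))
    print(f"{len(WORDS)}-word list, 3 words: {entropy_bits(len(WORDS), 3):.1f} bits")
    print(f"7776-word list, 3 words: {entropy_bits(7776, 3):.1f} bits")
```

The entropy function is the check a practitioner runs before trusting a generator: the strength of a word-based passphrase comes from how many words the list has and how many are picked, not from capitalization, digits or punctuation added afterwards.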

Next Steps

At a minimum, inspect your most important passwords and replace them. Any password that uses a single dictionary word plus a number or punctuation needs to go. That is true even if you use "clever" letter substitutions like H0rs3s!

Better yet, download a free password manager such as BitWarden and spend a little time moving all your passwords into it, changing the ones that don't yet follow the two new rules.

* The actual NIST standard requires "a minimum of 8 characters" and says verifiers "should" require "a minimum of 15 characters." I have used 15 because 8 is just too short these days!