You've been using passwords wrong! Security experts issue new guidelines that go against everything you know
GETTY IMAGES
All products and promotions are independently selected by our experts. To help us provide free impartial advice, we will earn an affiliate commission if you buy something. Click here to learn more
You don't need to worry about memorising a random jumble of letters, numbers, and symbols
Chances are, even if you rely on 'password123' to login to your online account, you probably know that best practice says you should use a complex password that mixes letters and numbers and is regularly changed.
Except that, it turns out that might not be the best way to keep your digital data under lock and key.
That's according to new guideance issued by the National Institute of Standards and Technology (NIST) — a government agency that sits under the umbrella of the United States Department of Commerce — that marks a significant shake-up to cybersecurity advice.
With NordPass, you'll be able to generate long and unique passwords for every online account that will be encrypted and stored in your own personal digital vault. NordPass, from the team behind the award-winning NordVPN, has apps for dozens of devices, from iPhone to Android, Windows to Mac. It will even warn you when a service you use has been compromised in a hack
The new recommendations for US citizens, published last month, suggests moving away from complex passwords and frequent changes towards longer, simpler passwords that stay-in-place for longer.
Of course, the NIST has no direct authority in the UK, but its guidelines are widely respected and are extremely likely to influence password policies globally. This change reflects a growing consensus among security experts that traditional password practices may be counterproductive to online safety.
For years, cybersecurity experts advocated for complex passwords combining upper and lowercase letters, numbers, and symbols as these were believed to be more secure against hacking attempts.
However, the latest guidelines from the NIST challenge this approach and claims longer passwords are more effective than complex ones. This shift comes as multiple studies revealed users often struggle to remember intricate passwords, leading to poor security habits like reusing passwords across multiple sites, relying on easily guessable patterns, or worst of all, writing down their passwords.
Angela Sasse, from University College London, told The Times: "I hope this will be a tipping point. There’s been this idea in the security community that if we make something easier, it makes it less secure."
The latest guidance from the National Institute of Standards and Technology is in direct conflict with many common-held assumptions about passwords
GETTY IMAGESNIST now advises against forcing periodic password changes even few months — another common cybersecurity practice, especially within large corporations. Once believed to be essential to maintain strong security practices, this usually results in employees picking weaker and weaker passwords each time.
"You can’t ignore actual human capabilities,” she adds. "When you use a password, it’s embedded in your memory. After you change it, your memory struggles — the old one is still embedded. It has been demonstrated with large scale databases that the more often passwords expire, the weaker they get."
NIST now recommends allowing users to create passwords up to 64 characters in length. A 64-character password using only lowercase letters would be extremely difficult to crack, whilst including capitals and symbols would make it nearly mathematically impossible.
Critically — these lengthy passwords do not need to be a random jumble of characters, but can be passphrases, poems, or song lyrics so they're easier to recall, reducing the likelihood of insecure practices, like writing passwords down.
Password managers are likely to play a crucial role in implementing these new security recommendations for most people. For those unfamiliar, this applications offer a secure vault to create store unique, lengthy passwords for every online account — without the burden of memorisation. You only need to recall a single password (to unlock the vault itself) and then everything else is auto-filled on your device with a tap.
Many of these services, like 1Password, Dashlane, and NordPass, to name just a few, can use the biometric security features on your smartphone, tablet, or laptop — like fingerprint or facial recognition — to unlock the vault too.
Apple has launched its own standalone password manager app across iPhone, iPad and Mac with its latest free software update.
Despite the push for stronger passwords, many users still rely on easily guessable combinations. According to NordPass, the most common password of 2023 was "123456", used over 4.5 million times. Other weak passwords in the top 10 included "admin", "12345678", and "password".
Ethical hacker Joe Cockroft warns against using identifiable information like favourite football teams or family names in passwords since these details can all be easily guessed from social media profiles.
As we transition away from traditional passwords, password managers will continue to play a vital role in online security since these tools not only generate and store complex passwords but also facilitate newer authentication methods, like passkeys.
Passwords is a newly designed app for iPhone, iPad, and Mac created by the teams at Apple to manage, generate and store passwords for every website, subscription or app you use. Everything will be accessible across devices and encrypted before it's stored as part of an iCloud plan
APPLE PRESS OFFICE | GBNPasskeys, considered a promising alternative to passwords, are gaining trust among individuals and companies worldwide. Unlike passwords, passkeys are resistant to phishing attacks, making them more secure than one-time codes sent via SMS.
LATEST DEVELOPMENTS
Major tech companies like Microsoft, Google, and Apple are working together to bring passkeys to the web as an industry standard, signalling a potential future beyond passwords. Elon Musk recently talked about the promise of passkey and enabled this security system across X, formerly Twitter.
The landscape of password security is evolving rapidly. Whilst complex passwords were once the gold standard, experts now recommend longer, simpler passphrases and downloading a password manager, or using a preinstalled tool like the Passwords app on Apple devices or the Password Manager baked into Google Chrome, is important to implement the latest practices.