Passwords need Caps, Special Characters, and Numbers. Wrong! According to NIST these are the strongest (and easiest to recall) passwords.

Everything We’ve Been Told About Passwords Is Wrong (According To The Person Who First Told Us)

Staff Writer

There are times when you just know something is not right, but convincing the rest of the world can take some time. For example, the innovation–ahem, insanity–that has become the norm for password conventions.

I’ve often wondered if the people who come up with the ridiculous lists of password requirements are trying to exact vengeance on the world for some horrible childhood trauma they suffered.

Here’s a magnificent example of one of those lists, taken directly from the Attorney General of Texas Child Support site (no, I’m not paying child support in Texas).

1. The password must be exactly 8 characters long.

2. It must contain at least one letter, one number, and one of the following special characters.

3. The only special characters allowed are: @ # $

4. A special character must not be located in the first or last position.

5. Two of the same characters sitting next to each other are considered to be a “set.” No “sets” are allowed. Example: rr, tt

6. Avoid using names, such as your name, user ID, or the name of your company or employer.

7. Other words that cannot be used are Texas, child, and the months of the year.

8. A new password cannot be too similar to the previous password.

9. Example: previous password – abc#1234; unacceptable new password – acb$1243

10. Characters in the first, second, and third positions cannot be identical. (abc*****)

11. Characters in the second, third, and fourth positions cannot be identical. (*bc#****)

12. Characters in the sixth, seventh, and eighth positions cannot be identical. (*****234)

13. The previous 8 passwords cannot be reused.

For those of you who, like me, have been driven b*t$h1t crazy by password requirements such as these, I’ve got great news: you’ve been vindicated! According to an article in the Wall Street Journal, Bill Burr of the National Institute of Standards, who in 2003 originally made the recommendation on which much of this is based, told the Journal, “Much of what I did I now regret.”

After years of cursing at the cyber lords, it would be nice to have someone to blame. However, it really wasn’t Burr’s fault. As Burr recounts it in the article, at the time there wasn’t much, if anything, for him to go on. In fact, the computer administrators at NIST pretty much shut him down cold when he asked to see their passwords so he could get some idea of what people were actually using.

Without any data about the current state of affairs, Burr turned to a 1980 white paper (yes, that’s not only pre-Internet but pre-PC) and used it to come up with his recommendations.

Burr’s suggested password requirements, which included the use of capitals, numbers, and special characters, soon found their way into every nook and cranny of the Internet. And you and I have since cursed the insanity of it all on a daily basis.

NIST has rewritten the recommendations with a startling and very human-centric finding: the best password is a long, memorable phrase of three words or more. For example, “puppies running on the beach.” Now, seriously, how could you ever forget that?

As it turns out, according to a comic referenced in the article, a 44-letter lowercase phrase of four words takes five millennia to crack, versus only three days for a 28-character random string of letters, numbers, and special characters (never mind that you need a photographic memory to remember the latter).
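To make the column’s point concrete, here is an added example (not code from the article, from NIST, or from the Texas site) that encodes the 13-rule list quoted above as a checker, estimates how much of the nominal 8-character keyspace those rules actually leave, and compares that with the entropy of a random multi-word passphrase and with a length-plus-blocklist check in the spirit of the revised NIST guidance (SP 800-63B). Assumptions, labelled in the code: letters of either case are allowed (a 65-symbol alphabet), a Diceware-sized word list of 7776 words, and a small constructed blocklist standing in for a real compromised-password list; rule 8 (“not too similar”) is omitted because the page does not define it precisely.

```python
import math
import random
import string

# Added example, not code from the article or from the Texas child-support site.
# It encodes the rule list quoted in the article as a checker, estimates how much
# of the nominal 8-character keyspace those rules leave, and contrasts that with
# the entropy of a random multi-word passphrase and with a length-plus-blocklist
# check in the spirit of the revised NIST guidance (SP 800-63B).

ALLOWED_SPECIAL = "@#$"                                         # rule 3
# Assumption: letters of either case are allowed, giving a 65-symbol alphabet.
ALPHABET = string.ascii_letters + string.digits + ALLOWED_SPECIAL
MONTHS = ("january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december")
BLOCKED_WORDS = ("texas", "child") + MONTHS                     # rule 7


def passes_legacy_policy(pw, previous=(), user_words=()):
    """Return True if pw satisfies the rule list quoted in the article.

    previous: the user's password history, newest last (rule 13).
    user_words: user-specific names to forbid, e.g. user ID, employer (rule 6).
    Rule 8 ("not too similar") is not specified precisely enough to encode.
    Rules 10-12 (three identical adjacent characters) are already implied by
    rule 5 (no two identical adjacent characters), so one check covers them.
    """
    if len(pw) != 8:                                            # rule 1
        return False
    if any(c not in ALPHABET for c in pw):                      # rule 3
        return False
    if not (any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)
            and any(c in ALLOWED_SPECIAL for c in pw)):         # rule 2
        return False
    if pw[0] in ALLOWED_SPECIAL or pw[-1] in ALLOWED_SPECIAL:   # rule 4
        return False
    if any(pw[i] == pw[i + 1] for i in range(len(pw) - 1)):     # rules 5, 10-12
        return False
    low = pw.lower()
    forbidden = BLOCKED_WORDS + tuple(w.lower() for w in user_words)
    if any(w in low for w in forbidden):                        # rules 6, 7
        return False
    if pw in tuple(previous)[-8:]:                              # rule 13
        return False
    return True


def legacy_effective_bits(samples=200_000, seed=1):
    """Estimate log2 of how many 8-symbol strings the legacy rules accept.

    Monte Carlo: draw uniformly from ALPHABET, count acceptances, and scale the
    nominal 8 * log2(65) bits by the accepted fraction. Seeded so runs repeat.
    """
    rng = random.Random(seed)
    accepted = sum(
        passes_legacy_policy("".join(rng.choice(ALPHABET) for _ in range(8)))
        for _ in range(samples))
    nominal_bits = 8 * math.log2(len(ALPHABET))
    return nominal_bits + math.log2(accepted / samples)


def passphrase_bits(words, dictionary_size):
    """Entropy in bits of `words` words drawn uniformly and independently from a
    list of `dictionary_size` words (7776 for a standard Diceware list)."""
    return words * math.log2(dictionary_size)


# Constructed blocklist standing in for a real compromised-password list.
COMMON_PASSWORDS = {"password", "12345678", "qwerty123", "letmein1"}


def passes_modern_policy(pw, blocklist=COMMON_PASSWORDS):
    """Length-and-blocklist check in the spirit of SP 800-63B: at least 8
    characters, at least 64 accepted, spaces allowed, no composition rules,
    and rejection of passwords known to be common or compromised."""
    if not 8 <= len(pw) <= 64:
        return False
    return pw.lower() not in blocklist


if __name__ == "__main__":
    nominal = 8 * math.log2(len(ALPHABET))
    print(f"legacy rules: about {legacy_effective_bits():.1f} bits of {nominal:.1f} nominal")
    print(f"4 Diceware words: {passphrase_bits(4, 7776):.1f} bits")
    phrase = "puppies running on the beach"
    print("legacy accepts phrase:", passes_legacy_policy(phrase))   # False
    print("modern accepts phrase:", passes_modern_policy(phrase))   # True
```

Two things worth noticing when you run it. First, the legacy rules do not add strength: every rule removes candidates from the 65^8 space, so the effective keyspace comes out several bits below the nominal 48 bits, and that is before accounting for the fact that people forced through such rules pick predictable patterns rather than uniformly random strings. Second, four words from a 7776-word list give about 51.7 bits with nothing to memorise but four words, and the modern check accepts the column’s “puppies running on the beach” while the legacy check cannot (wrong length, spaces not permitted). The entropy figures assume uniformly random choice; human-chosen passwords under either policy will be weaker, and a real deployment should replace the constructed blocklist with a maintained compromised-password list.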

Oh, and there’s one more thing: you know that requirement to change your password every 30/60/90 days? Yup, it’s wrong too.

So, to all of you who knew in your gut that there had to be a better way, you were right.
