Passwords need Caps, Special Characters, and Numbers. Wrong! According to NIST these are the strongest (and easiest to recall) passwords.

Everything We’ve Been Told About Passwords Is Wrong (According To The Person Who First Told Us)

Passwords need Caps, Special Characters, and Numbers. Wrong! According to NIST these are the strongest (and easiest to recall) passwords.

Staff Writer

There are times when you just know something is not right, but convincing the rest of the world can take some time. For example, the innovation–ahem, insanity–that has become the norm for password conventions.

I’ve often wondered if the people who come up with the ridiculous lists of password requirements are trying to exact vengeance on the world for some horrible childhood trauma they suffered.

Here’s a magnificent example of one of those lists, taken directly off of the Attorney General of Texas Child Support site (No, I’m not paying child support in Texas.)

1. The password must be exactly 8 characters long.

2. It must contain at least one letter, one number, and one of the following special characters.

3. The only special characters allowed are: @ # $

4. A special character must not be located in the first or last position.

5. Two of the same characters sitting next to each other are considered to be a “set.” No “sets” are allowed. Example: rr, tt

6. Avoid using names, such as your name, user ID, or the name of your company or employer.

7. Other words that cannot be used are Texas, child, and the months of the year.

8. A new password cannot be too similar to the previous password.

9. Example: previous password – abc#1234; unacceptable new password – acb$1243

10. Characters in the first, second, and third positions cannot be identical. (abc*****)

11. Characters in the second, third, and fourth positions cannot be identical. (*bc#****)

12. Characters in the sixth, seventh, and eighth positions cannot be identical. (*****234)

13. The previous 8 passwords cannot be reused.

For those of you who, like me, have been driven b*t$h1t crazy by password requirements, such as these, I’ve got great news. You’ve been vindicated! According to an article in the Wall Street Journal Bill Burr at the National Institute of Standards, who in 2003 originally made the recommendation on which much of this is based, told the Journal, “Much of what I did I now regret.”

After years of cursing at the cyber lords it would be nice to have someone to blame. However, it really wasn’t Burr’s fault. According to how Burr recounts it in the article, at the time there wasn’t much, if anything, for him to go on. In fact the computer administrators at NIST pretty much shut him down cold when he asked to see their passwords so he could get some idea of what they were using.

Without any data about the current state of affairs Burr turned to a 1980 (yes, that’s not only pre Internet but pre-PC) white paper which he used to come up with his recommendations.

Burr’s suggested password requirements, which included the use of capitals, numbers, and special characters, soon found their way into every nook and cranny of the Internet. And you and I have since cursed the insanity of it all on a daily basis.

NIST has rewritten the recommendations with a startling and very human-centric finding; the best password is a long memorable phrase of three words or more. For example, “puppies running on the beach.” Now, seriously, how could you ever forget that?

As it turns out, according to a a comic referenced in the article, a 44 letter lower case phrase of four words takes five millennia to crack versus only three days for a 28 character random string of letters, numbers, and special characters–never mind that you need a photographic memory to remember the latter.

Oh, and there’s one more thing; you know that requirement to change your password every 30/60/90 days? Yup, it’s wrong too.

So, to all of you who knew in your gut that there had to be a better way, you were right.

Like this column? Sign up to subscribe to email alerts and you’ll never miss a post.
The opinions expressed here by columnists are their own, not those of

Read Next


Google Wanted to Know What What Makes a Manager Great, so It Conducted a Study. Here Are the Results

20 years ago, you probably would've laughed if someone said your life would one day be irrevocably changed by a company called Google. What's a google?But, as you know, Google's become the largest entity in one of... (contd.)

Your Guide to Innovating Like Amazon: Focus on Inspiring People

Innovation is imperative for long-term success, but most companies struggle to maintain an innovative approach over the long haul.Innovation ultimately is driven by the individual people inside the organization, and it requires personal investment. If... (contd.)

How to Hook Your Audience Within the First 60 Seconds

How you open and close your presentation decides everything.Nothing matters more for effectiveness.The internet is full of great ideas for how to open and how to close speeches. You'll be ahead of most speakers if you... (contd.)

Why Investing in Gender Equality is Crucial for Your Business’s Future

We just saw another International Women's Day come and go, and the interest in this 100-year-old holiday is greater than ever. For proof, just look to Google's Think with Google blog. According to Google's... (contd.)

3 Valuable Business Lessons You Can Learn From a Bicycle

I actually cannot recall where I first heard this, but it was many years ago, and it has stuck with me ever since. The story was that a student came to school on his... (contd.)
- Advertisement -
Join Our Daily Newsletter
Sign up to get all the business news and intelligence that matters straight to your mailbox.
Join Our Newsletter !
Like This Article? Subscribe To Our Newsletter To Receive More Of Them Straight In Your Inbox
Contact Us.
Your Name
Thank you for your interest in Inc. Arabia. Please leave your contact details below, and we'll be in touch with you very soon.
Like This Article? Subscribe To Our Newsletter To Receive More Of Them Straight In Your Inbox