Turns out everything we know about what makes a strong password is wrong.
Rather, most of the standards we use to determine the strength of a password are wrong, according to Bill Burr, the man responsible for originally publishing the standards. Burr, a former employee of the National Institute of Standards and Technology (NIST) said that many of the password rules he came up with were not actually that helpful. For example, the requirement of using a letter, a number, an uppercase, and a special character is not useful, and neither is the recommendation of changing your password every 90 days.
So what is taking the place of those oddly charactered passwords? The recommendation of the NIST is “Long easy-to-remember phrases”. A password that contains four random words, strung together without spaces, would be easier to remember and harder to crack than a single word with some letters replaced with numbers, for example. Additionally, it is also now recommended that users only change their password if a breach has been suspected or confirmed.
Businesses should heed the new standards, using them to inform their corporate password policies. This is especially critical, given that nearly 20% of passwords used by business professionals for corporate accounts are “easily compromised,” according to a report from security firm Preempt.
From techrepublic.com with changes.