A security analyst working for the National Institute of Standards and Technology (NIST) provided guidance back in 2003 that was used as the basis for a lot of security policies. His guidance was that passwords should be complex (special characters, numbers, mix of upper/lower case, etc.) and changed frequently … you know, that thing people have been telling you to do for years now.
Turns out he was wrong.
He had no empirical data at the time to support that guidance. Now, almost 15 years later, the empirical data is showing that long passwords and phrases that are easy to remember are better. New guidance is also suggesting that you only change passwords if there is evidence that they’ve been compromised.
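To make the comparison concrete, here is a small added example (written for this post, not code from the author or from NIST) that estimates password strength under the two models and applies the newer-style rules: a length floor, no composition requirement, and screening against a list of known-compromised passwords, with rotation triggered only by evidence of compromise. The Diceware list size (7776 words), the 12-character floor (the author's own rule, above; SP 800-63B itself sets a minimum of 8 for user-chosen passwords) and the tiny compromised-password list are assumptions or constructed sample data, not values from the post.

```python
import math

# Constructed sample of known-compromised passwords. In practice this would be
# a breach corpus (e.g. a local copy of a pwned-password hash list), not a set.
COMPROMISED = {"password", "p@ssw0rd!", "summer2017!", "letmein", "qwerty123"}

# Character classes counted for the brute-force model.
SYMBOLS = 33  # printable ASCII that is neither a letter nor a digit (incl. space)


def charset_size(pw: str) -> int:
    """Size of the alphabet an attacker must cover if they only know which
    character classes appear in the password."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += SYMBOLS
    return size


def brute_force_bits(pw: str) -> float:
    """Upper bound on strength: bits needed to enumerate every string of this
    length over the classes used. This is the number the old 'complexity'
    rules implicitly optimise, and it overstates real strength whenever the
    password is a known word, a pattern, or on a breach list."""
    return len(pw) * math.log2(charset_size(pw))


def passphrase_bits(words: int, wordlist_size: int = 7776) -> float:
    """Realistic estimate for a passphrase whose words are drawn uniformly from
    a public list: the attacker guesses whole words, not characters, so each
    word contributes log2(list size) bits (~12.9 bits for a 7776-word list)."""
    return words * math.log2(wordlist_size)


def check_password(pw: str, min_len: int = 12, compromised=COMPROMISED):
    """Newer-style policy: a length floor and a compromised-list screen, but
    no requirement for digits, symbols or mixed case.

    Returns (ok, reasons). min_len=12 follows the author's personal rule."""
    reasons = []
    if len(pw) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    # Screen case-insensitively: "P@ssw0rd!" is still "p@ssw0rd!" to an attacker.
    if pw.lower() in compromised:
        reasons.append("appears in a known-compromised password list")
    return (not reasons, reasons)


def rotation_required(compromise_evidence: bool) -> bool:
    """Under the newer guidance the calendar never forces a change; only
    evidence of compromise does."""
    return compromise_evidence


if __name__ == "__main__":
    # A 'complex' 9-character password versus a 4-word passphrase.
    complex_pw = "P@ssw0rd!"
    phrase = "correct horse battery staple"
    print(f"{complex_pw!r}: brute-force bound {brute_force_bits(complex_pw):.1f} bits,"
          f" policy -> {check_password(complex_pw)}")
    print(f"{phrase!r}: 4 Diceware words ~ {passphrase_bits(4):.1f} bits,"
          f" policy -> {check_password(phrase)}")
    print("rotate on schedule alone?", rotation_required(False))
    print("rotate after breach notice?", rotation_required(True))
```

The output makes the post's point: the complex-looking password scores a respectable brute-force bound yet fails the policy outright because it is on the compromised list, while the plain four-word passphrase scores about the same under the honest word-guessing model, passes the policy, and is far easier to remember; adding a fifth or sixth word adds roughly 13 bits each.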
If you’ve ever spoken to me about passwords, I’ve always suggested a mixture of the two schools of thought. I use a quote or phrase to create a complex password (at least 12 characters long). I change that password once per year (or more frequently if there is evidence of compromise). For about 90% of the sites I use, I don’t even know the password because I use a password manager (LastPass is my choice) and Multifactor authentication for ALL THE THINGS (Authy is my choice).
I’ll write up some details on how I do things … but for now I just wanted to pass along this little tidbit of information about the new guidance from NIST.