In the ever-changing world of technology, the US National Institute of Standards and Technology (NIST) now emphasises password length over forced complexity: long passphrases are encouraged, and the older advice to build short passwords out of random characters, mixed case, digits and symbols is no longer the recommendation. Here is what that looks like in practice:
A passphrase is similar to a password, but is longer, and the length is where the added security comes from. The often-quoted comparison (it comes from xkcd #936) is that a passphrase of four common words such as “correcthorsebatterystaple” (about 44 bits of entropy) would take an attacker making 1,000 guesses per second roughly 550 years to exhaust, while a short word dressed up with substitutions, “Tr0ub4dor&3” (about 28 bits), falls in about three days. Two caveats belong with those numbers. First, the weak side of that comparison is a short, predictable password, not a genuinely random string: eleven truly random printable characters carry over 70 bits and beat the four-word phrase. Second, 1,000 guesses per second is an online, rate-limited figure; an offline attack on a leaked database of fast hashes can run billions of guesses per second, at which point 44 bits lasts minutes rather than centuries. The lesson stands either way: a short password, however clever, is easily defeated by brute force, and four words is a floor, not a ceiling.
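The arithmetic behind those figures, as an added example (not from the original article): entropy of a passphrase versus a random string, and how long a given guess rate needs to exhaust the space. The wordlist sizes (2,048 for the xkcd figure, 7,776 for the EFF diceware list), the 1,000 guesses-per-second online rate and the 10 billion guesses-per-second offline rate are assumptions chosen to reproduce the numbers above; the tiny embedded wordlist is constructed only so the generator runs offline.

```python
import math
import secrets

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed, deliberately tiny wordlist so the generator runs offline.
# A real passphrase must draw from a large list (e.g. the 7,776-word EFF list).
SAMPLE_WORDS = [
    "correct", "horse", "battery", "staple", "copper", "window",
    "silent", "orbit", "maple", "lantern", "gravel", "tundra",
    "velvet", "anchor", "pepper", "quartz",
]


def passphrase_entropy_bits(num_words: int, wordlist_size: int) -> float:
    """Entropy of num_words words chosen uniformly at random from a wordlist."""
    return num_words * math.log2(wordlist_size)


def random_string_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of `length` characters chosen uniformly from an alphabet."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(entropy_bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate; the expected time is half of this."""
    return 2 ** entropy_bits / guesses_per_second


def years_to_exhaust(entropy_bits: float, guesses_per_second: float) -> float:
    return seconds_to_exhaust(entropy_bits, guesses_per_second) / SECONDS_PER_YEAR


def generate_passphrase(wordlist, num_words: int = 4, sep: str = " ") -> str:
    """Pick words with the `secrets` CSPRNG (never `random`) so the entropy math holds."""
    return sep.join(secrets.choice(wordlist) for _ in range(num_words))


def scenarios() -> dict:
    """Reproduces the figures quoted in the text and adds the two caveats."""
    online = 1_000             # assumed: guesses/s against a rate-limited live login
    offline = 10_000_000_000   # assumed: guesses/s against leaked fast, unsalted hashes
    return {
        "4 words from 2048-word list, online, years": years_to_exhaust(passphrase_entropy_bits(4, 2048), online),
        "Tr0ub4dor&3 (~28 bits), online, days": seconds_to_exhaust(28, online) / 86400,
        "11 random printable chars, bits": random_string_entropy_bits(11, 95),
        "4 words from 2048-word list, offline, minutes": seconds_to_exhaust(44, offline) / 60,
        "6 words from 7776-word EFF list, bits": passphrase_entropy_bits(6, 7776),
    }


if __name__ == "__main__":
    for label, value in scenarios().items():
        print(f"{label}: {value:,.2f}")
    print("example passphrase (toy list, NOT for real use):", generate_passphrase(SAMPLE_WORDS, 4))
```

Run it and the four-word / 2,048-word case comes out at about 557 years online but under half an hour offline, which is why the phrase should be long and the service should store it with a slow, salted hash.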
NIST guidelines no longer suggest that passwords be changed on a schedule. Most people respond to forced rotation with a small alteration to their existing password, which is easy for an attacker who knows the old one to guess, and the more often people are asked to change, the weaker the passwords they tend to choose. Changing a password is now reserved for cases where there is reason to believe it has been compromised.
Here are some additional “dos” and “don’ts” that can help you choose passwords that maintain the security of your personal data.
Don’t “recycle” a password. People often use the same password on many sites, so a breach at any one of them puts your other accounts at risk: attackers routinely try leaked username and password pairs against other services (credential stuffing). Use a unique password for each account; a password manager makes that practical.
Don’t use personal information (your name, birthday, Social Security number, pet’s name, etc.), predictable patterns such as sequential or repeated characters (“123456”, “abcdef”, “aaaaaa”), a dictionary word on its own, or “popular” passwords that appear on every attacker’s wordlist.
Do change your password promptly if you believe it has been stolen or exposed in a breach.
Don’t share your passwords with others. One study found that more than one-third (36%) of people in the United States who share passwords have shared the password to their banking account.
Do enable two-factor authentication (when available) for your online accounts. Typically, after entering your password you are asked for a second, short-lived code, generated by an authenticator app on your phone or sent to you by text message, and you cannot access the account without both. An authenticator app or a hardware security key is preferable to codes sent by SMS, which can be intercepted or redirected by SIM swapping; NIST now classifies SMS delivery as a restricted authenticator. Twofactorauth.org has an extensive list of sites and information about whether and how they support two-factor authentication.
Do be cautious when choosing the security questions and answers that a site will use to authenticate you if you forget your password. Don’t pick a question that others can answer: a pet’s name, a mother’s maiden name or where you went to high school can often be found through social networking or a few minutes of research. Treat the answers as additional passwords: nothing requires them to be truthful, and a random answer stored in a password manager cannot be researched.