Why your passwords may not need to be so complicated

How many of your online passwords include uppercase and lowercase letters, numbers, and special characters? It’s probably because of a document from 2003 that you’ve never heard of.

The author of the U.S. Department of Commerce National Institute of Standards and Technology’s NIST Special Publication 800-63. Appendix A tells The Wall Street Journal he made a mistake 14 years ago when he recommended a secure password include a complex formula and get updated often.

The 2017 version of that NIST publication explains that password complexity not only makes it harder for people to memorize their passwords but also wasn’t necessarily making them more secure. In addition, it says that passwords only need to be updated when there’s been a breach, like when you hear hackers hit your bank or favorite online shop.

What makes a password more secure?

Forget capitalization, numbers, and characters. Use a long string of random words you can remember. The updated NIST publication says password length is usually the main factor for password strength, because short passwords are more susceptible to being cracked. So, applepoetrysaute is stronger than P@ssw0rd1!–and surprisingly easier to remember.

About Texas Association of REALTORS®

The voice for Texas real estate
This entry was posted in Business tips and tagged , , , . Bookmark the permalink.

7 Responses to Why your passwords may not need to be so complicated

  1. Karl Kluthe says:



  2. Al Cannistra says:

    Yeap – with a twist… have multiple passwords – never the same one every where. Figure out a way to use slight variations to make it easy on yourself. Someone I know has been using the same passwords since the 90’s.


  3. Rick DeVoss says:

    Why doesn’t someone send this message to the Board of Realtors who seem to be so worried about MLS passwords…? ~I’d be willing to bet that changing my password every few months has never kept anyone from getting into the system if they wanted to. It is simply a burden for agents, the majority of whom are senior citizens and can’t remember what we had for dinner last night, let alone a new password.


  4. Pat Wimberly says:

    How I wish more IT professionals, and even formal security audits, realized this! PurpleMonkeyDishwasher (example only) is far more secure, and easier for me to remember, than Password1, Qwerty1, Kid’s / Spouse’s / Pet’s name1 (all numerically incremented with each predictably timed and required Password change).

    These examples are from the standard list of overused passwords that is published every year, yet many people still use these due to business requirements and IT policies, wwhich should no longer be applicable in modern use. Often policies change more slowly than Technology. My hope is that more IT staff members around the country are paying attention to this and will push the change, as best possible, to make life easier on all and more secure.

    Alternately, a good strong Password Manager program (ex. Dashlane / LastPass / etc. ) can often make life easier and secure when an organization’s policies require the more convoluted approach due to specialized business requirements. If you are stuck in this situation, give one of the secure password manager programs a try. They can make life easier.


  5. Soapy Sudbury says:

    Unfortunately, certain websites require you to use lower case, upper case, numbers and symbols, so you have to use what they want, rather than what you can remember. I try to use one long nonsensical password for all my financial accounts and another for sites that are not financial in nature, but this is not acceptable to different websites. As a result, I have to change passwords often as I cannot remember what that particular site requires. Some sites even limit passwords to 12 characters. I don’t like storing all my passwords either to a site or in a manual notebook. Can’t win for losing. As a result, on infrequently visited websites, I try once, then request a new password to see what their site requires and then I can remember what I used before without having to actually change passwords.


    • Rick DeVoss says:

      On many sites, when you say you can’t remember your password, they automatically force you to change it and create a new one. ~Now you have another password that you can’t remember!
      All I wanted to do was to retrieve the old password, and continue using it. Obviously, I am the only one who “forgot” it, so I should be allowed to continue using it if I choose to.
      But this blog will have no effect on what other web sites do with their passwords. The message needs to go to the Boards of Realtors in the state, and tell the MLS director to stop forcing us to change the password every few months. ~If the system is not broke, stop trying to “fix” it.
      I dislike having to “write down” my passwords, and don’t trust entering them into the computer. I mean, if some geek can hack into my password in the first place, then he sure as heck is smart enough to know how to hack into my computer and get ALL of my passwords!
      A reminder: We all take it for granted that using “passwords” is no big deal, and they have become a part of our lives. Maybe it won’t matter for some accounts and some web sites, but have you thought of what your surviving partner or spouse will do after you die? ~If you have not left them your passwords, they will have no way of getting into your email accounts, bank accounts, or other information that may be important. Assuming you want someone to have access to things after you’ve passed on, it might be a good idea to leave some notes in a safe deposit box with final instructions in it.


  6. Per my Tech Coach: “this is a relevant topic, but needs to be considered in context. Passwords can’t be too long. A lot of websites only allow passwords to a certain size and criteria i.e. capital letters, numbers, etc. Most haven’t changed to the new criteria yet.

    Keeping the format you have for the time being is still your best bet. There are a lot of other things which go into why keeping the format you have now is best.”


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s