What NIST Suggests Instead of Passwords

It's time to switch from passwords to passphrases, according to the National Institute of Standards and Technology.

In the wake of numerous high-profile hacks, the government agency recently released a guide to creating much stronger passwords. Their main advice? Just one word won't cut it anymore. Instead, a lengthy phrase or sentence is much more likely to stop a hacker in their tracks.

When users are limited to a certain number of characters but saddled with many requirements to include unusual characters, the result is passwords that are hard to remember but easy to crack.

And when every account demands one of these difficult-to-remember passwords, users are more likely to get lazy and reuse passwords, which is one of the worst things you can do for your personal security.

Image: Randall Munroe, xkcd.com, CC 2.5

So instead, users should create a passphrase. To do that, they should tap into what human memory is already good at: remembering things by association. But a passphrase should not be guessable through social engineering or a quick web search, so don't just string together the names of your three kids.

"Instead, passphrases should be words that can go together in your head, but no one else would ever suspect," said Mike Garcia, director of NIST's Trusted Identities Group. "An example from my kitchen: 'blender vent sauté pendant red chair.' These words all make sense, and they aren't even all things. Verbs work just as well."
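To put numbers on the length-versus-complexity argument above, here is an added example (not from the article or NIST) that compares the search space of a short symbol-heavy password with that of a multi-word passphrase, and generates a passphrase with a cryptographically secure random choice. It assumes a 95-character printable ASCII set and a 7776-word diceware-style list; the small word list embedded here is constructed for the demo. The entropy figures assume words are picked uniformly at random, so a phrase chosen by personal association, like the kitchen example, gets at most this much and usually less.

```python
import math
import secrets

# Constructed demo word list; a real generator would draw from a large
# published list (assumption: a 7776-word diceware-style list).
WORDS = ("blender", "vent", "pendant", "chair", "kettle", "mirror", "garden",
         "pillow", "ladder", "copper", "violin", "harbor", "meadow", "canvas",
         "saddle", "lantern")

SECONDS_PER_YEAR = 365 * 24 * 3600


def entropy_bits(symbols, alphabet_size):
    """Bits of entropy for `symbols` uniform choices from an alphabet.

    Works for characters (alphabet = character set size) and for words
    (alphabet = word-list size), which is exactly the comparison at issue.
    """
    return symbols * math.log2(alphabet_size)


def years_to_exhaust(bits, guesses_per_second):
    """Years needed to try every candidate at a given offline guess rate."""
    return 2.0 ** bits / guesses_per_second / SECONDS_PER_YEAR


def compare(password_len, charset_size, word_count, list_size):
    """Return (password_bits, passphrase_bits, how many times larger the
    passphrase search space is)."""
    pw_bits = entropy_bits(password_len, charset_size)
    pp_bits = entropy_bits(word_count, list_size)
    return pw_bits, pp_bits, 2.0 ** (pp_bits - pw_bits)


def generate_passphrase(word_count, words=WORDS):
    """Pick words with the `secrets` module, never `random`, so the
    entropy estimate above actually holds for the generated phrase."""
    return " ".join(secrets.choice(words) for _ in range(word_count))


if __name__ == "__main__":
    # 8 printable-ASCII characters with complexity rules vs. 6 random words.
    pw, pp, ratio = compare(8, 95, 6, 7776)
    rate = 1e10  # assumed offline guess rate for a fast hash
    print(f"8-char complex password: {pw:.1f} bits, "
          f"{years_to_exhaust(pw, rate):.2f} years to exhaust")
    print(f"6-word passphrase:       {pp:.1f} bits, "
          f"{years_to_exhaust(pp, rate):.0f} years to exhaust")
    print(f"passphrase space is {ratio:.0f}x larger")
    print("sample:", generate_passphrase(6))
```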

A passphrase alone won't suffice, however. Passphrases are much harder to crack, but still not impenetrable. Users should turn on two-factor authentication wherever possible, and especially for email accounts and any banking or financial accounts.