Everything we know about what makes a strong password is wrong. Rather, most of the standards we use to determine the strength of a password are wrong, according to Bill Burr, the man responsible for originally publishing the standards.

The insights came in a Monday interview with Burr, a former employee of the National Institute of Standards and Technology (NIST), conducted by the Wall Street Journal. Burr said that many of the password rules he came up with weren’t actually that helpful. For example, the requirement of using a letter, a number, an uppercase, and a special character isn’t useful, and neither is the recommendation of changing your password every 90 days.

According to the Wall Street Journal report, Burr was the author of NIST Special Publication 800-63, Appendix A, the document that first suggested these guidelines. The issue is that the standards he outlined, as noted, weren’t especially helpful.


“Much of what I did I now regret,” Burr told the Wall Street Journal.

The reason this is coming to light now, the report noted, is that the document recently got a rewrite this summer, eliminating the special character requirement and 90-day policy.

So, what is taking the place of those passwords stuffed with odd characters? “Long easy-to-remember phrases,” the report said, at NIST’s recommendation. A password made of four random words, strung together without spaces, would be easier to remember and harder to crack than a single word with some letters replaced by numbers, for example.

It is also now recommended that users be required to change their password only if a breach has been suspected or confirmed.
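To make the guidance above concrete, here is an added Python example (it is not code from the article, from NIST, or from the Wall Street Journal). It generates a four-random-word passphrase with a cryptographically secure picker, estimates why four random words beat one substituted word, and places the old composition-rule check beside a length-plus-breached-list check with no calendar expiry. The word list, the breached-password set, the 8-character minimum and the 90-day figure used for the old policy are constructed for illustration; a real deployment would use a large published word list and a large corpus of breached passwords.

```python
import math
import secrets
import string

# Constructed sample word list for illustration only. A real generator would use a
# large published list (for example a 7776-word diceware list); entropy scales with size.
SAMPLE_WORDS = [
    "anchor", "basket", "candle", "desert", "engine", "forest", "garden", "harbor",
    "island", "jacket", "kettle", "ladder", "marble", "needle", "orbit", "pepper",
    "quartz", "rocket", "saddle", "timber", "umpire", "velvet", "walnut", "yonder",
]

# Constructed stand-in for a breached-password list (assumed shape: a set of strings).
BREACHED = {"password", "123456", "P@ssw0rd1", "Summer2017!", "Welcome1!"}


def generate_words(count=4, wordlist=SAMPLE_WORDS):
    """Pick `count` words uniformly at random with a CSPRNG (secrets, not random)."""
    return [secrets.choice(wordlist) for _ in range(count)]


def passphrase(count=4, wordlist=SAMPLE_WORDS):
    """Four random words strung together without spaces, as the article describes."""
    return "".join(generate_words(count, wordlist))


def passphrase_entropy_bits(count, list_size):
    """Entropy of `count` independent uniform picks from a list of `list_size` words."""
    return count * math.log2(list_size)


def substituted_word_entropy_bits(dict_size, variants_per_word):
    """Rough entropy of one dictionary word with a few letter-for-number swaps:
    the guessing space is about dict_size * variants_per_word candidates."""
    return math.log2(dict_size * variants_per_word)


def old_policy_ok(pw):
    """The composition rule the article says is not helpful: at least 8 characters,
    one uppercase letter, one digit and one special character."""
    return (
        len(pw) >= 8
        and any(c.isupper() for c in pw)
        and any(c.isdigit() for c in pw)
        and any(c in string.punctuation for c in pw)
    )


def new_policy_ok(pw, min_len=8, breached=BREACHED):
    """Length plus a breached-list check and no composition rules (assumed policy)."""
    return len(pw) >= min_len and pw not in breached


def old_rotation_required(days_since_change, breach_suspected=False):
    """Old rule: rotate on a 90-day calendar, or on a suspected breach."""
    return days_since_change >= 90 or breach_suspected


def new_rotation_required(days_since_change, breach_suspected=False):
    """New rule: calendar age alone never forces a change; only a breach does."""
    return breach_suspected


if __name__ == "__main__":
    print("generated passphrase:", passphrase())
    print("4 words from 7776: %.1f bits" % passphrase_entropy_bits(4, 7776))
    print("1 word from 100000 with 16 swap variants: %.1f bits"
          % substituted_word_entropy_bits(100000, 16))
    for pw in ("P@ssw0rd1", "correcthorsebatterystaple"):
        print(pw, "old:", old_policy_ok(pw), "new:", new_policy_ok(pw))
```

Note that "P@ssw0rd1" satisfies every composition rule yet is rejected by the breached-list check, while a long all-lowercase phrase fails the composition rule but passes the new check; that reversal is the point of the change. A production check would compare against a far larger breached corpus and would keep the minimum length rather than the character-class rules.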

Businesses should heed the new standards, using them to inform their corporate password policies. This is especially critical, given that nearly 20% of passwords used by business professionals for corporate accounts are “easily compromised,” according to a report from security firm Preempt.


What are your thoughts?

What do you think of the new NIST password standards? Are you planning on changing your company password policy? Let us know in the comments or on Twitter.

The 3 big takeaways for TechRepublic readers

  1. Common password rules, like using a special character or changing them every 90 days, are not helpful, the creator of these standards told the Wall Street Journal this week.
  2. Users should build passwords with four random words strung together, instead of a single word with random numbers and characters.
  3. Businesses should use the new NIST standards to inform their corporate password policies and educate their employees.