Pagoda Blog

New Password Guidelines Call for Simple, Memorable Phrases

September 21, 2017

According to the National Institute of Standards and Technology, their official guidelines for creating secure passwords were, in a word, wrong. All those random numbers, letters, and characters are not so hard to crack after all. In an interview with The Wall Street Journal, former National Institute of Standards and Technology manager Bill Burr admitted, “Much of what I did I now regret.”


When Burr wrote the complicated guidelines that should have resulted in the creation of secure passwords, he didn’t take into account one thing: human nature. We humans tend to look for the path of least resistance. We look for shortcuts, so even though we were technically following Burr’s carefully crafted rules, most of us used the same techniques to create our ‘random’ passwords, and hackers figured those techniques out.


For example, the rules told us to use irregular capitalization, special characters, and at least one numeral. While this should create a random password in theory, most of us took these rules and applied it to short English words. When you take a short word, change a few of the letters to characters and then add another character to the end, like an exclamation point, it becomes relatively easy to crack.     


Related post: The Enigma Machine: A Window into the History of Encryption


Instead of creating secure, unique passwords for each of our online accounts, research conducted in 2016 found that millennials had only five distinct passwords for an average of 40 services, and all were registered to a single email account.


"The traditional guidance is actually producing passwords that are easy for bad guys and hard for legitimate users," explains Paul Grassi, senior standards and technology adviser at NIST, in an article for NPR.


So how do you create a password that’s easy for the user and leaves cyber criminals scratching their heads?


Make it memorable

The new guidelines recommend simple, memorable passwords, but they have to be long. Phrases are great and so are typical English words and lowercase letters. These simple guidelines rely on the idea that by encouraging people to use a phrase that’s memorable, they will create longer passwords. Cartoonist Randall Munroe created the popular xkcd comic back in 2011 that clearly illustrates (and mathematically proves) this somewhat counterintuitive approach to passwords.


Leave out the numbers and special characters

It’s no longer required to include numerals, lowercase letters, uppercase letters, and a certain number of special characters in your password. According to data from high traffic sites liked LinkedIn, Yahoo!, and RockYou, most of us follow very predictable patterns when creating our passwords. Here’s a list of common practices from The Telos Corporation that demonstrate why the previous overly complex rules led to weak passwords:

  • Most use lower-case letters
  • 70% use only eight characters
  • A good percentage use simple sequential or patterned numbers of the “123456” variety
  • Many use first names and append a four-digit year to the end
  • A lot use keyboard or keypad patterns of the “qwerty” and “2580” variety
  • Numerous substitute symbols or digits for similar-looking letters (e.g., “$” for “s”, “0” for “o”, “4” for “A”, “3” for “E”)
  • Nearly all capital letters are used at the beginning
  • Almost all digits or symbols are tagged on at the end
  • Some use mirror words (appending the same word typed backwards after the initial word).


Don’t bother changing it

The old guidelines recommended changing passwords every few months but research shows that most users simply change one or two characters. Not surprisingly, hackers have figured this out and use this knowledge to predict your new password. If you create a long, hard-to-crack password in the first place, there’s no need to change your password every 90 days, as the old guidelines suggested. 


What about password manager apps?

Password manager apps that generate random passwords are still a secure option but they aren’t absolutely necessary. By following the new guidelines, you can create your own memorable passwords, eliminating the need for software that creates and/or stores them for you. Even if you do still use these apps (which we do recommend if you need to remember multiple passwords), it’s strongly encouraged that your master password is a long, memorable phrase versus a random combination of letters, numbers, and characters. 


Leave random passwords to the robots

The bottom line is that humans have a hard time creating truly random passwords. And we’re terrible at remembering them. The new guidelines fortunately play to our strengths rather than our weaknesses. Here’s a couple tips to keep in mind if you’re going to change your password to a passphrase:


How to create a strong passphrase

1.  Use 15 or more characters

The longer your passphrase, the longer it will take a hacker to crack. Hopefully they won’t ever figure it out!



2.  Make it uniquely personal

When coming up with a long passphrase, it’s important to use something personal so that you can easily remember it. Don’t choose a common phrase, however, that a hacker could easily guess based on your Facebook likes, Google searches, and tweets. For example, if your favorite T.V. movie is Star Wars, the passphrase ‘May the Force be With You’ is about as easy to crack as ‘P@s$w0rd!.’ Try to come up with something that only your would think of, like, ‘R2-D2’s holographic projector.’ You can apply the same concept to your favorite book, song, or animal. Get creative!  


If you have any questions about creating new passwords based on the updated guidelines, please send us an email to or give us a call at 831-419-8000.

Featured image by Blue Coat Photos, CC BY 2.0 via flickr.   


Want to get more posts like these once a month in your inbox? Sign up for the Pagoda newsletter and learn how to protect and grow your business with monthly IT tips from our experts. Subscribe today.


Need ongoing IT support for your business? Contact us for a free consultation. We’d love to work with you!



About Pagoda Technologies IT services

Based in Santa Cruz, California, Pagoda Technologies provides trusted IT support to businesses and IT departments throughout Silicon Valley, the San Francisco Bay Area and across the globe. To learn how Pagoda Technologies can help your business, email us at to schedule a complimentary IT consultation.

Return to Pagoda Blog Main Page

As your trusted IT service partner, Pagoda Technologies is here to help you achieve your near and long-term business goals through reliable and affordable IT support. 

Pagoda Technologies

101 Cooper Street

Santa Cruz, CA 95060


Contact us for a free IT consultation



Get in touch 

Join our newsletter

Want IT to serve you better? 




Follow Us

Facebook LinkedIn LinkedIn