The Newest Way to Beat the Password Paradox

It’s time to refresh your sense of what makes a password safe. Some of the old standards for passwords are changing, and rules you have been following for years may not be keeping your accounts secure any more. Learn the new password rules now, before the hackers break in.

Do all of your passwords contain special numbers and characters? Do you change them every 90 days? Chances are you’ve been following this password advice for many years—but it may not be keeping your accounts safe anymore.

In 2003, engineer Bill Burr authored what came to be known as the official guidance on password security published by the U.S. National Institute of Standards and Technology (NIST). In it, he suggested that users strengthen passwords by incorporating uppercase letters, numbers, and characters. Burr also recommended changing passwords frequently.

Quickly, Burr’s recommendations became the gold standard on password security. But now Bill Burr regrets the password advice in his original guide. In a recent interview with the Wall Street Journal, Burr acknowledged that his suggestions may actually have led people to use less secure passwords.

Asking people to change a password every 90 days typically results in users making a minor change, such as adding a number to the end of the existing password. That change does little to increase password security. And all the characters, numbers, uppercase letters and lowercase letters make it harder for people to remember their passwords without offering much increase in security value. Once masses of people adopted this trend, the hackers caught on and they can now break these types of passwords in a couple of days.

So what can you do to create hard-to-hack but easy-to-remember passwords?

As we mention in Hack-Proof Your Life Now!, security experts and the NIST now say stringing five random words together is the best method for password creation. Believe it or not, the password “Twins July Motor Buckle Add” would most likely take longer to hack than the password “C0mpu+3r45.”

Why? For one, five-word passwords tend to be longer than our old passwords. Also, choosing five words tends to create more random passwords, which add security. Password strength is determined by a factor called entropy—the amount of randomness or uncertainty your password contains.

But to truly create a strong five-word password, you shouldn’t choose the words yourself. Studies have shown that even when we think we are choosing random words, we are strongly influenced by how often that word occurs in regular conversation, as well as grammatical rules.

Security experts recommend the Diceware method to create your strong passwords.

Here, you roll a die five times to create a random number. For example, say you roll a 2, 6, 3, 1, 1. Then you do that five more times so you have five five-digit numbers, such as:

Then use the 7,776-word Diceware list to match each 5-digit number to the corresponding word on the list. Using the numbers above, your password would be Frame Booth Orr Assort Cutlet—and leaving those spaces increases security.
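As an added illustration of the Diceware procedure above and of the entropy idea from the earlier paragraph (this is example code, not from the original article): each five-digit roll of a six-sided die selects one of the 6^5 = 7,776 list positions, a software die is provided by Python's `secrets` module, and the entropy of a five-word passphrase works out to about 64.6 bits. The word list here is a constructed placeholder standing in for the real Diceware list, and the base-6 indexing is my assumption about how to map a roll onto a list held as an array.

```python
import math
import secrets

DICE_SIDES = 6
ROLLS_PER_WORD = 5
LIST_SIZE = DICE_SIDES ** ROLLS_PER_WORD  # 7776 entries in a Diceware list

# Constructed placeholder list: position i holds the word "word<i>".
# A real deployment would load the published Diceware list instead.
WORDLIST = [f"word{i}" for i in range(LIST_SIZE)]


def roll_to_index(roll: str) -> int:
    """Map a five-digit dice string such as '26311' to a list index 0..7775.

    Each digit is one die (1-6); reading the digits as a base-6 number
    gives every possible roll its own unique position in the list.
    """
    if len(roll) != ROLLS_PER_WORD or any(c not in "123456" for c in roll):
        raise ValueError(f"bad dice roll {roll!r}: need {ROLLS_PER_WORD} digits in 1-6")
    index = 0
    for c in roll:
        index = index * DICE_SIDES + (int(c) - 1)
    return index


def index_to_roll(index: int) -> str:
    """Inverse of roll_to_index: recover the dice string for a list position."""
    if not 0 <= index < LIST_SIZE:
        raise ValueError(f"index {index} outside 0..{LIST_SIZE - 1}")
    digits = []
    for _ in range(ROLLS_PER_WORD):
        index, d = divmod(index, DICE_SIDES)
        digits.append(str(d + 1))
    return "".join(reversed(digits))


def random_roll() -> str:
    """Software equivalent of rolling a fair die five times (CSPRNG, not random.random)."""
    return "".join(str(secrets.randbelow(DICE_SIDES) + 1) for _ in range(ROLLS_PER_WORD))


def diceware_passphrase(words: int = 5, rolls=None, wordlist=WORDLIST) -> str:
    """Build a passphrase from given rolls, or from fresh random rolls when none are given.

    Words are joined with spaces, matching the article's advice to keep them.
    """
    rolls = rolls if rolls is not None else [random_roll() for _ in range(words)]
    return " ".join(wordlist[roll_to_index(r)] for r in rolls)


def passphrase_entropy_bits(words: int = 5, list_size: int = LIST_SIZE) -> float:
    """Entropy of a passphrase of uniformly chosen words: words * log2(list size)."""
    return words * math.log2(list_size)
```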

Now you may be thinking, “I won’t remember a bunch of random words strung together—especially for multiple passwords!” It’s nearly impossible to remember unique passwords for the ever-growing number of online accounts we accumulate.

That’s why you must also use a password manager. A password manager is a program that stores all of your usernames and passwords in an encrypted file on your computer and/or in “the cloud.” Your passwords are protected by one master password—the only one you need to remember.

Once you are signed into your manager with your master password, the program will autofill the username and password fields for any known website. If you visit a new site that is not yet stored, you can easily save your login credentials to your password vault. You can also easily update passwords in the manager, so you can update all of your passwords using the Diceware method.

Some people may question the security of password managers, but those fears are unfounded. Password managers use strong encryption to secure your password files. Your passwords are so secure that if you forget your master password, not even the company can retrieve your passwords. Password managers typically cost $10-$30 annually, and most allow you to access your manager and sync your passwords across your various devices, including your smartphone and tablet. Free versions exist, but typically those only work for one device and have limited features. There are many password managers to choose from, and it’s best to do some research to see which program best fits your needs. Some options you may consider are Dashlane, LastPass, 1Password, and KeePass.

The combination of the Diceware method and a password manager will significantly boost your account security across the Internet. Your multi-word passphrases would take millions of years for hackers to guess. And adding a password manager takes away the issue of having to remember these long passwords for your hundreds of accounts. Instead, enter your new passwords and protect them with one strong password—the only one you have to commit to memory.

© 2017 Horsesmouth, LLC. All Rights Reserved.

Dana Caro