The Evolution of Password Advice

Date: 03/17/2023

  • As technology changes and identity criminals adapt their methods, best practices, including password advice, change.
  • While short passwords with random letters and symbols were once considered a best practice, the Identity Theft Resource Center (ITRC) now recommends unique 12+ character passphrases for all accounts.
  • A passphrase should include a phrase unique to you, like a favorite song, cheer or school you attended.
  • Passphrases are also more secure. According to cybersecurity company Hive Systems, it takes an identity criminal 3K years to crack a 12-character passphrase with numbers, upper and lower case letters, and symbols.
  • It is still important to enable multi-factor authentication (MFA) with an app when possible and avoid any passphrase similarities between work and personal accounts.
  • If you have questions or believe you are the victim of an identity crime, contact the ITRC toll-free to speak with an expert advisor by calling 888.400.5530 or visiting idtheftcenter.org to live-chat.

Password security has been a hot topic for a long time. Passwords are the most commonly used tool to keep unauthorized individuals out of accounts and files. However, as technology changes and identity criminals adapt their methods to keep up, what was once considered best practices can change. That is why users need to keep up with the latest password advice. Today’s recommendations may evolve again in the near future, especially with the introduction of passkeys. Staying up-to-date with the latest best practices is critical to keeping your data safe.

New Password Advice

New password advice from top experts in cybersecurity updates how individuals should manage their password practices. For example, the term “password” fell out of favor with major corporations, like Microsoft, and law enforcement agencies, like the FBI, years ago. Instead, the more descriptive and more secure “passphrase” is recommended. Also, the once “golden rule” of changing passwords frequently – including routine forced resets – was updated to reflect why this is not necessarily the best security habit.

Use 12+ Character Unique Passphrases

First, a passphrase is simply a much longer secret than a traditional password. Studies have found that a password’s “guessability” by password-cracking software decreases exponentially with every additional character. The six-to-eight character guideline for passwords has been replaced with the recommendation of a 12+ character passphrase. A passphrase, unlike a single word or acronym, is a combination of words that mean something to you. Because it is easier to remember, it makes it more likely that you create a unique login for every account you own instead of reusing a single password on multiple accounts, which would put you at risk of a credential stuffing attack.

Examples and Benefits of Strong Passphrases

As mentioned above, a passphrase should be a phrase that is unique to you, making it easier to remember. For example, if you graduated from the University of Texas in 2015, one of your passphrases could be “H00kEmH0rns2015”. Passphrases are also harder for identity criminals to crack. According to cybersecurity company Hive Systems, it would take a criminal 46M years to crack the passphrase “H00kEmH0rns2015” since it is 15 characters and has numbers, as well as upper and lower case letters. Other strong passphrases could include the name of a favorite song, movie quote or book title, such as “2KillaMockingBird”.

You Don’t Have to Change a Passphrase Frequently

Replacing a password or passphrase routinely has also been shown to have a downside and is no longer good password advice. Users forced to change a password or passphrase may only alter one character. For example, passwords such as “doghouse1” become “doghouse2,” which makes it easier to guess. Using the Hive Systems chart mentioned above, it would only take an identity criminal seven hours to crack the passwords “doghouse1” or “doghouse2”.
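The “doghouse1” to “doghouse2” pattern above is exactly what a password-change policy should reject: a new passphrase that differs from the old one only by a digit, a case change or a character or two. The check below is an added example written for this post; it is not code from the ITRC or from Hive Systems. It compares the old and new secret case-insensitively, strips trailing digits so that incremented counters are caught, and applies an edit-distance threshold (the `MIN_DISTANCE` value is an assumed policy setting, not a standard). The same comparison can be used to flag a personal passphrase that is too close to a work one.

```python
"""Reject a new passphrase that is only a trivial edit of the old one.

Added example for the ITRC post; not ITRC or Hive Systems code.
MIN_DISTANCE is an assumed policy value chosen for illustration.
"""

MIN_DISTANCE = 4          # assumed: reject if fewer than 4 edits separate old and new
DIGITS = "0123456789"


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance (insert, delete, substitute) via a two-row DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,               # delete ca
                           cur[j - 1] + 1,            # insert cb
                           prev[j - 1] + (ca != cb))) # substitute (free if equal)
        prev = cur
    return prev[-1]


def too_similar(old: str, new: str, min_distance: int = MIN_DISTANCE) -> bool:
    """True when `new` is a trivial mutation of `old` and should be refused."""
    o, n = old.lower(), new.lower()               # case changes alone do not count
    if o == n:
        return True
    if o.rstrip(DIGITS) == n.rstrip(DIGITS):      # doghouse1 -> doghouse2
        return True
    if o in n or n in o:                          # old secret embedded in the new one
        return True
    return levenshtein(o, n) < min_distance


def review_change(old: str, new: str) -> str:
    """Return a policy decision string for a proposed change, for display or logging."""
    return "rejected: too similar to previous passphrase" if too_similar(old, new) else "accepted"


if __name__ == "__main__":
    # Constructed sample pairs, not real credentials.
    for old, new in [("doghouse1", "doghouse2"),
                     ("Doghouse1", "DOGHOUSE1!"),
                     ("doghouse1", "H00kEmH0rns2015")]:
        print(f"{old!r} -> {new!r}: {review_change(old, new)}")
```

A real system would run this against a salted hash history rather than stored plaintext; the comparison itself only needs the candidate and the previous value at the moment the user submits a change.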

Passphrases Are Hard to Crack

Passphrases should contain a combination of at least uppercase and lowercase letters. Numbers and symbols will make your passphrase just that much stronger. It is estimated to take a criminal 3K years to crack a 12-character passphrase with numbers, upper and lower case letters, and symbols. For a 16-character passphrase with numbers, upper and lower case letters, and symbols, it is 1B years.
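The “exponential with every additional character” claim above, and the jump from 3K to 1B years between 12 and 16 characters, both come from the size of the brute-force search space: the number of character classes used, raised to the power of the length. The script below is an added example, not the ITRC’s or Hive Systems’ code or model; it computes that search space and the equivalent bits of strength for the passphrases discussed in this post. The guess rate used for the time estimate is a constructed figure for illustration only and does not reproduce Hive Systems’ chart. The model assumes characters chosen at random; a passphrase built from common dictionary words or dates is weaker against wordlist-based guessing than this bound suggests, which is why the post recommends phrases that are personal and unique.

```python
"""Brute-force search space as a function of passphrase length and character classes.

Added example for the ITRC post; not ITRC or Hive Systems code.
GUESSES_PER_SECOND is a constructed illustrative rate, not Hive Systems' figure.
"""
from math import log2

# Sizes of the four printable-ASCII character classes.
CHARSET_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}
GUESSES_PER_SECOND = 10**10   # assumed rate for the time estimate (constructed)
SECONDS_PER_YEAR = 365 * 24 * 3600


def classes_used(secret: str) -> set:
    """Which character classes actually appear in the secret."""
    used = set()
    for ch in secret:
        if ch.islower():
            used.add("lower")
        elif ch.isupper():
            used.add("upper")
        elif ch.isdigit():
            used.add("digit")
        else:
            used.add("symbol")
    return used


def alphabet_size(secret: str) -> int:
    """Size of the alphabet an attacker must cover to enumerate secrets like this one."""
    return sum(CHARSET_SIZES[c] for c in classes_used(secret))


def search_space(secret: str) -> int:
    """Number of candidates of the same length over the same classes: alphabet ** length.
    Each extra character multiplies the work by the alphabet size, hence exponential growth."""
    return alphabet_size(secret) ** len(secret)


def strength_bits(secret: str) -> float:
    """log2 of the search space, the usual way to compare secrets of different shape."""
    return log2(search_space(secret))


def years_to_exhaust(secret: str, guesses_per_second: int = GUESSES_PER_SECOND) -> float:
    """Worst-case years to try every candidate at the assumed guess rate."""
    return search_space(secret) / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Examples from the post; the pad-with-x entries show pure length effect.
    for s in ["doghouse1", "H00kEmH0rns2015", "2KillaMockingBird",
              "Aa1!Aa1!Aa1!", "Aa1!Aa1!Aa1!Aa1!"]:
        print(f"{s:20} len={len(s):2} alphabet={alphabet_size(s):2} "
              f"bits={strength_bits(s):6.1f} years≈{years_to_exhaust(s):.3g}")
```

Running it shows the length effect directly: the two four-class strings of 12 and 16 characters differ by a factor of 94 to the fourth power, roughly 78 million, which is the same order-of-magnitude leap the Hive Systems figures describe.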

Few users can create and remember a complex random combination for every single account. A unique, memorable passphrase for every account is both more secure and a habit users are far more likely to keep.

Some Password Advice Has Not Changed

It is still important to create different passphrases for every account and to enable multi-factor authentication (MFA) with an app when possible. It is also essential to avoid using the same or similar passwords for work and personal accounts. Also, never share login credentials with other people.

As with all technology-related practices, the most important thing is to be adaptable and evolve as the ecosystems change to address exploits. Keeping up with security findings and fitting them into daily use is a valuable way to protect your personal information.

Contact the ITRC

To learn more about the evolution of password advice, or if you believe you were the victim of an identity crime, contact the Identity Theft Resource Center. You can speak with an expert advisor toll-free by calling 888.400.5530 or visiting our website to live-chat during our regular business hours (Monday-Friday 6 a.m.-5 p.m. PST). Just visit www.idtheftcenter.org to get started.

This blog was originally published on 5/14/2020 and was updated on 3/17/2023
