Do all your passwords L00k sOm3th!ng l!Ke th!$? Great! No one will ever figure them out, right?
Negative. Turns out, everything that you — and every website out there — have believed about creating a strong password is wrong. Those common rules you've been following (mixing capital letters and numbers, incorporating special characters, changing your password every 90 days) don't do much to keep out hackers, according to the man who wrote those exact rules you've been following.
The story starts back in 2003 when Bill Burr, who worked at the National Institute of Standards and Technology (NIST), was tasked with coming up with guidelines for creating a password. The problem was that he didn't have much data to go off of, so, under deadline pressure, he based his recommendations on older published rules that didn't take into account newer technology. "Much of what I did I now regret," Burr told the Wall Street Journal in 2017.
Not exactly comforting words — and they probably make you feel a little like you did when you learned the Tooth Fairy wasn't real. The main problem is that tricks like incorporating special characters aren't that hard for hackers to figure out. Plus, because weird-looking passwords are harder to remember, people often don't do much to alter them when it's time to create a new one — for example, just changing a 1 to a 2. Hackers are basically, like, duh.
The good news is that NIST is working on revising those standards, and their new golden rule is much easier to follow. Their advice? String together a long but easy-to-recall phrase (say, four words or more) that only you would remember. This is actually harder for hackers to crack than a shorter password that follows the old rules, according to the Journal. And don't feel the need to change your password unless you suspect your accounts are being tampered with.
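For anyone who runs a sign-up or change-password form, here is what the two points above (swapped-in symbols and bumped numbers are predictable; a phrase of four or more words is the better choice) look like as a check. This is an added example, not code from NIST or the Journal; the blocklist, the swap table and the function names are made up for illustration.

```python
import re
import string

# Constructed sample blocklist; a real deployment would load a large list
# of common and previously breached passwords.
COMMON_WORDS = {"password", "something", "welcome", "dragon", "letmein"}

# Look-alike swaps that guessing tools undo automatically (assumed table).
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                            "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})
MIN_WORDS = 4  # the article's "four words or more"


def normalize(password):
    """Drop leading/trailing digits and symbols, lower-case, undo look-alike swaps."""
    core = password.strip(string.digits + string.punctuation + " ")
    return core.lower().translate(LOOKALIKES)


def digits_masked(password):
    """Replace every run of digits with '#' so 'x1' and 'x2' compare equal."""
    return re.sub(r"\d+", "#", password.lower())


def check_new_password(new, old=None):
    """Return a list of problem codes; an empty list means the password passes."""
    problems = []
    # "P@$$w0rd1" is still just "password" once the swaps are undone.
    if normalize(new) in COMMON_WORDS:
        problems.append("common-word")
    # Catches exact reuse as well as changing a 1 to a 2.
    if old is not None and digits_masked(new) == digits_masked(old):
        problems.append("number-only-change")
    words = [w for w in re.split(r"[\s_.-]+", new.strip()) if w]
    if len(words) < MIN_WORDS:
        problems.append("too-few-words")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs: (new password, previous password or None).
    samples = [("P@$$w0rd1", None), ("Summer2024!", "Summer2023!"),
               ("purple kettle orbits lantern", "Summer2023!")]
    for new, old in samples:
        print(repr(new), check_new_password(new, old) or "ok")
```

Notice there is no rule demanding capitals, digits or symbols: the old-style password fails because it is a common word in disguise, and the plain four-word phrase passes.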
This will come as a relief to those of us who always lock ourselves out of our accounts because we can't remember where we put the exclamation point (which we only did because a website was screaming at us that our password was "too weak!").
Now excuse me while I go update all my pa$$words ...