The New (Easier) Rules of Strong Passwords

Passwords have been causing headaches for computer users since 1962, when an MIT Ph.D. candidate printed out a list of passwords for the university's shared computer system. He just wanted to steal some more time on the machine for his research. But the result was the world's first recorded password-based data breach.1
It's no wonder many internet users feel like they've been hearing about how to create strong passwords since the dawn of time. But just like the technology passwords protect, the best practices for creating an effective one have evolved over time. Just think of the short, guessable passwords like 123456, password and qwerty, which were common in the 1990s and still sit at the top of breached-password lists today.
Today, we have multifactor authentication (MFA) guarding our financial accounts, fingerprints unlocking our devices and password managers remembering our passwords for us. Password strength matters as much as ever (you don't stop wearing your seatbelt because your car has airbags, after all), but many guidelines about how to create, maintain and protect those passwords have changed. In fact, in August 2024, the National Institute of Standards and Technology (NIST) published a draft of its updated digital identity guidelines, with some surprising new tips on passwords.2
New Password Guidelines for Today's Internet
While many of NIST's guidelines are targeted toward organizations that set password requirements, the new insights can help all users shore up their password hygiene. An overarching theme is, perhaps surprisingly, user-friendliness. NIST research has found that overly onerous security protocols cause "security fatigue," which makes users less careful about security measures.3
Length Is More Important Than Complexity
Checking a website's requirements for how many uppercase, lowercase and special characters to use is par for the course these days. But NIST now advises organizations against imposing such composition rules at all and emphasizes length instead, as "analyses of breached password databases reveal that the benefit of such rules is less significant than initially thought."1
The agency recommends that organizations accept passwords of at least 64 characters, including spaces, so that an entire phrase or sentence can serve as a password. A sentence of your own making, say, "the agency recommends organizations allow up to 64 characters," may actually be a stronger password than "DK#%*nd32js0*#.GgT." Not only do longer passwords take more time to crack but, also, the user can more easily remember a legible phrase than a string of gobbledygook. The one caveat is that the phrase has to be yours: a famous quotation, a song lyric or anything already sitting in a breached-password list is among the first things attackers try, however long it is.
Don't Change a Strong Password — Unless There's a Breach
Years of workplaces and other organizations prompting users to update their passwords every few months have drilled "change your passwords regularly" into our heads. But why? NIST now says organizations should not require periodic changes at all. If you have a strong password that you can remember and there hasn't been a breach, sticking with that password is better than the security fatigue of updating and re-memorizing dozens of passwords periodically, a chore that tends to produce predictable tweaks such as "Summer2023" becoming "Summer2024."
The exception, of course, is if there has been a breach. All 50 states have laws requiring organizations to notify consumers of data breaches involving their personal information.4 If you receive such a notification, change that password right away, along with the password on any other account where you used the same or a similar one. Otherwise, you can drop the habit of regular updates.
Avoid Using Password Hints and Security Questions
It's unclear why it ever seemed like entering our mother's maiden name or the model of our first car — information that is likely accessible through public records, if not volunteered on our social media feeds — was a good way to add security to our online accounts. And at the risk of stating the obvious, using the option to reveal a "password hint" acts as a hint for hackers just as well as it does for you. NIST's guideline makes it clear that organizations should not even be offering these options to users. As a user, it's best to avoid using them.
Never Reuse or Modify a Password
A study of 61.5 million passwords from 28.8 million users over eight years found that 52% of users reused passwords or used slightly modified versions of them.5 Many users even did so after an account sharing the same or similar password had been breached. This is a real risk: attackers take the username and password pairs exposed in one breach and try them against other services, a technique known as credential stuffing, and the study found that 30% of modified passwords could be guessed within 10 tries by someone who knew the original.
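As an added illustration, not code from the article or from NIST, the following Python check shows what the guidance in the "Length Is More Important Than Complexity" and "Never Reuse or Modify a Password" sections looks like when an organization turns it into a password-acceptance rule: a minimum length and a generous maximum, no composition rules (spaces, all-lowercase phrases and non-ASCII characters are all accepted), a blocklist of common or breached passwords that also catches leetspeak variants of its entries, and, only when a reset was forced after a breach, a rejection of new passwords that are just a tweak of the old one. The length limits, the reason codes, the leetspeak table and the six-entry blocklist are assumptions made for illustration; a real deployment would load a large breached-password corpus.

```python
"""Password-acceptance check in the spirit of NIST SP 800-63B (constructed example)."""
import re
import unicodedata
from typing import List, Optional

MIN_LEN = 8    # NIST: user-chosen memorized secrets must be at least 8 characters
MAX_LEN = 128  # NIST: verifiers must accept at least 64; allowing 128 is this policy's choice

# Constructed stand-in for a real blocklist of common and breached passwords.
BLOCKLIST = {"123456", "password", "qwerty", "letmein", "iloveyou", "welcome1"}

# Substitutions users make when "modifying" a password; undone before comparing (assumed table).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
                      "@": "a", "$": "s", "!": "i"})


def normalize(secret: str) -> str:
    """NFKC-normalize before comparing or hashing, as NIST recommends."""
    return unicodedata.normalize("NFKC", secret)


def core(secret: str) -> str:
    """Reduce a password to its letters: lowercase, strip leading/trailing digits and
    symbols, undo leetspeak, drop whatever is not a letter.
    'P@ssw0rd2024!' and 'password' both collapse to 'password'."""
    s = normalize(secret).lower()
    s = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", s)   # strip non-letter runs at both ends
    s = s.translate(LEET)
    return "".join(ch for ch in s if ch.isalpha())


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute), row-by-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trivial_modification(new: str, old: str) -> bool:
    """True if `new` is `old` with the kind of tweak an attacker tries first."""
    n, o = normalize(new).lower(), normalize(old).lower()
    if n == o:
        return True
    if core(n) and core(n) == core(o):      # Summer2023 -> Summer2024, pass -> P@ss!
        return True
    return edit_distance(n, o) <= 2         # one or two characters changed


BLOCK_CORES = {core(p) for p in BLOCKLIST} - {""}   # all-digit entries have no core


def check_password(candidate: str, previous: Optional[str] = None) -> List[str]:
    """Return the reasons to reject `candidate`; an empty list means it is accepted.
    No composition rules are applied. `previous` is supplied only when a reset
    was forced by a breach, to stop the user from re-submitting a tweak of it."""
    pw = normalize(candidate)
    reasons = []
    if len(pw) < MIN_LEN:
        reasons.append("too_short")
    if len(pw) > MAX_LEN:
        reasons.append("too_long")
    if pw.lower() in BLOCKLIST:
        reasons.append("blocklisted")
    elif core(pw) in BLOCK_CORES:
        reasons.append("blocklist_variant")
    if previous is not None and is_trivial_modification(pw, previous):
        reasons.append("reused_or_modified")
    return reasons


if __name__ == "__main__":
    samples = [("the agency recommends organizations allow up to 64 characters", None),
               ("correct horse battery staple", None),
               ("P@ssw0rd", None),
               ("Welcome123!", None),
               ("Summer2024", "Summer2023")]
    for pw, prev in samples:
        print(f"{pw!r}: {check_password(pw, prev) or 'accepted'}")
```

The check runs on the plaintext at the moment the user sets the password, before it is hashed and stored; nothing here is kept afterwards except the hash. The blocklist comparison is what NIST calls for in place of composition rules; the `core` and edit-distance heuristics for spotting modified passwords are this example's own approximation of what the study above measured, not part of the NIST text.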
Use a Password Manager
Not having to change your passwords all the time is good news, but never reusing or tweaking an existing password could still sound overwhelming. Fortunately, NIST endorses the use of password managers, as do many other cybersecurity pros.6
Password managers store your passwords and fill in the password field when you visit the page. They can be built into your browser, be part of your computer's security software or live on hardware that you plug into your device. Most will also generate a long random password for each site when you first sign up, so you don't have to sweat the rules of creating strong passwords yourself. Because a manager only offers a saved password on the site it was saved for, it also won't hand that password to a look-alike phishing page at a different address, a useful warning sign in itself.
Password managers take the hard work out of remembering or storing your passwords yourself. All you have to do is remember the master password that unlocks the manager. Make that one a long passphrase that meets the new rules of strong passwords, turn on MFA for the manager itself if it is offered, and you're all set.
With all the new tricks cybercriminals have up their sleeves, there's no reason to make their lives easier with weak passwords. But there's also no reason to make your own life hard by following outdated, labor-intensive rules like regularly updating dozens of passwords. Thanks to the lessons learned from years of cybercrime research and expert guidance from NIST, users can find the sweet spot between online security and security fatigue and keep their accounts safe.
If you think your online accounts could have been compromised for any reason, follow our tips at What to Do if You Are a Victim of Fraud.