Ponderings from Paducah - An Easy Way to Build and Remember a Strong Password

Date of Release: November 21, 2025

The latest Ponderings from Paducah is from Chief Technology Director Eric Stuber who provides an easy way to build and remember a strong password that would take a hacker many lifetimes to guess.

Recent guidance from the National Institute of Standards and Technology (NIST) suggests prioritizing password length over complexity.

Making password requirements more complex causes problems for users, since complex passwords are difficult to remember. This leads users to set passwords that are often weaker, predictable, written down, and/or stored insecurely. For example, “Fall2025!” meets common complexity requirements (uppercase, lowercase, number, and special character) but is very easy to guess.

The recommendation now is to create passwords of 12 or more characters, with some organizations, such as NIST and the Cybersecurity and Infrastructure Security Agency (CISA), suggesting 16 or more characters.

Length is important because each additional character exponentially increases the number of possible combinations a hacker (or a hacker’s program) needs to try. An 8-character password containing uppercase, lowercase, number, and special characters has approximately 2.8 quadrillion (2.8e+15) possible combinations, but a computer program takes only about 5 minutes to iterate, or run through, all of those combinations. For comparison, a 12-character password would take 226 years to iterate, and a 16-character password? 5 BILLION years!

How many combinations, approximately, for a password that is 16 characters long? 3.3e+23! That’s 330,000,000,000,000,000,000,000.

With this new guidance, how can you remember a password 12 to 16 characters long AND still meet the complexity requirements that some computer systems require? The answer is to use passphrases. A passphrase is a sequence of multiple words or even a full sentence, and passphrases are easier for users to remember.

Think of the easy-to-remember sentence “Three monkeys are looking up.” You can turn this into a complex passphrase by changing some of the words into letters, numbers, and special characters: “3MonkeysRLooking^”. This is a 16+ character password with uppercase, lowercase, a number, and a special character that is still easy to remember.

I like to create situational passphrases as well. For example, you may have a photo from a hiking trip on your desk. List key things from the photo that are important to you, such as “TreeCabinBlueShirtCreek.” To make it complex, separate the words with a hyphen or other special characters (e.g., “Tree-Cabin-Blue-Shirt-Creek”).
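As an added example (not part of the article), the arithmetic behind the combination counts above and a length-first check in the spirit of the passphrase advice, in Python: the keyspace is the alphabet size raised to the password length, the worst-case cracking time divides that by an assumed guess rate, and the policy check treats length as mandatory and legacy character classes as optional. The 94-symbol alphabet and the 10^12 guesses-per-second rate are assumptions (the article states neither), so the absolute times differ from the article's figures; the exponential growth with length does not.

```python
import math
import string

# Assumptions, not figures from the article (which states neither its alphabet
# nor its guess rate): 94 printable ASCII symbols, 10**12 guesses per second.
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
GUESSES_PER_SECOND = 1e12
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Legacy "complexity" classes, each tested per character.
CLASS_TESTS = {"upper": str.isupper, "lower": str.islower, "digit": str.isdigit,
               "symbol": lambda ch: ch in string.punctuation}


def keyspace(length, charset_size=len(ALPHABET)):
    """Distinct passwords of exactly `length` symbols: charset_size ** length."""
    return charset_size ** length


def bits_of_entropy(length, charset_size=len(ALPHABET)):
    """log2 of the keyspace: every extra symbol adds log2(charset_size) bits."""
    return length * math.log2(charset_size)


def seconds_to_exhaust(length, charset_size=len(ALPHABET), rate=GUESSES_PER_SECOND):
    """Worst case for an attacker who tries every combination at `rate` per second."""
    return keyspace(length, charset_size) / rate


def character_classes(password):
    """Set of legacy complexity classes present in the password."""
    return {name for name, test in CLASS_TESTS.items()
            if any(test(ch) for ch in password)}


def length_first_check(password, minimum=12, legacy_classes=0):
    """Length is the hard requirement; a class count is enforced only when a
    legacy system still demands it (legacy_classes > 0)."""
    classes = character_classes(password)
    return {"length_ok": len(password) >= minimum,
            "classes": classes,
            "classes_ok": len(classes) >= legacy_classes}


if __name__ == "__main__":
    for n in (8, 12, 16):
        secs = seconds_to_exhaust(n)
        print(f"{n} chars: {keyspace(n):.2e} combinations, {bits_of_entropy(n):.1f} bits, "
              f"{secs:.3g} s ({secs / SECONDS_PER_YEAR:.3g} years) to exhaust")
    for pw in ("Fall2025!", "3MonkeysRLooking^", "Tree-Cabin-Blue-Shirt-Creek"):
        print(pw, length_first_check(pw, minimum=12, legacy_classes=4))
```

Running it shows why “Fall2025!” is a poor choice: it satisfies all four classes yet fails the length check, while the hyphenated hiking passphrase passes on length alone.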

Remember, length is better than complexity. You are trying to generate a password that is easy for YOU to remember but not easily guessed by someone else or by a hacker’s computer program.

Don’t overthink it!

(written by Chief Technology Director Eric Stuber)