Chances are you’ve never heard of the National Institute of Standards and Technology (NIST) Special Publication 800-63, Appendix A. But you’ve been using its contents from your first online account and password until today. That’s because, within it, you’ll find the first password rules such as requiring a combination of a lowercase and uppercase letter, a number, and a special character — and the recommendation of changing your password every 90 days.

There’s only one problem. Bill Burr, who originally set up these rules, thinks he blew it. “Much of what I did I now regret,” Burr told The Wall Street Journal a few years ago.

Why? Because most people can’t be bothered to make significant changes when it’s time to update the password. For example, instead of “Abcdef1?” we change it to “Abcdef1!” then “Abcdef.” and so on and so on.

Because we hate these rules, we end up using totally lame passwords like “123456” and “password” instead. Any ordinary cracking program will take less than a second to break any of these. You might as well not use a password at all.

And, if you do it “right,” you end up with passwords that are fiendishly hard to remember. I can remember semi-arbitrary strings such as xkcd936!EMC2; most people can’t.

Instead, both NIST and cartoonist Randall Munroe have a better idea: Use passphrases instead of passwords. A passphrase such as “ILoveUNCbasketballin2021!” is easy to remember and, even though it contains real words, is relatively hard to crack.
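The argument above is really about how many guesses an attacker has to make. The following script, added here as an illustration and not part of the original article, puts rough numbers on the three cases it describes: a top-of-the-list password like “123456”, an eight-character composition-rule password and its “rotated” variants (“Abcdef1?” to “Abcdef1!”), and a passphrase built from a word list. The guess rate of ten billion per second and the small demo word list are constructed assumptions; the 7,776-word figure is the size of a standard Diceware-style list, used only as a parameter.

```python
"""Guess-resistance of passwords vs. passphrases (added worked example).

Entropy figures assume each element is chosen uniformly at random; the
cracking rate is an assumption for illustration, not a measurement.
"""
import math
import secrets

GUESSES_PER_SECOND = 1e10          # assumed offline hash-cracking rate (constructed)
SYMBOLS = "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"   # the 32 printable ASCII symbols
ALPHABET_MIXED = 26 + 26 + 10 + len(SYMBOLS)  # upper + lower + digits + symbols = 94
DICEWARE_SIZE = 7776                # words in a standard Diceware-style list

# Constructed demo word list; a real deployment would use a full published list.
DEMO_WORDS = ["correct", "horse", "battery", "staple", "tarheel",
              "basketball", "river", "lantern"]


def random_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in a string of `length` symbols drawn uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def rotation_bits(n_variants: int) -> float:
    """Entropy actually added when a known password is 'changed' by picking one of
    n_variants predictable edits (e.g. swapping the trailing symbol)."""
    return math.log2(n_variants)


def common_password_seconds(rank: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Time to guess the `rank`-th most common password from a popularity list."""
    return rank / rate


def seconds_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Time to try every candidate in a space of 2**bits at `rate` guesses/second."""
    return 2 ** bits / rate


def years_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    return seconds_to_exhaust(bits, rate) / (365 * 24 * 3600)


def make_passphrase(wordlist: list[str], n_words: int, sep: str = "-") -> str:
    """Generate a passphrase with a CSPRNG; entropy is n_words * log2(len(wordlist))."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def compare() -> dict[str, float]:
    """Entropy (bits) for the three cases discussed in the article."""
    return {
        "top-ranked common password ('123456')": 0.0,
        "8-char mixed-composition password": random_bits(ALPHABET_MIXED, 8),
        "rotating the trailing symbol only": rotation_bits(len(SYMBOLS)),
        "5-word passphrase (7776-word list)": random_bits(DICEWARE_SIZE, 5),
    }


if __name__ == "__main__":
    for label, bits in compare().items():
        print(f"{label:42s} {bits:6.1f} bits  ~{years_to_exhaust(bits):.2e} years to exhaust")
    print("rank-1 password guessed in", common_password_seconds(1), "s")
    print("example passphrase:", make_passphrase(DEMO_WORDS, 5))
```

Two things stand out when it runs: rotating a symbol on an old password adds only about five bits, so an attacker who already holds the previous hash is looking at a few dozen guesses, not a fresh search; and a five-word passphrase drawn from a real list out-scores an eight-character symbol soup by roughly twelve bits while being far easier to remember. The generator uses `secrets` rather than `random` because the entropy estimate only holds if the words are chosen unpredictably.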

Copyright © 2021 IDG Communications, Inc.