The current advice? Stringing words together to make something very long is a lot easier to remember — and harder to crack — than Ft5!r@lwv3. And because it's easier to remember, you won't take the same shortcuts in making it, or updating it.
The new guidelines also do away with the change-every-90-days rule, though that one to my mind has more rationale. People still give away passwords to each other ("Hey, just sign onto my account; it has all the right access"), which means that when someone leaves the company, they theoretically leave with all those passwords. And while 99.9% of folk will never abuse that …
The challenge now is that, even with the change in NIST standards, it will take another several years for websites to change their rules. By which time, the changing computing landscape will lead to some other set of advice.
The Man Who Wrote Those Password Rules Has a New Tip: N3v$r M1^d! – WSJ
Bill Burr’s 2003 report recommended using numbers, obscure characters and capital letters and updating regularly. As his advice is overturned, he feels regretful.
To be fair, in 2003 8-digit codes were standard. We've a lot more flexibility nowadays. That does make a difference…
https://xkcd.com/936/
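The entropy arithmetic behind the opening post's "long passphrase beats Ft5!r@lwv3" claim and the xkcd comic, as an added example that is not part of this thread or of the WSJ article. It assumes uniformly random choices: a Diceware-style list of 7776 words, the 95 printable ASCII characters, and a constructed offline guess rate of 10^10 per second; the blocklist is a constructed stand-in for a breached-password corpus. The policy check at the end reflects the NIST direction the thread describes (length and a compromised-password check, no composition rules, no forced expiry).

```python
import math

# All numbers below are constructed assumptions for illustration, not figures from the thread.
WORDLIST_SIZE = 7776          # a Diceware-style list has 6**5 = 7776 words
PRINTABLE_ASCII = 95          # size of the printable ASCII alphabet
GUESSES_PER_SECOND = 1e10     # assumed offline guess rate against a fast, unsalted hash

# Constructed blocklist standing in for a breached-password corpus (NIST 800-63B asks
# verifiers to reject secrets found in such lists).
BLOCKLIST = {"password", "password123", "qwerty", "letmein"}


def passphrase_entropy_bits(num_words, wordlist_size=WORDLIST_SIZE):
    """Entropy of num_words chosen uniformly at random from a list of wordlist_size words."""
    return num_words * math.log2(wordlist_size)


def random_password_entropy_bits(length, alphabet_size=PRINTABLE_ASCII):
    """Entropy of a password of `length` characters, each uniform over alphabet_size symbols."""
    return length * math.log2(alphabet_size)


def words_needed(target_bits, wordlist_size=WORDLIST_SIZE):
    """Smallest number of random words whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def expected_crack_seconds(entropy_bits, guesses_per_second=GUESSES_PER_SECOND):
    """Average time for an offline search: half the keyspace is tried on average."""
    return (2.0 ** entropy_bits) / 2.0 / guesses_per_second


def compare(num_words, password_length):
    """Side-by-side entropy and expected offline search time for the two styles."""
    phrase_bits = passphrase_entropy_bits(num_words)
    pw_bits = random_password_entropy_bits(password_length)
    seconds_per_year = 365 * 24 * 3600
    return {
        "passphrase_bits": round(phrase_bits, 1),
        "password_bits": round(pw_bits, 1),
        "passphrase_years": expected_crack_seconds(phrase_bits) / seconds_per_year,
        "password_years": expected_crack_seconds(pw_bits) / seconds_per_year,
    }


def check_secret(secret, blocklist=BLOCKLIST, min_length=8):
    """Length-and-blocklist check in the spirit of NIST 800-63B: no composition rules,
    no expiry; reject only short secrets and known-compromised ones."""
    problems = []
    if len(secret) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if secret.lower() in blocklist:
        problems.append("found in compromised-password blocklist")
    return problems


if __name__ == "__main__":
    print(compare(num_words=4, password_length=10))
    print("words for 80 bits:", words_needed(80))
    print(check_secret("Ft5!r@lwv3"), check_secret("password123"))
```

Two things the numbers make plain. Four random words from a 7776-word list carry about 51.7 bits, while ten truly random printable characters carry about 65.7, so the passphrase only pulls ahead by being longer (five words pass 64 bits, seven pass 80) and by being something people will actually remember rather than reuse or write down. The estimates also only hold for uniformly random choices: a dictionary word with l33t substitutions, the "Tr0ub4dor" pattern in the comic, has far less entropy than its length suggests, which is exactly why the length-plus-blocklist check above is the useful one and composition rules are not.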
This has been true for a long time. Unfortunately companies are just adopting the old bad rules that are hard to remember… so ymmv
Huh. My company uses that stupid policy too; it never made sense to me, but I didn't know why until now. And of course it was an external consultant that told them to do so. My passwords have always been 16 characters or more unless the site/program doesn't allow that many. Now I may try and force them to update this.
Sigh