Is “Xr6Tn$*35QK” really a bad password? A recent article in The Wall Street Journal might lead you to think so. But a deeper look at the issue indicates otherwise.

The Journal story cites the author of NIST Special Publication 800-63, Appendix A, a document published in 2003 by the National Institute of Standards and Technology that contained detailed advice on digital identity guidelines and how to administer secure online services. That primer advised people to create passwords out of oddball combinations of upper- and lowercase characters, punctuation and numbers, the thinking being that it would take brute-force cracking software too long to unscramble them to make the effort worthwhile.

The author, who has since retired, now says the advice he gave 14 years ago was based on insufficient research and should be ignored. He recently backtracked on the 2003 guidance in a revamped set of recommendations that suggests that mixing letters and numbers provides insufficient protection.

The revised Appendix A in NIST Special Publication 800-63 explains that the effectiveness of choosing passwords “constructed using a mix of character types, such as at least one digit, uppercase letter, and symbol…is not nearly as significant as initially thought, although the impact on usability and memorability is severe.” Instead, the institute now recommends that “Users should be encouraged to make their passwords as lengthy as they want, within reason.”

But that doesn’t mean eight-character passwords can’t be just as effective as a string of unrelated words like “foamwisetortoiseignoretrucksocialcycle.” A deeper look at the NIST guidance shows that not that much has actually changed.

The real issue with password strength isn’t length. It’s human nature. And entropy.
Running the numbers

The revised recommendations lean heavily on a 2010 report prepared by researchers from Florida State University, Redjack LLC, and Cisco IronPort Systems. Using mathematical models that would give most of us a headache, the researchers analyzed the effectiveness of actual passwords drawn from several large data breaches encompassing tens of millions of examples. They found that even when users complied with instructions to create passwords mixing letters, numbers and punctuation, their choices were often easily guessable by cracking software using a dictionary of a couple of hundred thousand words.

The human-nature part of the equation is that people tend to follow certain patterns when creating passwords. They typically choose one or more root words from a standard vocabulary, or common names. When asked to add special characters, they tend to make predictable substitutions, such as “@” for “a” and “!” for “l.” Because the substitutions are predictable, they can be guessed algorithmically with pretty good accuracy.

This leads to password choices like “P@$$w0rd!,” which technically conforms to the rules but is a terrible password. The authors are particularly critical of website password checkers, many of which would let “P@$$w0rd!” through unchallenged.

They also criticize the 2003 NIST guidelines for relying on a concept called entropy, which was outlined in a paper written by mathematician Claude E. Shannon in 1948. Khan Academy has an excellent four-minute video that explains entropy simply. It’s a mathematical principle that’s useful in cryptography and messaging but has no value in estimating optimal password length, they say. Unfortunately, that’s how the 2003 NIST report used it.

Not a job for humans

The 2010 paper basically concludes that asking humans to create passwords is a fool’s errand.
Instead, it recommends that password selection be an interactive process in which the authentication engine on the website suggests secure alternatives to the passwords people select, rather than simply issuing a set of guidelines.

It doesn’t say long passwords are better than short ones. And, in the final analysis, neither do the revised NIST guidelines. Long passwords composed of random words strung together are hard to guess because of the number of variables involved. However, short passwords consisting of random strings of alphanumeric text and characters can be just as effective. The issue isn’t length but randomness.

In a nutshell, the revised guidelines impose no additional complexity requirements but recommend that server-side processes be strengthened to propose passwords that meet statistical standards for security. They are a strong argument for the use of password managers, which generate suggested passwords using randomly selected combinations of letters, numbers and special characters and store them in an encrypted vault. Users need never worry about remembering them.

The Journal report was accurate, but perhaps a bit overly simplistic in its conclusions. There’s no need to go back and change all your passwords. If you’re using a password manager, you should be in really good shape.
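To put numbers on the randomness-versus-character-mixing point, here is an added example (written for this page, not code from the article, the Journal or NIST): it computes the entropy of a uniformly random password or passphrase and, for a leet-dressed dictionary word like “P@$$w0rd!”, the far smaller effective search space once the predictable substitutions are undone, which is the check a password screener should be doing. The dictionary and word-list sizes, the substitutions beyond “@” and “!”, and the pool of appended characters are assumptions.

```python
import math
import string

# Predictable substitutions a cracker undoes before a dictionary lookup.
# "@" -> "a" and "!" -> "l" are the ones the article names; the rest are
# common extras assumed here.
LEET = {"@": "a", "!": "l", "$": "s", "0": "o", "3": "e", "1": "i", "4": "a"}

# Constructed stand-in for a cracking dictionary; a real one has a couple of
# hundred thousand entries, which is the size used for the guess estimate.
DICTIONARY = {"password", "welcome", "dragon", "monkey", "letmein"}
DICTIONARY_SIZE = 200_000  # assumed size of a real cracking dictionary
APPENDED_CHOICES = 42      # assumed pool for a trailing char: 10 digits + 32 ASCII symbols
PRINTABLE = 94             # printable ASCII minus space: pool for a random password
WORDLIST = 7776            # assumed size of the list a random passphrase is drawn from

def random_entropy_bits(pool_size: int, length: int) -> float:
    """Entropy when each of `length` symbols is drawn uniformly from `pool_size` choices."""
    return length * math.log2(pool_size)

def deleet(text: str) -> str:
    """Undo leet substitutions and lowercase: 'P@$$w0rd' -> 'password'."""
    return "".join(LEET.get(ch, ch) for ch in text).lower()

def analyze(password: str, dict_size: int = DICTIONARY_SIZE):
    """Return (root_word, effective_bits) if the password is a dressed-up
    dictionary word, or None if no dictionary root is found."""
    core = password.rstrip(string.digits + string.punctuation)  # users append "1", "!", ...
    for candidate, tail in ((core, password[len(core):]), (password, "")):
        root = deleet(candidate)
        if root in DICTIONARY:
            swaps = sum(1 for ch in root if ch in LEET.values())  # letters that may be leeted
            # guesses = dictionary x (each swap on/off) x (initial capital or not) x trailing chars
            guesses = dict_size * 2 ** swaps * 2 * APPENDED_CHOICES ** len(tail)
            return root, math.log2(guesses)
    return None

def compare():
    """Worked numbers for the three kinds of password discussed in the article."""
    return {
        "Xr6Tn$*35QK": random_entropy_bits(PRINTABLE, 11),   # random 11 chars: ~72 bits
        "7 random words": random_entropy_bits(WORDLIST, 7),  # random passphrase: ~90 bits
        "P@$$w0rd!": analyze("P@$$w0rd!")[1],                 # ~28 bits despite mixed classes
    }

if __name__ == "__main__":
    for name, bits in compare().items():
        print(f"{name:15s} ~{bits:5.1f} bits")
```

The mixed-class “P@$$w0rd!” comes out roughly 44 bits weaker than the random 11-character string, because the cracker only has to enumerate a dictionary times a handful of predictable variants.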