Maintaining a set of strong, unique passwords is tough work these days — and yet it’s never been more important. With so much time spent online, keeping the digital bad guys out of our accounts is a basic prerequisite for making it through the day.

Here’s the thing: It turns out that the “strong” password requirements we’ve all come to know aren’t actually helping. In fact, they may be doing more harm than good. 

This news was first brought to our attention in May when experts at the National Institute of Standards and Technology (NIST) issued a draft report challenging many of our long-held assumptions about what makes a good password (what it calls a “memorized secret”). That draft was finalized in June, and it provides a comprehensive list of do’s and don’ts when it comes to password protection.

And while that NIST recommendation keeps some of the old favorites, it lso packs a few surprises.

The do’s:

  • Make your password at least 8 characters long. We knew this one already, and the basic advice to avoid short passwords hasn’t changed. “Passwords that are too short yield to brute force attacks as well as to dictionary attacks using words and commonly chosen passwords,” the NIST guidelines remind us.
  • Consider making it even longer. Have you ever had a password rejected because it was too long? Yeah, that’s a bonkers thing that happens sometimes. The folks at NIST want to change that, and say that service providers should allow passwords of up to 64-characters in length. Take advantage of this and choose long passphrases to protect your accounts.
  • Keep your password as long as you’d like (within reason). Say goodbye to forced password resets every 90 days or so. Haven’t been notified of a breach, or clinked on any shady links? Feel free to keep your password as it. Things get weird? Well then that’s when you should change your password.
  • Use a password manager. Password managers, like LastPass, allow you to have robust and unique passwords for each and every site. Use one — it’s worth it.

The Don’ts:

  • Throw out those special characters. Forget all the @’s, $’s, and &’s that you’ve come to accept as standard password requirements. You don’t need those anymore. They just make it harder to remember your actual password, and they don’t actually make it stronger.
  • Get rid of password hints. Password hints are trouble, as they make it easier for a stranger to guess their way into your account. Don’t use them.
  • Stop it with the password reset questions. Answers to questions like “what was the name of your first pet” are hardly state secrets, and yet that’s all some services require for a password reset. Skip these.
  • Avoid the “1234567” trap. Stay away from what NIST refers to as “repetitive or sequential characters.” That means your password of “ffffffff” has to go, too.
  • Making your password the name of the service? Yeah, no. If the password for your Gmail account is “yournameGmail” then you’re doing it wrong. Don’t put the name of the service, your name, or any derivation thereof in your password. Got it?

Following this advice will benefit you in two ways, both by making it easier to remember your passwords and making them stronger. It’s a rare and wonderful thing when taking your medicine actually tastes good, and yet that’s the exact situation here.

Embrace the new NIST guidelines, because when it comes to digital security there is rarely good news.