We’re probably all familiar with the advice about what makes a strong password, but the man who first suggested combining numbers and letters and adding special characters to our passwords now thinks a lot of his original advice was misguided.
Bill Burr was working for the National Institute of Standards and Technology (NIST), part of the US government, when he wrote his original guidelines back in 2003. With the backing of NIST, they were widely adopted by other agencies and IT managers.
But telling people to come up with multiple, complicated passwords for every account has backfired, Burr says, because many of us now just use the same password for everything we log into – and that makes us more vulnerable to hackers, not less.
“Much of what I did I now regret,” Burr, who is now retired, told Robert McMillan at the Wall Street Journal. “In the end, it was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree.”
Burr originally recommended mixing upper and lower case letters with numbers and special characters to make passwords harder to crack, and in pure brute-force terms that is sound advice: every character class you add widens the alphabet an attacker has to search at each position, from 26 lowercase letters to 52 with mixed case, 62 with digits and roughly 95 with the printable special characters.
There are two problems with it, though. First, people tend to follow the same patterns (capitalising the first letter, replacing "S" with "5", tacking a "1" or "!" on the end), and password-cracking tools try exactly those substitutions first, so the "complex" variants are among the earliest guesses rather than the last. Second, users struggle to remember many complicated combinations and fall back on reusing one password for every account, so a single breached site exposes all of them.
Burr also recommended changing passwords regularly. Again, this is a good idea in principle, but in practice it leads people to change a single letter or digit each time, typically by incrementing a trailing number, so an attacker who already holds an old password can guess the current one in a handful of tries.
As this xkcd comic puts it: “Through 20 years of effort, we’ve successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess.”
“The more often you ask someone to change their password, the weaker the passwords they typically choose,” Alan Woodward, from the University of Surrey in the UK, told the BBC.
“And, as we have all now so many online accounts, the situation is compounded so it encourages behaviours such as password reuse across systems.”
So what should we be doing instead? The new advice from Burr, xkcd creator Randall Munroe, and other experts is to pick a long phrase that only you can remember but that would take a computer an enormous amount of time to crunch through. Length is what matters: every extra character multiplies the search space, so a long string of ordinary words beats a short string of symbols.
Something like “giraffeseatingcarrotsinbed” would do nicely. Don’t use that, though, obviously.
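As an added example, not code from the original article or from NIST, the following Python script makes the comparison above concrete. It estimates the search space an attacker faces under two models: naive brute force over the character classes present, and a dictionary attack that undoes the common "leet" substitutions and splits the password into known words. The word list, the assumed effective dictionary size of 10,000 entries and the substitution table are constructed for illustration (a real cracking dictionary holds millions of words and leaked passwords, and real rule sets are far richer), so the absolute numbers are rough; the ordering is the point.

```python
import math
import string

# Constructed stand-in for an attacker's word list (assumption: a real cracking
# dictionary holds millions of words, names and previously leaked passwords).
WORDLIST = {
    "giraffe", "giraffes", "eating", "carrots", "carrot", "in", "bed",
    "password", "summer", "welcome", "dragon", "monkey", "letmein", "bird",
}
# Assumed effective dictionary size for the estimate (illustrative, not measured).
ASSUMED_DICT_SIZE = 10_000

# Substitutions attackers already try as mangling rules; undoing them shows how
# little they add.
LEET = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
        "@": "a", "$": "s", "!": "i"}
SYMBOLS = set(string.punctuation)        # the 32 printable ASCII symbols


def alphabet_size(pw):
    """Alphabet a naive brute-force attacker must search: the classes present."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in SYMBOLS for c in pw):
        size += len(SYMBOLS)
    return size


def brute_force_bits(pw):
    """log2 of the brute-force search space: length * log2(alphabet)."""
    size = alphabet_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def normalize(pw):
    """Lowercase, peel off a trailing digit/symbol suffix and undo leet.
    Returns (core letters, suffix, number of substituted positions)."""
    lowered = pw.lower()
    core = lowered.rstrip(string.digits + string.punctuation)
    suffix = lowered[len(core):]
    n_leet = sum(1 for c in core if c in LEET)
    core = "".join(LEET.get(c, c) for c in core)
    return core, suffix, n_leet


def segment(core):
    """Split a run of letters into the fewest dictionary words, or None if it
    cannot be done. Fewest words is the attacker-favourable reading, so the
    resulting estimate is conservative."""
    best = [None] * (len(core) + 1)
    best[0] = []
    for i in range(1, len(core) + 1):
        for j in range(i):
            if best[j] is not None and core[j:i] in WORDLIST:
                cand = best[j] + [core[j:i]]
                if best[i] is None or len(cand) < len(best[i]):
                    best[i] = cand
    return best[len(core)]


def dictionary_bits(pw):
    """Search space under a dictionary attack with mangling rules, or None when
    the password does not decompose into known words."""
    core, suffix, n_leet = normalize(pw)
    words = segment(core) if core.isalpha() else None
    if not words:
        return None
    bits = len(words) * math.log2(ASSUMED_DICT_SIZE)    # which words
    bits += n_leet                                      # plain or substituted, per position
    bits += 1 if any(c.isupper() for c in pw) else 0    # one common capitalisation pattern
    bits += len(suffix) * math.log2(10 + len(SYMBOLS))  # each trailing digit or symbol
    return bits


def guess_bits(pw):
    """The attacker picks the cheaper model, so the estimate is the minimum."""
    brute = brute_force_bits(pw)
    dic = dictionary_bits(pw)
    return brute if dic is None else min(brute, dic)


if __name__ == "__main__":
    for pw in ["P4ssw0rd!", "giraffeseatingcarrotsinbed", "xq7!Lm"]:
        dic = dictionary_bits(pw)
        print(f"{pw:28} brute {brute_force_bits(pw):6.1f}  "
              f"dictionary {dic if dic is not None else float('nan'):6.1f}  "
              f"effective {guess_bits(pw):6.1f} bits")
```

Under brute force alone the nine-character "P4ssw0rd!" looks respectable (about 59 bits), but once the substitutions are undone it is one dictionary word plus a suffix, about 22 bits. The all-lowercase passphrase scores roughly 66 bits under the dictionary model (five words from the assumed dictionary) and far more under brute force, so it wins comfortably despite using a single character class. The third string does not decompose into words, so the dictionary model returns None and the brute-force figure stands.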
Signing up for a password manager, such as LastPass or 1Password, is also recommended, since it generates and stores a different strong password for every site and removes the need to remember any of them. So is setting up two-factor authentication (2FA) on all your accounts. This adds an extra layer of security on top of your username and password and is available on all major accounts from the likes of Google, Apple, and Microsoft.
Two-factor means that even if someone nabs your username and password, they can't get into your account without an extra code, usually sent to your verified mobile phone. Codes delivered by SMS are the weakest form of this protection, since they can be intercepted by hijacking your phone number; where the service offers it, an authenticator app or a hardware security key is the stronger choice.
NIST has indeed updated its old guidelines to reflect modern-day systems. The 2017 revision, Special Publication 800-63B, drops the requirement for mixed character classes and for periodic password changes, tells systems to accept long passphrases, and asks them to screen new passwords against lists of commonly used and previously breached passwords instead. So spread the good security word to as many people as you can, and stay safe out there.
Technical advisor Paul Grassi, who wrote up the latest NIST guidelines, says Burr shouldn’t feel too bad about regretting his advice in hindsight.
“He wrote a security document that held up for 10 to 15 years,” Grassi told the WSJ. “I only hope to be able to have a document hold up that long.”