If you’ve been using the internet since at least the mid-2000s, you’ve probably noticed a slow and inexorable change occur on almost all websites that ask for a password. Where once you could make your password anything you want, over time websites began to demand that you add capitalized letters, numbers, and symbols.
As frustrating as it may be, it seems to make sense. These websites want you to make a password that is more sophisticated, and thus more difficult to hack. The only problem, is that much of the advice we’ve been given on password security over the past decade is just plain wrong. But don’t take my word for it. Take it from Bill Burr, the guy who first introduced the idea that our passwords should have these characters.
Bill Burr worked for the National Institute of Standards and Technology in 2003, where he wrote a guide on password security that has since become the standard by which most websites set up passwords. Now he’s telling people to forget about everything he recommended.
Nearly 15 years ago, Mr Burr wrote guidelines for password security for the US National Institute of Standards and Technology. It included suggestions that passwords should be changed every three months and be made up of a range of different characters.
That document led to stipulations for computer and online accounts that require people to abide by the rules. But he said that they don’t work and people still pick terrible passwords – but now they’re just harder to remember.
“Much of what I did I now regret,” Mr Burr told the Wall Street Journal.
“It just drives people bananas and they don’t pick good passwords no matter what you do.”
The problem wasn’t that this advice was necessarily wrong. If you make a password that’s a random assortment of characters and change it every few months, it’s doubtful that anyone will guess your password. The problem is that it’s incredibly difficult for people to go through that procedure.
So they make passwords that are easy to remember, and incorporate a few numbers and symbols. As an example, a password like “bassfishing,” might be written up as “b@ssf!5h1Ng”. Then when they change their password, they only change it slightly so that again, it’s easy to remember. Unfortunately what’s easy to remember is also very easy for hackers to guess, and since everyone uses this strategy it makes life even easier for hackers.
In other words, his original advice didn’t factor in human nature (or human laziness).
So how can we make a better password? According to Burr, “It’s probably better to do fairly long passwords that are phrases or something like that that you can remember than to try to get people to do lots of funny characters,”
As for why that’s a better way to set up a password, ever since Burr came out with his apology and revised recommendations, there’s been a comic strip floating around the internet that perfectly explains why simple long phrases make better passwords. It shows how Burr’s original advice led us all to adopt passwords that are a pain to remember, but easy to hack.
In a nutshell, a password that is a phrase consisting of a random, nonsensical assortment of words, is many times more difficult for a computer or a human to guess than a password that is just one word, and consists of a random assortment of capitalizations, symbols, and numbers. That’s because in the latter case, it’s not really all that random. The former, which really is random, is also far easier to remember.
So the next time you need to change a password, it would be wise to take this advice. Obviously you’ll still need to incorporate a few numbers and symbols since that’s what most websites these days force you to do, and they’ll probably continue with that policy for a few years. But you can still make lengthy phrase based passwords that will do a far better job of protecting your information online.