Everything you know about passwords is wrong. But then, you probably knew that.
I’ve been harping on the various exercises in futility that is password setting for some time. Most recently, I talked about password patterns — how we all use them, and how they make life easy for would-be crackers. So RoseBud1, RoseBud2, RoseBud3 actually isn’t safe — and neither is RoseBud!1, RoseBud!2, etc.
Even worse, password policies that force employees to change passwords frequently are often the direct cause of password patterns. They force workers to come up with too many passwords, and all but the most obsessive among us are driven to use patterns in order to stay sane.
We certainly aren’t driven to use passwords that are “safer.” Even those password checkers that many sites employ are at least useless and at worse make passwords less secure. They, too, encourage patterns like the random inclusion of an exclamation point. (See “Passwords that kill at Insedia.com)
Well, finally, thanks to a fantastic story by Robert McMillan at the Wall Street Journal this week, frustrated password setters can all feel a bit vindicated. The rules for setting “modern” passwords are all wrong, says the man who wrong the rules about 15 years ago. Bill Burr created them for the National Institute of Standards and Technology, but don’t blame him, either. He was just using the latest research to make some suggestions. Sadly, there was no research.
“Much of what I did I now regret,” Burr told McMillan in a refreshing moment of honesty rarely seen in the tech world.
Burr had very little to go on when the rules were published in 2003, and he never claimed them as gospel. But put rules in front of some managers and you know what you get.
Even though many of the rules were soon regarded as folly — heck the Federal Trade Commission even wrote a post saying that frequent password changes were a bad idea — rules are rules, and many people really like enforcing rules.
So it’s great that NIST has finally changed the rules. They’re much simpler, and more effective. Passwords should be long, NIST says. The longer, the more likely to be unique. And…that’s about it. At least as far as users are concerned. (The password rules put more burden on the authenticator, and less on the user, which is smart. You can read more here.)
So, go change your password to something long like correcthorsebatterystaple (Don’t use THAT. Pick your own four random words. Ok, don’t pick them yourself, find a random word generator to do it. But you get the idea, hopefully.)
As for how often should you change your passwords? Well, I asked a bunch of security pros that question a few years ago, and their answers will probably surprise you.