By: Nick Gambino
You know how most secure websites require a password that includes a special character, a capital letter and a number combination? That password is usually some variation of the password you’ve used on every website and app since the dawn of computers.
Well, it turns out the guy responsible for the idea that numbers and special characters somehow make your password more secure is eating his words.
Bill Burr (no, not the comedian), now retired, was a manager at NIST (the National Institute of Standards and Technology) who recommended this system in 2003, in a document that was then adopted by everyone and his motherboard. In the same document he also suggested that people change their passwords regularly, another recommendation he’s now recanting.
In an interview with The Wall Street Journal, Bill tells us, “Much of what I did I now regret.” Gee, Bill, I wish you would’ve told us a thousand passwords ago, before we landed on Studmuff1n69.
Well, at least they’re doing something about it. NIST has just finalized updated recommendations that are quite different from what you’re used to. First, it’s recommended that you pick a password made up of several random words, instead of a mix of numbers and special characters.
OK, let’s look at practical examples. Instead of “Lady8ug” you might want to consider “bookchainconvertiblehose.” Whereas the first one could be cracked in no time flat, the second is nearly impossible to guess because it follows no predictable pattern and is long. An added benefit of a long random-word passphrase is that it’s fairly easy to remember; it’s actually simpler than remembering capital letters, numbers or special characters.
This has no bearing on attacks that use phishing or keystroke logging, though. If someone gets your password, they have your password whether it’s 8 characters or 800. But it will protect you against dictionary attacks and against automated guessing that keeps trying combinations until it cracks your password.
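To put some numbers behind the “Lady8ug” versus “bookchainconvertiblehose” comparison, here is an added example (not code from the post or from NIST) that generates a random-word passphrase with a cryptographically secure random source and estimates how many bits of guessing work each style of password forces on an attacker. The word list, the 10,000-word dictionary size, the 50 “mangling rules” for the patterned password and the 1e10 guesses-per-second rate are all constructed modelling assumptions; the generator function names are mine.

```python
import math
import secrets

# Constructed sample word list (example code, not from the post). A real
# generator draws from a list of thousands of words; entropy grows with its size.
SAMPLE_WORDS = [
    "book", "chain", "convertible", "hose", "lantern", "meadow", "pixel", "quartz",
    "river", "saddle", "tundra", "velvet", "walnut", "yonder", "zephyr", "anvil",
]


def generate_passphrase(num_words, wordlist=SAMPLE_WORDS, separator=""):
    """Pick num_words words uniformly at random using the secrets module (a CSPRNG),
    never the random module, so the choice is unpredictable to an attacker."""
    return separator.join(secrets.choice(wordlist) for _ in range(num_words))


def passphrase_entropy_bits(num_words, wordlist_size):
    """Entropy of a uniformly chosen passphrase: each word adds log2(list size) bits."""
    return num_words * math.log2(wordlist_size)


def bruteforce_entropy_bits(length, alphabet_size):
    """Naive entropy if every character were an independent uniform choice,
    e.g. 7 characters from the 62 letters and digits."""
    return length * math.log2(alphabet_size)


def pattern_entropy_bits(dictionary_size=10_000, case_variants=2, mangling_rules=50):
    """Rough model of a 'dictionary word + capital + digit substitution' password
    like Lady8ug: the attacker only tries dictionary words times a few rules.
    The counts are modelling assumptions, not measurements."""
    return math.log2(dictionary_size * case_variants * mangling_rules)


def years_to_exhaust(bits, guesses_per_second=1e10):
    """Time to try every possibility at a given guess rate. 1e10/s is an assumed
    offline rate against a fast hash; online guessing is many orders slower."""
    return (2 ** bits) / guesses_per_second / (365 * 24 * 3600)


def main():
    # Compare the post's two styles plus longer passphrases from a 7776-word
    # (diceware-sized) list; the sample list above is far too small for real use.
    cases = {
        "Lady8ug as attacker models it": pattern_entropy_bits(),
        "Lady8ug, pure brute force": bruteforce_entropy_bits(7, 62),
        "4 words from 7776-word list": passphrase_entropy_bits(4, 7776),
        "6 words from 7776-word list": passphrase_entropy_bits(6, 7776),
        "4 words from SAMPLE_WORDS": passphrase_entropy_bits(4, len(SAMPLE_WORDS)),
    }
    for label, bits in cases.items():
        print(f"{label:32s} {bits:6.1f} bits  ~{years_to_exhaust(bits):.2e} years")
    print("example passphrase:", generate_passphrase(4, separator=" "))


if __name__ == "__main__":
    main()
```

The numbers make the post’s caveat concrete: four random words from a large list beat the patterned password by a wide margin, but against an offline attack on a fast, unsalted hash it is the six-word version that is out of reach, and no length helps once the password itself has been phished or keylogged.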
Another recommendation, surprisingly, is to get rid of the practice of continually changing your password. It’s recommended that you only do this if there’s been a breach of some kind where passwords and data may have been compromised. It’s suggested that forced periodic changes are actually a bad security practice.
They also, smartly, recommend that passwords be compared against a list of known breached passwords. This is obviously something companies should absolutely do, but if individual users can get their hands on such a list to check against, that’s good too.
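Here is what that breached-password comparison looks like on the service side, as an added example that is not code from the post or from NIST. The breach dump is a constructed handful of entries standing in for the hundreds of millions a real list holds; the list is stored as SHA-1 digests used purely as lookup keys (not as password storage), and the 8-character minimum is the floor NIST SP 800-63B sets for user-chosen passwords.

```python
import hashlib

# Constructed sample "known breached" list (example data, not a real dump).
CONSTRUCTED_BREACH_DUMP = [
    "password", "123456", "Lady8ug", "Studmuff1n69", "qwerty", "letmein",
]


def sha1_hex(password):
    """Digest used only as a set key so the service never keeps the plaintext
    breached passwords around; this is not how passwords should be stored."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_blocklist(plaintexts):
    """Hash every entry once at load time; lookups are then O(1) set membership."""
    return {sha1_hex(p) for p in plaintexts}


BLOCKLIST = build_blocklist(CONSTRUCTED_BREACH_DUMP)


def is_breached(password, blocklist=BLOCKLIST):
    """Exact, case-sensitive match against the hashed breach list."""
    return sha1_hex(password) in blocklist


def evaluate_new_password(password, blocklist=BLOCKLIST, min_length=8):
    """Run the checks a service should apply at sign-up or reset.
    Returns (accepted, reason) so the user can be told why a choice was refused
    and asked to pick another."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    if is_breached(password, blocklist):
        return False, "appears in a list of known breached passwords"
    return True, "accepted"


if __name__ == "__main__":
    for candidate in ["Lady8ug", "Studmuff1n69", "bookchainconvertiblehose"]:
        accepted, reason = evaluate_new_password(candidate)
        print(f"{candidate!r}: {'OK' if accepted else 'rejected'} ({reason})")
```

Two details matter in practice: the match is exact and case-sensitive, because passwords are, so a service that wants to catch near-misses has to generate the variants itself; and the length check runs first, so “Lady8ug” is refused for being seven characters before the breach list is even consulted.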
If you want to read the full NIST document, you can check it out in all its complex and technical glory here.
So, do you plan on changing your password now? Let us know your thoughts down below in the comments section!