Everything You Know About 'Secure' Passwords Is Wrong

Thursday, 10 Aug, 2017

Many companies, including CBC, ask employees to change their passwords at regular intervals, and most websites won't let you sign up without including at least a capital letter and a number in your password.

During the interview, Burr also admitted that he didn't know much about how passwords worked when he created the memo. People often change just one character of their password if the platform allows it, completely defeating the objective of the requirement in the first place. "And, as we all now have so many online accounts, the situation is compounded, so it encourages behaviours such as password reuse across systems". On Tuesday, the memo's original creator, Bill Burr, confessed he regretted much of what he had done.

"We ended up starting from scratch", he said.

He added that the recommendation to change passwords regularly was also wrong, since most users change only one letter or number, which does nothing to hinder attackers. Passphrases built from ordinary words are easy for us to remember but harder for a computer to crack, because of the human factor. Now you'll finally be able to throw away that Post-it note that reminds you what your new password is.

"It turns out neither using a combination of symbols, numbers and letters nor changing passwords periodically can keep your accounts safe from cyber threats".

In 2003, the then-mid-level NIST manager was tasked with the job of setting rules for effective passwords.

All the rules you've ever known about coming up with a password have been thrown out the door. The document soon became the go-to guide on password security. Instead, she said it just made her feel better.

"Those things are pretty predictable and I probably should have anticipated, because that's what I've wound up doing, actually, in some cases", he said with a laugh. "It just doesn't make sense". He had to rely on common sense as much as technical expertise.

Academics who have studied passwords say a series of four words can be harder for attackers to crack than a shorter hodgepodge of unusual characters, since a large number of letters makes guessing harder than a shorter mix of letters, symbols and numbers.

And you're supposed to change it every 90 days. For example, with current technology, experts have suggested that something as simple as "correct horse battery staple", written together as a single word, could take up to 550 years to crack. This can be "harder for hackers to crack than a shorter hodgepodge of unusual characters".
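The arithmetic behind the "550 years" figure, as an added example that is not part of the original article: it estimates the guessing effort for the quoted passphrase under two attacker models and converts it to years at an assumed guess rate. The 2048-word list and the 1,000 guesses per second are assumptions chosen for illustration; the second rate is an assumed offline cracking speed, included to show how much the figure depends on that assumption.

```python
import math

# Constructed illustration: the passphrase quoted in the article, compared
# under two attacker models. All rates and list sizes are assumptions.
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def word_model_bits(num_words: int, wordlist_size: int) -> float:
    """Entropy if the attacker knows the passphrase is num_words words
    drawn uniformly at random from a list of wordlist_size words."""
    return num_words * math.log2(wordlist_size)


def char_model_bits(length: int, alphabet_size: int) -> float:
    """Entropy if the attacker must try every string of the given length
    over an alphabet of alphabet_size symbols (no knowledge of the scheme)."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try the whole keyspace of 2**bits guesses at a constant rate."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


def compare(passphrase: str, wordlist_size: int, guesses_per_second: float) -> dict:
    """Return the entropy under both models and the exhaustive-search time
    under the (weaker) word model, which is the one a prepared attacker uses."""
    words = passphrase.split()
    letters = passphrase.replace(" ", "")  # written "together as a single word"
    word_bits = word_model_bits(len(words), wordlist_size)
    char_bits = char_model_bits(len(letters), 26)  # lowercase letters only
    return {
        "word_model_bits": word_bits,
        "char_model_bits": char_bits,
        "years_word_model": years_to_exhaust(word_bits, guesses_per_second),
    }


if __name__ == "__main__":
    # Assumed: 2048-word list, 1000 guesses/s (a throttled online attack).
    slow = compare("correct horse battery staple", 2048, 1_000)
    print(f"word model: {slow['word_model_bits']:.1f} bits, "
          f"{slow['years_word_model']:.0f} years at 1000 guesses/s")
    print(f"character model: {slow['char_model_bits']:.1f} bits")
    # Assumed: 1e10 guesses/s (offline attack on a fast, unsalted hash).
    fast = compare("correct horse battery staple", 2048, 1e10)
    print(f"same passphrase at 1e10 guesses/s: "
          f"{fast['years_word_model'] * SECONDS_PER_YEAR / 60:.0f} minutes")
```

Four words from a 2048-word list give 44 bits, which at 1,000 guesses per second is roughly 557 years, consistent with the article's figure; the same 44 bits fall to about half an hour at the assumed offline rate, so the defence rests on slow or salted password hashing as much as on the passphrase itself.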