It’s common knowledge that humans are not good at choosing passwords. Longstanding advice is that instead of “password” you should use “…awkward new words rife with obscure characters, capital letters, and numbers—and to change them regularly,” according to Robert McMillan in The Wall Street Journal. The advice now, McMillan reports, is “N3v$r M1^d!”
The preference for complicated, hard-to-remember strings containing obscure characters extends back to 2003, when Bill Burr, a manager at NIST, wrote what McMillan describes as “…a sort of Hammurabi Code of passwords, the go-to guide for federal agencies, universities, and large companies looking for a set of password-setting rules to follow.”
Unfortunately, the advice has turned out to be off the mark and “…actually had a negative impact on usability,” according to NIST adviser Paul Grassi. McMillan quotes Burr, now retired, as saying, “Much of what I did I now regret.” Burr adds, “It just drives people bananas and they don’t pick good passwords no matter what you do.”
Consequently, Grassi led a two-year effort to develop new recommendations.
The result? “Long, easy-to-remember phrases now get the nod over crazy characters, and users should be forced to change passwords only if there is a sign they may have been stolen,” reports McMillan.
As for Burr’s effort, McMillan quotes Grassi as saying, “He wrote a security document that held up for 10 to 15 years. I only hope to be able to have a document hold up that long.”
Look for our September print issue for more on cybersecurity.