Hate having to change your password every 90 days? Forgot again which special character went where and which letter was supposed to be capitalized? Turns out all the things we hate about making passwords secure also make them more vulnerable to hacking. And the man who first penned these password guidelines in 2003 is now saying he wishes he hadn’t.
“Much of what I did I now regret,” said former National Institute of Standards and Technology manager Bill Burr in an interview with the Wall Street Journal.
Burr’s fatal flaw was that he sorely underestimated people’s tendency to get things done with the least effort possible. So when the everyday user is faced with as many annoying and stringent rules as were outlined in Burr’s eight-page document, what else would they do but cut corners with lazy and predictable shortcuts?
For instance, when forced to integrate capitalization, numbers, and special characters into a password, many people simply replace letters in easy-to-guess ways: @ for a, 0 for o, and so on.
And when you’re then forced to update that terrible password every 90 days, how many of us haven’t simply reused the exact same password as before with extra characters added to the end? So you update “Pa55word#123” to “Pa55word#1234” and move on with your day.
Well, NIST took note of just how weak our passwords were becoming as a result of our reaction to these rules and they want to give us some new guidelines that take password security in a different direction.
First, rather than force users to update passwords every 90 days, IT departments are advised to only prompt for password updates when there’s been a known security breach.
Second, the document advocates for much longer passwords that relate to some secret only the user would know. And to promote ease of memorization, users should be given the freedom to put spaces in there as well. So rather than a single word, you’d be better off using a fully-fledged sentence or set of words that has some meaning to you.
Third, the document advises IT departments to do away with character complexity requirements altogether, since they have not been shown to be effective against hacking.
And finally, companies should be transparent and clear about why a user’s chosen password is rejected so they know exactly what they need to do to build a stronger password.
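The four guidelines above translate fairly directly into code. The following is an added example, not code from the article or from NIST: a validator that accepts long passphrases with spaces, imposes no composition rules, explains every rejection, and forces a reset only after a known breach. The 8-character minimum, 64-character maximum, the small deny list, and the "new password merely extends the old one" check are assumptions made for the example.

```python
from datetime import date
from typing import Optional, Tuple
import unicodedata

# Assumed policy parameters (not taken from the article).
MIN_LENGTH = 8
MAX_LENGTH = 64
# Constructed stand-in for a breached/common-password list, stored lowercase.
DENY_LIST = {"password", "pa55word#123", "pa55word#1234", "letmein"}


def check_password(candidate: str, previous: Optional[str] = None) -> Tuple[bool, str]:
    """Return (accepted, reason). Spaces and any printable characters are
    allowed and no character classes are required; every rejection carries a
    plain-language reason the user can act on."""
    # Normalize so the same passphrase typed on different keyboards compares equal.
    pw = unicodedata.normalize("NFKC", candidate)
    if len(pw) < MIN_LENGTH:
        return False, f"too short: at least {MIN_LENGTH} characters required, got {len(pw)}"
    if len(pw) > MAX_LENGTH:
        return False, f"too long: at most {MAX_LENGTH} characters allowed, got {len(pw)}"
    if pw.lower() in DENY_LIST:
        return False, "this password appears in a list of commonly used or breached passwords"
    # Assumed check (previous password is available in plaintext during a
    # change-password flow): reject the "old password plus a few characters" habit.
    if previous:
        old = unicodedata.normalize("NFKC", previous).lower()
        low = pw.lower()
        if low.startswith(old) or low.endswith(old):
            return False, "new password is just the old one with characters added; choose a different passphrase"
    return True, "accepted"


def must_reset(password_set_at: date, breach_at: Optional[date]) -> bool:
    """Force a reset only when a known breach could have exposed the password
    currently in use. Password age on its own never triggers a reset."""
    return breach_at is not None and breach_at >= password_set_at
```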
No organization is required to adopt these new guidelines, but many corporations do as a matter of best practice. So we can all rejoice on the day the shackles come off and we no longer have to live in fear of that “Create password” input box.