You know everyone makes mistakes; however, not many make as far reaching a mistake as Bill Burr. Mr. Burr is the person responsible for the current password guidelines he dispersed and he now says the instruction was wrong.
He authored an eight-page document which was OK’d by the National Institute of Standards and Technology. He also mentioned that, “…the paper wasn’t based on any real-world password data, but rather a paper written in the 1980s.” Unfortunately, the document he wrote went on to become the Holy Grail of industries around the world. It made it so that all businesses, governments, etc. updated their password policies to coincide with this new information.
You know the spiel if you are in the workforce today. You should have capital letters, lowercase letters, numbers, symbols, nothing related to your date of birth, children’s names, pets’ names and maybe a few more. And the one that made me the craziest, you must change your password every 90 days and cannot repeat one within a certain time period.
In a recent interview with The Wall Street Journal, Burr was quoted as saying, “Much of what I did I now regret.” It went on to say that none of these actually make your passwords that secure. Especially the, “change it every 90 days” rule. It was determined in a 2010 study at the University of North Carolina, Chapel Hill that updating passwords regularly can actually help hackers identify a pattern. (You know you do it, changing just the last letter, number or symbol of a password you have used for years.) I read another article stating that if you have never been hacked or noticed any strange happenings regarding your password you should never change one.
Guess what the new rules state? A better solution is to create a password with four random words. If you are allowed to do so you should include spaces. This combo is supposedly harder to crack than the old revered password stylings. You can even capitalize or use punctuation if you wish. However, the length of the password is what discourages the hackers, not the combination of letters, numbers and/or symbols. The old rule of thumb about being at least eight characters long seems to be weak too.
So, my new passwords may be something like, “IscoffeeanElephantoraTomato?” or “Is coffee an Elephant or a Tomato?”
I do have a couple of thoughts/concerns regarding the past guidelines…which we have found out could be bogus. “They” always said not to use any word in the dictionary, as this was how hackers started with their hacks. However, now it appears that commonly known words are OK. Huh? Who said that they should not be used the first time and where was their research documentation? Is that one true or false?
All I know is that I hope where I work will quickly change the 90-day period between changes – life would be so much easier.