If you’ve ever wracked your brain trying to think up a password with the requisite mix of numbers, exclamation marks and other special characters, we’ve got news for you:
You’re doing it wrong.
Mind you, it’s not your fault. Security best-practice guidelines going back more than a decade have recommended resetting passwords every 90 days and creating cryptic strings of characters, rather than easy-to-remember words, as the ideal password strategy.
But according to a report in the Wall Street Journal on Monday, the person responsible for this has had a change of mind.
“Much of what I did I now regret,” Bill Burr, the 72-year-old author of the annoyingly familiar password rules, told The Wall Street Journal.
Burr’s guidelines — first published in 2003 — suggested that to optimise security, passwords must be reset every 90 days, and contain a mix of an uppercase letter, number, and special character. Most passwords, by necessity, look something like this: Password1!.
Burr told the Journal that most people make the same, predictable changes — such as switching from a 1 to a 2 — which makes it easy for hackers to guess.
Now the National Institute of Standards and Technology has set new guidelines. Passwords should be long and easy-to-remember, and only need to be changed when there is sign of a breach. Long pass phrases work better because they can be super long and still easy to memorise.
While Burr’s candor is refreshing — considering all of the frustrating password reset emails he’s inadvertently responsible for — he’s not the first person to discredit the 2003 guidelines.
Last August, the Federal Trade Commission’s chief technologist, Lorrie Cranor, busted the myth, telling a security conference essentially the same thing: periodic changes make passwords less secure.
Long live the universal password!