According to those online calendars with daily “holiday” listings — Sandwich Day, Love Your Red Hair Day, etc. — today is Computer Security Day. Since computers are vital organizing tools for so many of us, this specific holiday caught my attention.
While I can’t find any computer security organizations promoting this event, I did read this advice on daysoftheyear.com:
One very important thing to do for your online security is to have strong passwords and keep them updated regularly, as this reduces the chances of your personal data falling into the wrong hands. ….
One strategy is to mix upper and lowercase letters with symbols, as this can be harder to guess and also difficult to hack – and passwords increase in difficulty the longer they are. … And don’t use the same password over and over for every online account you have – this ensures that if someone manages to get into one of your accounts, then they can access all of your accounts. Bad idea. So make strong passwords, don’t recycle them, and update them regularly.
However, expert advice on passwords has changed over time — and part of this advice is now dated. As Katie Reilly wrote in Fortune, “The man responsible for the widespread requirement that passwords include letters, numbers and special characters is now walking back that advice.”
Bill Burr came up with those guidelines in 2003, while working at the National Institute of Standards and Technology. As Robert McMillen wrote in The Wall Street Journal, Burr said, “Much of what I did I now regret.”
Jo Craven McGinty explained the problem in another Wall Street Journal article:
The rule makers didn’t anticipate how people would apply the guidelines when they invented passwords.
If forced to include a number in a password, they tended to tack a “1” onto the end.
If compelled to use a special character, they were inclined to use substitutions like “$” for “s” or “@” for “a.”
If obliged to throw in an uppercase letter, they might lead with it, as if the password were a proper noun.
In short, they were predictable.
Predictable patterns lead to insecure passwords, since hackers know all the patterns. So now the advice has changed, quite radically. The NIST released its new report this past June, with very different recommendations for those creating sites or systems with passwords. They should:
- Allow passwords as long as 64 characters, with a minimum length of 8 characters for user-selected passwords
- Allow any combination of characters, with no requirement for upper and lower case letters, numerals, or special characters.
- Disallow easily compromised passwords: a single dictionary word, repeating characters (such as aaaaa), sequences (such as 1234abcd), etc.
- Stop requiring passwords to be changed periodically. Only require a change if there has been a security breach.
Now, you probably use sites with password rules that violate these guidelines, and there’s not much you can do about that. If the site requires your password to have at least one letter, one number, and one special character, you’ll have to comply — and, for security’s sake, try not to follow the patterns noted above. And many sites don’t accommodate passwords over 8-15 characters.
But when you have the option, it’s wise to choose a long password — especially if you’re protecting your finances, your email, or critical information of any sort. That password might well be a phrase that’s meaningful to you and no one else, which makes it fairly easy to remember.
“I eat applesauce and pancakes every night in April” is easier to remember than “2zdfY9?bky.” (No, I don’t really eat like that. It’s just an example of a silly phrase that I’d have no problem remembering.)