Thoughts about passwords on Computer Security Day

According to those online calendars with daily “holiday” listings — Sandwich Day, Love Your Red Hair Day, etc. — today is Computer Security Day. Since computers are vital organizing tools for so many of us, this specific holiday caught my attention.

While I can’t find any computer security organizations promoting this event, I did read this advice on daysoftheyear.com:

One very important thing to do for your online security is to have strong passwords and keep them updated regularly, as this reduces the chances of your personal data falling into the wrong hands. ….

One strategy is to mix upper and lowercase letters with symbols, as this can be harder to guess and also difficult to hack – and passwords increase in difficulty the longer they are. … And don’t use the same password over and over for every online account you have – this ensures that if someone manages to get into one of your accounts, then they can access all of your accounts. Bad idea. So make strong passwords, don’t recycle them, and update them regularly.

However, expert advice on passwords has changed over time — and part of this advice is now dated. As Katie Reilly wrote in Fortune, “The man responsible for the widespread requirement that passwords include letters, numbers and special characters is now walking back that advice.”

Bill Burr came up with those guidelines in 2003, while working at the National Institute of Standards and Technology. As Robert McMillen wrote in The Wall Street Journal, Burr said, “Much of what I did I now regret.”

Jo Craven McGinty explained the problem in another Wall Street Journal article:

The rule makers didn’t anticipate how people would apply the guidelines when they invented passwords.

If forced to include a number in a password, they tended to tack a “1” onto the end.

If compelled to use a special character, they were inclined to use substitutions like “$” for “s” or “@” for “a.”

If obliged to throw in an uppercase letter, they might lead with it, as if the password were a proper noun.

In short, they were predictable.

Predictable patterns lead to insecure passwords, since hackers know all the patterns. So now the advice has changed, quite radically. The NIST released its new report this past June, with very different recommendations for those creating sites or systems with passwords. They should:

  • Allow passwords as long as 64 characters, with a minimum length of 8 characters for user-selected passwords
  • Allow any combination of characters, with no requirement for upper and lower case letters, numerals, or special characters.
  • Disallow easily compromised passwords: a single dictionary word, repeating characters (such as aaaaa), sequences (such as 1234abcd), etc.
  • Stop requiring passwords to be changed periodically. Only require a change if there has been a security breach.

Now, you probably use sites with password rules that violate these guidelines, and there’s not much you can do about that. If the site requires your password to have at least one letter, one number, and one special character, you’ll have to comply — and, for security’s sake, try not to follow the patterns noted above. And many sites don’t accommodate passwords over 8-15 characters.

But when you have the option, it’s wise to choose a long password — especially if you’re protecting your finances, your email, or critical information of any sort. That password might well be a phrase that’s meaningful to you and no one else, which makes it fairly easy to remember.

“I eat applesauce and pancakes every night in April” is easier to remember than “2zdfY9?bky.” (No, I don’t really eat like that. It’s just an example of a silly phrase that I’d have no problem remembering.)

For more suggestions about organized approaches to passwords and password management tools, you can read our articles from May 2017 and April 2014.

4 Comments for “Thoughts about passwords on Computer Security Day”

  1. posted by Ebbe Kristensen on

    The advice you really should have given is this:

    Use a password manager!

    See for instance this article:
    https://www.nytimes.com/2017/06/21/technology/personaltech/tech-security-experts-use.html

  2. posted by Elaine on

    Worrying about password hacks is overrated.

  3. posted by Jeri Dansky on

    Ebbe, I agree about password managers! If you click through to those prior Unclutterer articles you’ll see I have indeed recommended using a password manager in the past. But not everyone will want to go that route. And even those who do may want easy-to-remember passwords for the sites they log into all the time.

Leave a Comment