How many passwords would you guess you have? In 2007, the average was 17. It’s estimated that by 2020 we will have 207 unique logins… each!* As cybersecurity continues to be a growing concern, more password rules have been created. But, one of the men responsible for all those rules is telling us he was wrong.
Password rules started with alphanumerics, then added capitals, then special symbols. Instead of words you can remember, we were told that random sequences of all these characters are the safest bet. While those complex passwords do make it more difficult to hack, they also make it more difficult to remember. So, what do we do? We write them all down. But that just makes them readily available to anybody who finds your cheat sheet!
The gentleman tasked with establishing the standards for “strong” passwords, Bill Burr, has recently stated that he regrets the rules he created.
An article on MSN tells the story:
In 2003, the then-mid-level NIST manager was tasked with the job of setting rules for effective passwords. Without much to go on, he sourced a whitepaper written in the 1980s. The rules his agency published ended up becoming the go-to guides for major institutions and large companies.
The result is that people create odd-looking passwords and then have to write them down, which is of course less secure than something you can memorize. Users also lean on common substitutions, like “zeroes” for the letter O, which a smart hacker could program their password cracker to look for. Or they pick one “base” password that they can memorize and only change a single number. That’s also not as safe.
“It just drives people bananas and they don’t pick good passwords no matter what you do,” Burr said.
The new password guidelines are both easier to remember and harder to guess. The NIST’s revised tips say users should pick a string of simple English words — and only be forced to change them if there’s been evidence of a security break-in.
Not only did the old password format frustrate users, it wasn’t even the best way to keep hackers at bay.
For instance, “Tr0ub4dor&3” could take just three days to crack, according to one viral comic whose assertions have been verified by security researchers, while “CorrectHorseBatteryStaple” could take 550 years.
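The arithmetic behind that comparison, as an added example (it is not code from this article, from MSN or from NIST): the script below sums the per-component entropy estimates the cited comic uses for “Tr0ub4dor&3” (about 28 bits) and for four words drawn from a 2,048-word list (44 bits), converts each to a crack time at the comic’s assumed 1,000 guesses per second, and then applies a minimal acceptance check in the spirit of the revised advice: a length floor plus a blocklist, with the common substitutions undone first, instead of composition rules. The offline guess rate, the word list and the blocklist are constructed for the demonstration and are labelled as such in the code.

```python
"""Entropy arithmetic for "Tr0ub4dor&3" vs "CorrectHorseBatteryStaple",
plus a minimal NIST-style acceptance check (length + blocklist, no
composition rules).

Added example for this article; not the article's, MSN's or NIST's code.
Assumptions: the per-component estimates follow the xkcd 936 model the
article cites (about 28 bits for Tr0ub4dor&3, 44 bits for four words from a
2,048-word list, at 1,000 guesses per second); the offline guess rate, the
word list and the blocklist are constructed for the demo.
"""
import math
import secrets

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365 * SECONDS_PER_DAY

# Guess rate the comic assumes: a throttled online login attack.
ONLINE_GUESSES_PER_SEC = 1_000
# Constructed rate for an offline attack on a leaked fast-hash database
# (illustrative assumption, not a measurement).
OFFLINE_GUESSES_PER_SEC = 10_000_000_000

# The comic's breakdown of "Tr0ub4dor&3": a dictionary word with a few
# predictable tweaks adds only a handful of bits over the word itself.
TROUBADOR_BITS = {
    "uncommon base word": 16,
    "capitalised first letter": 1,
    "common substitutions (0 for o, 4 for a)": 3,
    "appended numeral": 3,
    "appended punctuation": 4,
    "order of numeral and punctuation": 1,
}


def pattern_bits(components: dict) -> int:
    """Total entropy of a password built from independent choices."""
    return sum(components.values())


def passphrase_bits(word_count: int, wordlist_size: int) -> float:
    """Entropy of word_count words drawn uniformly from a list."""
    return word_count * math.log2(wordlist_size)


def crack_seconds(entropy_bits: float, guesses_per_sec: float) -> float:
    """Time to exhaust the whole space at a fixed guess rate (the comic's
    worst-case figure; the average hit comes at half of this)."""
    return 2.0 ** entropy_bits / guesses_per_sec


def human_duration(seconds: float) -> str:
    if seconds < 60:
        return f"{seconds:.3f} seconds"
    if seconds < SECONDS_PER_DAY:
        return f"{seconds / 3600:.1f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / SECONDS_PER_DAY:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:,.0f} years"


def compare(entropy_bits: float) -> dict:
    """Crack time for one entropy figure at both guess rates."""
    return {
        "online": human_duration(crack_seconds(entropy_bits, ONLINE_GUESSES_PER_SEC)),
        "offline": human_duration(crack_seconds(entropy_bits, OFFLINE_GUESSES_PER_SEC)),
    }


# Constructed stand-in for a 2,048-word list; only its size matters for the
# entropy figure. A real deployment uses a published diceware-style list.
WORDLIST = [f"word{i:04d}" for i in range(2048)]


def generate_passphrase(wordlist=WORDLIST, word_count: int = 4) -> str:
    """Uniformly random words: the CorrectHorseBatteryStaple recipe."""
    return " ".join(secrets.choice(wordlist) for _ in range(word_count))


# NIST-style acceptance check: length floor + blocklist, no composition rules.
# Undo the substitutions the article says crackers look for, so "Tr0ub4dor"
# is recognised as the dictionary word it is built from.
LEET = str.maketrans("0134$@!", "oleasai")
# Constructed blocklist; deploy against a real breach/common-password corpus.
BLOCKLIST = {"password", "troubador", "letmein", "qwerty", "123456"}


def nist_style_check(password: str, blocklist=BLOCKLIST, min_len: int = 8) -> tuple:
    if len(password) < min_len:
        return False, f"shorter than {min_len} characters"
    normalised = password.lower().translate(LEET)
    for blocked in blocklist:
        if blocked in normalised:
            return False, f"contains blocked word '{blocked}' once substitutions are undone"
    return True, "accepted"


if __name__ == "__main__":
    print("Tr0ub4dor&3:", pattern_bits(TROUBADOR_BITS), "bits", compare(pattern_bits(TROUBADOR_BITS)))
    print("four-word passphrase:", passphrase_bits(4, 2048), "bits", compare(passphrase_bits(4, 2048)))
    print("sample passphrase:", generate_passphrase())
    for pw in ("Tr0ub4dor&3", "CorrectHorseBatteryStaple"):
        print(pw, nist_style_check(pw))
```

Running it reproduces the article’s figures (about 3 days and about 558 years) only at the throttled online rate; at the constructed offline rate both passwords fall in under an hour, which is why the blocklist, rate limiting and slow server-side hashing do more for a network than composition rules ever did.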
Your network’s greatest vulnerability is the people who use it. Consider implementing a new password strategy with your team to prevent them from writing their access information down. If you’re concerned about your data security, contact Great Lakes Computer Corporation. We offer a host of security services to protect your business from data loss and theft.
* Statistic here.