Forget Your Passwords! You’re Doing it Wrong!

Password Strength

Every time you create a password, you must make it as difficult as possible, right? Well, it turns out the guy responsible for that rule now says he was wrong.

All of you have done it: trying to come up with hard-to-remember passwords stuffed with those tedious special characters. Bill Burr, a former manager at the National Institute of Standards and Technology (NIST), admits he was wrong. An eight-page white paper from 2003 signed by Mr. Burr, “NIST Special Publication 800-63, Appendix A”, is the root of it all. In it, Bill wrote down the requirements for using upper- and lower-case letters, numbers and special characters that you are all familiar with.

“Much of what I did I now regret,” Bill Burr told The Wall Street Journal recently, admitting that his research into passwords mostly came from a white paper written in the 1980s, well before the web was even invented. “In the end, [the list of guidelines] was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree.”

It turns out Bill Burr wasn’t a security expert. However, his rules did hold up against human attackers trying to guess passwords by hand. Unfortunately for the rest of us, it is bots and AIs, not humans, doing the guesswork today. Because of this, what matters is not so much which characters you use in your password as how long it is. You see, cracking an eight-character password takes a computer about the same time whether it is an eight-letter word or a mix of letters and special characters.

Long passwords are the way to go! The good news for us humans is that what takes a computer thousands of years to break can be really easy for a human to remember. You just have to come up with a sentence that only you know. Take, for example, “theblueelephanttakesashower”. Complete nonsense, yet quite easy to remember, right?
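To put numbers on the length-versus-character-set argument, here is an added example (not from the original article) that estimates the search space of a few constructed passwords under two attacker models: a blind brute force over the character classes actually used, and an attacker who already knows the passphrase is built from common dictionary words. The guess rate of ten billion per second and the 10,000-word dictionary are assumed figures for illustration.

```python
import math
import string

# Character pools a blind brute-force attacker has to cover (standard ASCII classes).
POOLS = (
    set(string.ascii_lowercase),  # 26
    set(string.ascii_uppercase),  # 26
    set(string.digits),           # 10
    set(string.punctuation),      # 32
)


def charset_size(password: str) -> int:
    """Sum of the sizes of every standard pool the password draws at least one character from."""
    chars = set(password)
    return sum(len(pool) for pool in POOLS if chars & pool)


def brute_force_bits(password: str) -> float:
    """log2 of the search space for a character-by-character brute force: length * log2(charset)."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def passphrase_bits(word_count: int, dictionary_size: int) -> float:
    """Bits of guessing work when the attacker knows the phrase is words from a known dictionary."""
    return word_count * math.log2(dictionary_size)


def years_to_crack(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected time to hit the password (half the search space) at an assumed guess rate."""
    expected_guesses = 2 ** bits / 2
    return expected_guesses / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    # Constructed sample passwords: a short "complex" one versus the article's long plain sentence.
    for pw in ("P@ssw0rd", "theblueelephanttakesashower"):
        bits = brute_force_bits(pw)
        print(f"{pw:30} len={len(pw):2} charset={charset_size(pw):3} "
              f"bits={bits:6.1f} years={years_to_crack(bits):.3g}")
    # Worst case for the sentence: attacker knows it is 6 words from a 10,000-word list.
    pb = passphrase_bits(6, 10_000)
    print(f"6 dictionary words (known list)  bits={pb:6.1f} years={years_to_crack(pb):.3g}")
```

Even in the pessimistic dictionary model the six-word sentence stays well above the eight-character "complex" password, which is the point the article makes with length.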

xkcd sums it up brilliantly in the following comic:

Password Strength
By courtesy of xkcd