Creator of the rules for passwords admits wrong guidance

Everything you’ve ever been told about creating strong passwords is wrong


For years we've been encouraged to dream up weak passwords that are easy for machines to crack, concedes the man who wrote the book on creating passwords. "Much of what I did I now regret," he says. The guidelines were published in a NIST document titled "Special Publication 800-63, Appendix A"; they included suggestions such as changing your password every 90 days and using a variety of characters.

The new guidelines state that a long, easy-to-remember phrase is more effective than a shorter password with unusual characters.

Paul Grassi, an NIST standards-and-technology adviser, has rewritten the guidelines on how to create a safe password. Password generators can create customized, secure passwords that are harder to crack, but who has the time (or mental capacity) to remember a 16-character string of what seems like gibberish?

NIST has rewritten the guidelines, scrapping the special-character advice in favour of recommending that people use long phrases they can easily remember but which still can't easily be guessed by algorithms.

Believe it or not, based on a study of leaked data, most people still use simple passwords like "123456", "qwerty", and even "password". The original paper also recommended a corporate policy forcing users to reset their passwords every 90 days.

There is little doubt that getting people to secure their accounts with unique, private logins is a good move, but long and complicated passwords often do not help matters. For starters, the new rules don't require password changes unless there is an indication that an account has been illegitimately accessed or a password has been stolen.

For example, a user inclined to choose "password" might well choose "Password1" if required to include a number and uppercase letter.

Bill Burr was working for the US government when he came up with guidelines in 2003.

Gerhard also suggests that people use password management software, such as that built into Apple and Google phones. You know, the one that says, "Your password is about to expire". He had asked NIST's computer security experts for passwords as a case study, but they did not comply. Hackers are not only aware of the subtle tweaks, they have them built into their cracking scripts, as with numbers that appear in the middle of words in a password.
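To make the contrast concrete, here is an added example (not code from the article, NIST, or any of the people quoted) of a password-acceptance check in the spirit of the rewritten guidance: no composition rules, a minimum length (the 8-character figure is the one SP 800-63B uses for user-chosen secrets), and a check against a list of known-breached passwords, including trivial variants of them such as "Password1". The `COMMON_PASSWORDS` list is a constructed sample standing in for a real breached-password corpus, the tweak-reversal in `normalize` is a simplified assumption about the kinds of substitutions the article says cracking scripts already account for, and `legacy_policy_accepts` is a hypothetical stand-in for the old "upper, lower, digit" rule.

```python
import math
import re

# Constructed stand-in for a breached-password list (a real deployment would
# load a large corpus such as a leaked-credential dump, not this handful).
COMMON_PASSWORDS = {"123456", "qwerty", "password", "letmein", "iloveyou"}

# Assumed character substitutions users make to satisfy composition rules.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(password: str) -> str:
    """Strip the cheap tweaks (case, leading/trailing digits and symbols,
    letter-for-symbol swaps) so 'P@ssw0rd!' collapses back to 'password'."""
    core = password.lower()
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", core)   # drop edge digits/symbols
    return core.translate(LEET_MAP)                   # undo leet substitutions


def legacy_policy_accepts(password: str) -> bool:
    """Hypothetical old-style rule: 8+ chars with upper, lower and a digit."""
    return (len(password) >= 8
            and bool(re.search(r"[A-Z]", password))
            and bool(re.search(r"[a-z]", password))
            and bool(re.search(r"[0-9]", password)))


def evaluate(password: str) -> dict:
    """Check a candidate the way the rewritten guidance suggests:
    length and a breached-list lookup, no character-class requirements."""
    reasons = []
    if len(password) < 8:
        reasons.append("shorter than 8 characters")
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("appears in breached-password list")
    elif normalize(password) in COMMON_PASSWORDS:
        reasons.append("is a trivial variant of a breached password")
    return {"ok": not reasons, "reasons": reasons}


def random_bits(choices: int, length: int) -> float:
    """Bits of entropy for `length` symbols each drawn uniformly from
    `choices` options; works for characters and for words alike."""
    return length * math.log2(choices)


if __name__ == "__main__":
    for candidate in ["Password1", "P@ssw0rd!", "correct horse battery staple"]:
        print(f"{candidate!r}: legacy={legacy_policy_accepts(candidate)} "
              f"new={evaluate(candidate)}")
    # 8 random printable ASCII chars vs a 5-word phrase from a 7776-word list
    print("8 random chars:", round(random_bits(95, 8), 1), "bits")
    print("5 random words:", round(random_bits(7776, 5), 1), "bits")
```

Running it shows the point of the article: "Password1" and "P@ssw0rd!" pass the legacy composition rule but fail the breached-list check once their tweaks are undone, while a four-word phrase fails the legacy rule (no digit, no uppercase) yet is accepted by the new check. The entropy figures only hold when the symbols are actually chosen at random, which users rarely do for characters; the passphrase approach makes random choice practical because a handful of words is memorable.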

Fisk said if you don't have a strong password that's OK because Google is actively checking to make sure you are who you say you are.
