Now that we can carry out our most important tasks online — pay bills, make medical appointments, file taxes — it is vital that we take every measure to keep our information out of the wrong hands. Much of this hinges on creating strong usernames and passwords. We’ve been told for many years that long, nonsensical passwords are the hardest to crack. Unfortunately, this isn’t actually true. Find out why, and how you can better protect yourself going forward.
The Origin of the Crazy Password
“You must include at least one uppercase letter, one lowercase letter, one number, and one special character.” Have you ever wondered about these password directives and how they came to be? So does the guy who created them. Bill Burr, a retired former manager at the National Institute of Standards and Technology (NIST), recently told the media that he really didn’t know what he was doing when he wrote and published NIST Special Publication 800-63, Appendix A, which was essentially the go-to guide on creating safe passwords back in 2003.
Burr says, “Much of what I did I now regret,” and admitted that, when asked to create the guide, he had no empirical data from which to draw and based the majority of the guidelines on a white paper written in the 1980s about creating real-world passwords, not digital ones.
So…What Now?
The real travesty here is not that these arbitrary password guidelines have spawned impossible-to-remember passwords, but that such passwords are not actually very secure. Recently, cartoonist Randall Munroe did the math and figured out that it would take just three days for a hacker to crack a password built under Burr’s rules. Security experts checked his work and verified he got it right. Conversely, a hacker would need 550 years to suss out a password that strings random words together, such as “lawyers are the smartest.” So, should you go change your passwords to a string of words you can easily remember but that are not obvious to anyone else? Only if you don’t want to be hacked!
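The arithmetic behind those two figures, as an added example (not code from the article, from NIST or from Munroe): it assumes Munroe's guess rate of 1,000 guesses per second, his estimate of 28 bits for a rules-style password and 44 bits for four words drawn at random from a 2,048-word list. The component table and the 16-word demo list are constructed for this example.

```python
import math
import secrets

# Assumed guess rate, the one Munroe's comparison uses: 1,000 guesses per
# second, roughly what a remote login service will let an attacker attempt.
# The "three days" and "550 years" figures follow from this rate.
GUESSES_PER_SECOND = 1_000

# Entropy budget for a "rules-style" password such as "Tr0ub4dor&3", as
# constructed from Munroe's comic: each entry is the number of bits an
# attacker still has to guess once the overall pattern is known.
RULES_STYLE_COMPONENTS = {
    "uncommon base word": 16,
    "capitalisation of the first letter": 1,
    "common letter substitutions (0 for o, 4 for a)": 3,
    "appended digit": 3,
    "appended punctuation": 4,
    "order of digit and punctuation": 1,
}


def bits_from_components(components):
    """Independent choices add: total entropy is the sum of the parts."""
    return sum(components.values())


def passphrase_bits(num_words, wordlist_size):
    """Entropy of num_words words chosen uniformly at random from a list."""
    return num_words * math.log2(wordlist_size)


def seconds_to_search(bits, rate=GUESSES_PER_SECOND):
    """Time to try every candidate in a space of 2**bits at rate guesses/s."""
    return 2 ** bits / rate


def to_days(seconds):
    return seconds / 86_400


def to_years(seconds):
    return seconds / (365.25 * 86_400)


def speedup_factor(stronger_bits, weaker_bits):
    """How many times more work the stronger password costs; rate-independent."""
    return 2 ** (stronger_bits - weaker_bits)


def generate_passphrase(wordlist, num_words=4):
    """Draw words with the OS CSPRNG (secrets, not random) so the entropy
    estimate actually holds: the words must be chosen, not thought up."""
    return " ".join(secrets.choice(wordlist) for _ in range(num_words))


if __name__ == "__main__":
    rules_bits = bits_from_components(RULES_STYLE_COMPONENTS)   # 28 bits
    phrase_bits = passphrase_bits(4, 2048)                       # 44 bits
    print(f"rules-style password: {rules_bits} bits, "
          f"{to_days(seconds_to_search(rules_bits)):.1f} days to exhaust")
    print(f"four random words:    {phrase_bits:.0f} bits, "
          f"{to_years(seconds_to_search(phrase_bits)):.0f} years to exhaust")
    print(f"the passphrase costs {speedup_factor(phrase_bits, rules_bits):.0f}x "
          f"more guesses, whatever the guess rate")
    # Constructed 16-word list so the demo runs offline; a real list such as
    # the EFF long wordlist has 7,776 entries, about 12.9 bits per word.
    demo_words = ["apple", "river", "candle", "orbit", "velvet", "meadow",
                  "pixel", "harbor", "lantern", "quartz", "saddle", "timber",
                  "walnut", "yonder", "zephyr", "marble"]
    print(generate_passphrase(demo_words),
          f"({passphrase_bits(4, len(demo_words)):.0f} bits from this small list)")
```

The guess rate is the assumption to watch: against a stolen password database an attacker is not limited to a login form and can test billions of guesses per second, so both absolute times shrink dramatically. The 65,536-fold gap between the two schemes does not depend on the rate, and it only holds when the words are drawn at random from a list rather than chosen because they make a memorable sentence.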