Even though it's a necessary evil, it's pretty annoying when your IT department tells you to change your password every month, and that it still needs a balance of upper and lower case letters, numbers, and special characters. Yet it turns out we may have been putting ourselves through hell for absolutely no reason.
You had one job, Bill. Image courtesy: Reuters
Bill Burr, a manager at the National Institute of Standards and Technology (NIST), was the guy who wrote the basic ruleset for passwords in 2003. Yes, he's the reason you need to tax your brain to think of new passwords that are complex but still memorable to you. In fact, he was also the one who recommended they be changed regularly. Now, 72-year-old Burr says he may have been wrong all along, telling The Wall Street Journal, "Much of what I did I now regret." Yeah, thanks a lot, Bill.
It turns out that insisting people change their password every so often was a bad idea. Burr says most people only make minor changes in order to ensure they don't forget it, like changing Y0uSh@llN0tP@ss to Y0uSh@llN0tP@ss!. In addition, NIST says the rule that people use a handful of special characters didn't help either: predictable substitutions such as @ for a and 0 for o, or a symbol tacked onto the end, are exactly the patterns password-cracking tools try first. Taken together, the two requirements hampered password security more than they helped.
Should we go back to doing this then?
Thankfully, there's some good news here too. NIST's password guidelines have just received a thorough rewrite from a team at the Institute, a job that took two years to complete. The team said they went into the project expecting to make light revisions, and instead had to rewrite the document from scratch.
The new guidelines are already being distributed across the world, with a few prominent changes. For one thing, the experts now agree that long, easy-to-remember phrases are much more secure than short, complex combinations of letters, numbers, and symbols. Another big change is the suggestion to do away with expiring passwords. Instead, users should only be forced to reset their password when there is evidence of a breach or compromise.
Of course, the one recommendation that stays the same is to refrain from using passwords that are commonly used (we're looking at you, 'password' and '12345' users) or which have already been compromised. The full set of new guidelines is in NIST's draft document.
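To make the shift concrete, here is an added example (written for this article, not code from NIST or from the guidelines themselves) that puts the old composition rule side by side with a check in the spirit of the revised guidance: enforce a length range, drop the character-class requirements, and reject anything that appears on a list of common or compromised passwords. The blocklist is a tiny constructed sample standing in for a real breached-password corpus, and the "trivial variant of the previous password" check is this example's own addition, motivated by the Y0uSh@llN0tP@ss! story above rather than required by the guidelines.

```python
import re
import unicodedata
from typing import Optional, Tuple

# Constructed sample blocklist. A real deployment would load a large list of
# commonly used and breached passwords instead of these few entries.
COMMON_PASSWORDS = {
    "password", "123456", "12345", "qwerty", "p@ssw0rd", "letmein", "iloveyou",
}

MIN_LENGTH = 8    # minimum length for user-chosen passwords
MAX_LENGTH = 64   # long passphrases must be accepted, so set a generous ceiling


def legacy_policy_accepts(pw: str) -> bool:
    """The 2003-style rule: at least 8 characters with upper, lower, digit and symbol."""
    return (
        len(pw) >= 8
        and re.search(r"[A-Z]", pw) is not None
        and re.search(r"[a-z]", pw) is not None
        and re.search(r"\d", pw) is not None
        and re.search(r"[^A-Za-z0-9]", pw) is not None
    )


def _normalize(pw: str) -> str:
    # Unicode-normalize, then case-fold so 'Password' and 'password' compare equal
    # against the blocklist (case-folding here is this example's choice).
    return unicodedata.normalize("NFKC", pw).casefold()


def _core(pw: str) -> str:
    """Strip leading/trailing digits and punctuation: 'Secret1!' and 'Secret2' share a core."""
    return re.sub(r"^[\W\d_]+|[\W\d_]+$", "", _normalize(pw))


def is_trivial_variant(new_pw: str, old_pw: str) -> bool:
    """Assumption (not a NIST rule): a new password with the same core as the old
    one is just the kind of minor increment the article describes."""
    return _core(new_pw) == _core(old_pw)


def nist_style_check(pw: str, previous: Optional[str] = None) -> Tuple[bool, str]:
    """Length plus blocklist screening, with no composition rules at all."""
    if len(pw) < MIN_LENGTH:
        return False, "too short"
    if len(pw) > MAX_LENGTH:
        return False, "too long"
    if _normalize(pw) in COMMON_PASSWORDS:
        return False, "commonly used or compromised"
    if previous is not None and is_trivial_variant(pw, previous):
        return False, "trivial variant of previous password"
    return True, "ok"


if __name__ == "__main__":
    for candidate, prev in [
        ("P@ssw0rd", None),                       # passes the old rule, fails the blocklist
        ("correct horse battery staple", None),   # fails the old rule, passes the new one
        ("Y0uSh@llN0tP@ss!", "Y0uSh@llN0tP@ss"),  # the minor tweak from the article
    ]:
        print(f"{candidate!r}: legacy={legacy_policy_accepts(candidate)} "
              f"new={nist_style_check(candidate, prev)}")
```

The point the comparison makes is that the two policies disagree in both directions: the composition rule waves through P@ssw0rd, which is on every cracking wordlist, while rejecting a long passphrase that is far harder to guess.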