The man behind complicated P4S5W0rD$ now admits they won't keep us safe

Share

The man behind complicated P4S5W0rD$ now admits they won't keep us safe

A computer security expert who told the world how to write computer passwords 14 years ago has admitted today that he got it wrong.

In June, NIST researchers published a rewrite of Burr's original rules, a project that took two years to complete.

Gone is the advice to change your password every 90 days and the requirement for "obscure characters, capital letters and numbers".

Burr told the Journal that most people make the same, predictable changes - such as switching from a 1 to a 2 - which makes it easy for hackers to guess.

Of course you could use a password manager to manage your passwords and help you create long and cryptographically secure passwords, but you will still need to create a master password that needs to be very secure and one which you can easily remember. In practice this tends to result in users making simple modifications to their password, such as changing "1ns$ecure1" to "1ns$ecure2". In what could be a prime case for "too little, too late", Burr now says that he's sorry for putting us all through password hell.

Looking back on the previous rules, Burr claims that "change your password every 90 days" rule is grossly misfollowed by people.

A widely shared comic strip (above) by Randall Munroe demonstrates the fallacy of Burr's guidelines.

Instead, he recommends using a password management software such as Password Safe (pwsafe.org), which will both generate and store very secure passwords for you.

Additionally, he says that the old standby of having a password contain a letter, number, uppercase letter, and special character was largely unnecessary.

Embracing the new way of thinking when it comes to passwords just might keep your online accounts out of harm's way. This is especially critical, given that almost 20% of passwords used by business professionals for corporate accounts are "easily compromised", according to a report from security firm Preempt.

If hackers want to steal your passwords, they have more sophisticated methods than just guessing.

'As well people checking passwords they themselves may have used, I'm envisaging more tech-savvy people using this service to demonstrate a point to friends, relatives and co-workers: 'you see, this password has been breached before, don't use it!' We hope that with more publicity about how risky it is to use weak passwords, more people will take steps to strengthen their passwords and, most importantly, use different passwords for different websites.

Share

Advertisement

© 2015 Leader Call. All Rights reserved.