You’ve probably heard a lot of advice about creating strong passwords: change them every 90 days, mix in numbers and capitals, don’t use whole words, and so on. Much of it traces back to one document. Bill Burr, then a manager at the National Institute of Standards and Technology (NIST), literally wrote the guidelines on creating safe passwords in 2003 (the password appendix to NIST Special Publication 800-63), and he now says he wishes he hadn’t.
Burr’s point is not that the advice was wrong in theory. He regrets it because it ‘drives people bananas’ and, in practice, produces predictable passwords. The rules handed everyone the same blueprint for building a password, and if we are all working from the same blueprint, the results are easier to guess, for people and especially for cracking software.
For example, we tend to make the same substitutions, such as using a ‘4’ in place of an ‘a’. Imagine that a man whose wife, Annabelle, was born in 1975 decides to use 4nn4belle75 as his password. It looks secure, but password-cracking tools are built around exactly this habit: they take a wordlist of names and dictionary words and apply ‘mangling rules’ to each entry, such as leet substitutions, capitalising the first letter and appending a two-digit number. A short word or name followed by two digits is one of the most common patterns of all, so 4nn4belle75 falls after a tiny fraction of the guesses its eleven characters would suggest.
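To make the point concrete, here is an added example (not code from the original article) of a miniature rule-based candidate generator of the kind cracking tools use. The six-word wordlist, the substitution table and the rule set are constructed for the demonstration; real runs use lists of millions of words and hundreds of rules, but the mechanics are the same.

```python
import itertools
from typing import Iterable, Iterator, Optional

# Constructed sample wordlist. A real cracking run uses lists of millions of
# names and dictionary words; six entries are enough to show the mechanics.
WORDLIST = ["annabelle", "michael", "password", "summer", "princess", "dragon"]

# Leet substitutions that rule engines try by default. The original letter is
# always kept as one option, so the unmodified word is a candidate too.
LEET = {
    "a": ["a", "4", "@"],
    "e": ["e", "3"],
    "i": ["i", "1"],
    "o": ["o", "0"],
    "s": ["s", "5", "$"],
}


def leet_variants(word: str) -> Iterator[str]:
    """Yield every leet spelling of `word` (rule-engine style substitution)."""
    choices = [LEET.get(ch, [ch]) for ch in word]
    for combo in itertools.product(*choices):
        yield "".join(combo)


def candidates(wordlist: Iterable[str]) -> Iterator[str]:
    """Expand each base word with capitalisation, leet spellings and an
    optional two-digit suffix (birth year, age, '01', ...)."""
    for base in wordlist:
        for cased in (base, base.capitalize()):
            for variant in leet_variants(cased):
                yield variant
                for n in range(100):
                    yield f"{variant}{n:02d}"


def guesses_until(target: str, wordlist: Iterable[str] = WORDLIST) -> Optional[int]:
    """Number of candidates tried before `target` is hit, or None if the
    target lies outside the search space entirely."""
    for count, guess in enumerate(candidates(wordlist), start=1):
        if guess == target:
            return count
    return None


def search_space_size(wordlist: Iterable[str] = WORDLIST) -> int:
    """Total number of candidates the rules generate for `wordlist`."""
    return sum(1 for _ in candidates(wordlist))


if __name__ == "__main__":
    print("search space:", search_space_size())
    print("guesses to reach 4nn4belle75:", guesses_until("4nn4belle75"))
    print("guesses to reach 'correct horse battery staple':",
          guesses_until("correct horse battery staple"))
```

Against this toy list the whole search space is under 30,000 candidates and 4nn4belle75 is reached in fewer than 2,000 guesses; a modern GPU tests billions of hashes per second for fast hashes. A four-word passphrase is never generated at all because it does not match the pattern the rules encode.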
Creating Passwords That Are Actually Safe
NIST’s current guidelines (Special Publication 800-63B) reverse the earlier advice. Verifiers should no longer force periodic password changes (a change is required only when there is evidence of compromise) and should not impose composition rules such as demanding capitals and digits. Instead, user-chosen passwords should be at least 8 characters long, systems should accept long passwords (at least 64 characters) including spaces and any printable character, and every new password should be checked against lists of passwords known to be breached or commonly used.
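The following is an added example, not code from the original article or from NIST, of what a verifier following those rules looks like in practice. The breached-password set is a constructed stand-in for a real breach corpus, and the 128-character cap and the context-word check are assumptions of this example rather than numbers taken from the guideline.

```python
import unicodedata
from typing import Iterable, Tuple

# Constructed stand-in for a breached-password corpus. In production this is
# a large list (or a range query against a breach-lookup service) of passwords
# seen in real breaches; the entries here exist only for the demonstration.
BREACHED = {"password", "123456", "qwerty", "letmein", "iloveyou", "4nn4belle75"}

MIN_LENGTH = 8     # SP 800-63B minimum for user-chosen memorized secrets
MAX_LENGTH = 128   # must accept at least 64; a generous cap (assumed here)
                   # keeps hashing cost bounded


def normalize(password: str) -> str:
    """NFKC-normalize so visually identical Unicode input compares equal."""
    return unicodedata.normalize("NFKC", password)


def is_trivial_pattern(password: str) -> bool:
    """True for a single repeated character or a straight run such as
    '12345678' or 'abcdefgh' (forwards or backwards)."""
    if len(set(password)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(password, password[1:])}
    return steps == {1} or steps == {-1}


def check_password(password: str, context_words: Iterable[str] = ()) -> Tuple[bool, str]:
    """Apply 800-63B-style checks. No composition rule is enforced: spaces,
    lowercase-only text and non-ASCII characters are all acceptable."""
    pw = normalize(password)
    if len(pw) < MIN_LENGTH:
        return False, f"too short (minimum {MIN_LENGTH} characters)"
    if len(pw) > MAX_LENGTH:
        return False, f"too long (maximum {MAX_LENGTH} characters)"
    lowered = pw.lower()
    if lowered in BREACHED:
        return False, "found in breached-password list"
    for word in context_words:          # username, service name, etc.
        if word and word.lower() in lowered:
            return False, f"contains context-specific word {word!r}"
    if is_trivial_pattern(lowered):
        return False, "repetitive or sequential characters"
    return True, "accepted"


if __name__ == "__main__":
    for pw in ["correct horse battery staple", "4nn4belle75", "12345678", "Tr0ub4dor&3"]:
        print(f"{pw!r}: {check_password(pw)}")
```

Note what is absent: there is no check for uppercase, digits or symbols, and a four-word lowercase passphrase with spaces passes, while 4nn4belle75 is rejected because a constructed breach list contains it, not because of its character mix.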
Instead, choose four or more random, unconnected words and string them together into a long passphrase that is hard to guess, such as ‘correct horse battery staple’. The words must be genuinely random: don’t use your address or family names, and don’t rely on your imagination either, because people pick predictable words. Stabbing at pages in a dictionary or newspaper is better than guessing; rolling dice against a published word list (the ‘diceware’ method) or letting a password manager generate the phrase is better still. With a 7,776-word list, four random words give roughly 52 bits of entropy, and each extra word adds about 13 bits. A huge bonus is that four whole words are much easier to remember than a complicated pattern!
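As an added example (not code from the original article), here is a diceware-style passphrase generator together with the entropy arithmetic behind the ‘four random words’ advice. The 64-word list is constructed for the demonstration; a real list such as the EFF long list has 7,776 entries, which is the size used in the calculation below.

```python
import math
import secrets
from typing import Sequence

# Constructed 64-word sample list (2^6 entries, so each word is worth exactly
# 6 bits). Real diceware lists such as the EFF long list have 7,776 words,
# indexed by five rolls of a six-sided die.
WORDS = [
    "acid", "amber", "anvil", "apple", "arrow", "attic", "badge", "bagel",
    "banjo", "barn", "basil", "beach", "bison", "blade", "brick", "cabin",
    "cactus", "camel", "candle", "canoe", "cargo", "cedar", "chalk", "cider",
    "cliff", "clock", "cloud", "comet", "coral", "crane", "daisy", "delta",
    "ember", "fable", "falcon", "fern", "flint", "fossil", "garlic", "ginger",
    "glove", "harbor", "hazel", "igloo", "ivory", "jigsaw", "kayak", "lemon",
    "lunar", "maple", "marble", "meadow", "nectar", "olive", "orbit", "pebble",
    "quartz", "raven", "ripple", "saddle", "timber", "tulip", "velvet", "walnut",
]


def passphrase(words: Sequence[str], count: int = 4, sep: str = " ") -> str:
    """Pick `count` words uniformly at random using the OS CSPRNG. The
    `random` module is not suitable here: its generator is seedable and its
    output is predictable once a few values are known."""
    if count < 1:
        raise ValueError("count must be at least 1")
    return sep.join(secrets.choice(words) for _ in range(count))


def entropy_bits(list_size: int, count: int) -> float:
    """Entropy of `count` words drawn uniformly from a `list_size` list,
    assuming the attacker knows both the list and the method."""
    return count * math.log2(list_size)


def words_needed(list_size: int, target_bits: float) -> int:
    """Smallest number of words from a `list_size` list reaching `target_bits`."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    phrase = passphrase(WORDS)
    print(phrase, f"({entropy_bits(len(WORDS), 4):.1f} bits from this toy list)")
    print(f"4 words from a 7,776-word list: {entropy_bits(7776, 4):.1f} bits")
    print("words needed for 77 bits from a 7,776-word list:", words_needed(7776, 77))
```

The entropy figure assumes the attacker knows the list and the word count; that is the correct assumption, since the strength comes from the random selection, not from the method being secret. Four words from the 2,048-word list used in the original ‘correct horse battery staple’ comic come to 44 bits; six words from a 7,776-word list pass 77 bits.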