Skip to content

Constantly changing your password and using special characters is useless, depending on who originally recommended it

26 mayo, 2021

15 years later, the first promoter of the constant change of passwords and the use of special characters has completely changed his mind. After all, in the case of passwords, size is the most important.

Bill Burr was the man who wrote the document on password management that spread the belief that use a combination of special characters, numbers, and letters to create words like “Pa55word! 1” was the safest practice. Now he is sorry for having advised that.

At the time Burr was working at the National Institute of Standards and Technology in the United States. The document he created basically became the guide for federal agencies, universities and companies when it came to following certain rules for creating passwords.

Burr recommended things like changing the password every 90 days, and combining numbers, letters, symbols, uppercase and lowercase. Now that he’s retired and 72 years old, he says that none of those rules keep hackers out.

In the case of constantly changing password, most people make simple changes that are easy to guesssimply because they will be easy to remember. Changing from something like Pa55word! 1 to Pa55word! 2 is practically useless.

So what is recommended now?

The document Burr wrote has been almost completely revised and rewritten from scratch. The recommendation to constantly change your password and the requirement of special characters have been thrown away. These rules actually have a negative impact on usability, mainly because people forget the new password.

The ideal is to create long, easy-to-remember sentences instead of some crazy combination of characters. And, you should only change your password if there are indications that it has been stolen. For example, if whoever offers you a certain service announces a data leak, or you find out that your email or an online account has been compromised.

People have been incorrectly taught to create passwords that are hard for a human to remember, but easy for a computer to guess.

The consensus seems to be that using a series of four words can be more difficult to decipher than using a single word made up of lots of symbols, numbers, and letters. The longer the password, the harder it is to break, regardless of a simple phrase.

Via | The Wall Street Journal
In Genbeta | How to use mnemonics to create and remember complex and strong passwords