Passwords. We need them. Some accounts require us to keep changing them. Other accounts force us to use dynamic password generators. We hate them, yet we have no choice but to use them. We also tend to forget them, so we write them down lest we forget, and leave them lying around for others to find. I am always amused when I get a service call at an account and there, on the monitor, is a brightly colored sticky note with the user's passwords on it.
Passwords are the currency of the Digital Age. People use passwords to log in to email accounts, online games, bank accounts, credit card accounts, online forums, social networking sites, and every other password-protected corner of the Internet.
Passwords are the keys to the IT castle and it doesn’t matter how strong your walls are if the lock on the door is easily picked.
They're of particular interest to people like me because they're often the one component of a security system whose creation and safekeeping is entrusted to the users of that system rather than to its designers and administrators. And that, unfortunately, is why we have to keep talking about them: users remain stubbornly attached to passwords like 12345 and password, which sit at the top of every cracking wordlist and fall in less time than it takes to type them.
In order to remember and keep track of all the logins in their lives, a lot of people reuse the same one, two, or three passwords everywhere, which means a single breached site hands an attacker the keys to all of their accounts. What's more, many people choose passwords that are trivially guessable: names, nicknames, dates of birth, maiden names, and other obvious, predictable information.
According to the National Institute of Standards and Technology (NIST), whose 2017 revision of Special Publication 800-63B covers passwords, it's time to ditch the practice of forcing people to change their passwords every few months. The agency also said there's no evidence that requiring people to include numbers and special characters is worthwhile; those composition rules mostly push users toward predictable patterns such as a capital letter first and a digit or exclamation mark last.
Instead, NIST proposes a different measure: let people use passwords of their choosing (no more "8 characters with an upper case letter and a symbol", although a minimum length of 8 characters still applies) but check every new password against a blocklist of values that are easy to guess. In the words of the guidelines, the list should include:
- Passwords obtained from previous breach corpuses
- Dictionary words
- Repetitive or sequential characters (e.g. 'aaaaaa', '1234abcd')
- Context-specific words, such as the name of the service, the username, and derivatives thereof
In everyday terms, that rules out the old favorites:
- The names of your children and pets
- The word Password
- Your birthday
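Here is what that blocklist check looks like in code. This is an added example written for this post, not NIST's or anyone else's implementation; the breach list and dictionary are tiny constructed samples (a real system would use a full breach corpus such as the Pwned Passwords set), and the service name and username are made up. Note what it does not do: it never demands an upper case letter, a digit or a symbol.

```python
import re
from typing import List, Set

# Constructed stand-in for a breach corpus / common-password list. A real
# deployment would check against a full data set; these entries are
# illustrative only.
BLOCKLIST = {
    "password", "123456", "12345", "qwerty", "letmein", "welcome1",
    "correcthorsebatterystaple",  # the viral comic's example is in every wordlist now
}

# Constructed mini dictionary standing in for a full word list.
DICTIONARY = {"welcome", "dragon", "sunshine", "monkey", "football"}

MIN_LENGTH = 8  # SP 800-63B minimum for user-chosen memorized secrets

LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def normalize(pw: str) -> str:
    """Lower-case, undo common substitutions and drop spaces, so 'P@ssw0rd'
    and 'Correct Horse Battery Staple' compare against the lists as
    'password' and 'correcthorsebatterystaple'."""
    return re.sub(r"\s+", "", pw.lower().translate(LEET))


def has_repetitive_run(pw: str, run: int = 4) -> bool:
    """True if any character repeats `run` or more times in a row ('aaaa')."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def has_sequential_run(pw: str, run: int = 4) -> bool:
    """True if `run` consecutive characters step by +1 or -1 in code point
    ('1234', 'abcd', 'dcba', 'WXYZ')."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        codes = [ord(c) for c in s[i:i + run]]
        steps = {b - a for a, b in zip(codes, codes[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def context_words(service: str, username: str) -> Set[str]:
    """The service name, the username and simple derivatives: each whole
    value plus its alphanumeric pieces of three or more characters."""
    words: Set[str] = set()
    for raw in (service, username):
        low = raw.lower()
        words.add(low)
        words.update(w for w in re.split(r"[^a-z0-9]+", low) if len(w) >= 3)
    return words


def check_password(pw: str, service: str, username: str) -> List[str]:
    """Return the SP 800-63B reasons to reject `pw`; an empty list means
    accept. Deliberately no composition rules (upper/lower/digit/symbol)."""
    reasons: List[str] = []
    norm = normalize(pw)
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if norm in BLOCKLIST:
        reasons.append("appears in the breach/common-password list")
    if norm in DICTIONARY:
        reasons.append("is a single dictionary word")
    if has_repetitive_run(pw):
        reasons.append("contains repetitive characters")
    if has_sequential_run(pw):
        reasons.append("contains sequential characters")
    hits = sorted(w for w in context_words(service, username)
                  if w in pw.lower() or w in norm)
    if hits:
        reasons.append("contains context-specific word(s): " + ", ".join(hits))
    return reasons


if __name__ == "__main__":
    # Made-up service and user for the demonstration.
    for candidate in ("P@ssw0rd", "1234abcd", "AcmeBank2024!",
                      "Correct Horse Battery Staple", "plum velvet anchor tuesday"):
        verdict = check_password(candidate, "Acme Bank", "alice@example.com")
        print(f"{candidate!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

The leetspeak normalization matters more than it looks: "P@ssw0rd" passes every classic composition rule and is still one of the first guesses a cracking tool makes, and only comparing the normalized form catches it.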
After all of this, what makes a hard-to-crack password now? Bill Burr, the former NIST manager who wrote the original 2003 guidance that gave us the composition rules, has since said he regrets it. NBC News summed up the new thinking this way:
"The new password guidelines are both easier to remember, and harder to guess. The NIST's revised tips say users should pick a string of simple English words, and only be forced to change them if there's been evidence of a security break-in.
Not only did the old password format frustrate users, it wasn't even the best way to keep hackers at bay.
For instance, 'Tr0ub4dor&3' could take just three days to crack, according to one viral comic whose assertions have been verified by security researchers, while 'CorrectHorseBatteryStaple' could take 550 years." (Source: NBC News.)
There you have it. Unfortunately, most companies haven't yet given us the option of such an elegantly simple password. For the foreseeable future you will probably still be forced to include at least ONE capital letter and one special character. My advice: be consistent about how you add those and life will be easier. Two caveats, though. The words have to be genuinely random; that is what the comic's 550-year figure assumes, and the comic's own phrase, CorrectHorseBatteryStaple, has been in every cracking wordlist since it went viral, so pick four words of your own (rolling dice against a word list is the classic way). And a symbol tacked onto the front or back adds almost nothing, because cracking tools try those variations automatically; it is there to satisfy the form, not to add strength. So something like !PlumVelvetAnchorTuesday keeps the IT department happy while the four random words behind it do the real work.
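The comic's arithmetic, and a generator for the kind of passphrase it recommends, as an added example written for this post (not the comic's, NBC's or NIST's code). The word list here is a short constructed sample; real Diceware or EFF lists have 7776 words, and the entropy depends on the list size and the number of words, not on which words you happen to draw. The guess rates are assumptions for illustration: the comic's 1,000 guesses per second models an online or slow-hash attack, while 10^10 per second is a rough figure for a GPU against a fast, unsalted hash.

```python
import math
import secrets

# Constructed stand-in for a real passphrase word list (Diceware/EFF lists
# have 7776 entries). Entropy per word is log2(len(list)), so the list size
# matters far more than the words themselves.
WORDS = ["apple", "bridge", "candle", "desert", "engine", "forest", "garden",
         "hammer", "island", "jacket", "kettle", "lantern", "marble", "needle",
         "orange", "pepper", "quartz", "ribbon", "saddle", "tunnel",
         "umbrella", "velvet", "walnut", "yellow", "zipper"]

SECONDS_PER_YEAR = 365 * 24 * 3600


def passphrase(words, count=4, sep=" "):
    """Pick `count` words uniformly at random using the CSPRNG-backed
    `secrets` module. Do not use random.choice(): its Mersenne Twister state
    can be recovered from a modest amount of output."""
    return sep.join(secrets.choice(words) for _ in range(count))


def entropy_bits(list_size, count):
    """Entropy of `count` words drawn uniformly from `list_size` words, i.e.
    log2(list_size ** count). Assumes the attacker knows the list and the
    method (the comic's assumption too); only the draw is secret."""
    return count * math.log2(list_size)


def years_to_crack(bits, guesses_per_second):
    """Time to exhaust the whole space at the given rate, in years. The
    expected time for a single target is half this."""
    return (2 ** bits / guesses_per_second) / SECONDS_PER_YEAR


if __name__ == "__main__":
    # The comic's numbers: ~28 bits for Tr0ub4dor&3, 44 bits for four words
    # from a 2048-word list, both at 1,000 guesses per second (assumed rate).
    print(f"Tr0ub4dor&3-style, 28 bits: {years_to_crack(28, 1e3) * 365:.1f} days")
    print(f"four words of 2048, {entropy_bits(2048, 4):.0f} bits: "
          f"{years_to_crack(44, 1e3):.0f} years")
    # Against an offline attack on a fast hash (assumed 10^10 guesses/s),
    # 44 bits fall in minutes; six words from a 7776-word list do not.
    print(f"44 bits vs fast hash: {years_to_crack(44, 1e10) * SECONDS_PER_YEAR / 60:.0f} minutes")
    bits6 = entropy_bits(7776, 6)
    print(f"six Diceware words, {bits6:.1f} bits vs fast hash: "
          f"{years_to_crack(bits6, 1e10):.0f} years")
    print("example from the constructed list:", passphrase(WORDS, 4))
```

The last two lines are the caveat the comic leaves implicit: 550 years is the answer for an attacker throttled by a login page or a slow hash like bcrypt. If the site stores fast unsalted hashes and gets breached, four words buy you minutes, and the fix is more words, not more symbols.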
Your Tech Guys