Bill Burr at the National Institute of Standards and Technology now regrets the golden-rule advice he gave on passwords.
That advice was to use figures, letters and keyboard symbols, with at least eight characters. Well, it turns out that it is not much defence against determined hackers. Oh, and a different password for each site is also a waste of time, he now considers.
So, we have been creating obscure passwords, and many of them across our social media accounts, etc, trying desperately to remember them all, when we needn’t have, it appears.
People have a sad tendency to use the name of their pet or grandchild or somebody’s birthday, which is why Facebook is full of someone ‘innocently’ asking, “who has a long-lost pet that they miss so much?”, or something equally transparent, to find out if you’re using a pet name.
The best passwords are simply sentences of at least 16 characters (five words or longer) that you won’t forget; Mary had a little lamb… etc. is not one of them. Obviously, don’t separate the words with spaces: uglierthanamonkeysuckingonalemon, for example.
Anyway, don’t go changing all your passwords now, but when it’s time to change one, or you need a new one, then perhaps use this method.
Finally, did you know that there is a World Password Day? Well, there is, on the first Thursday of May each year, and it has been going since 2013.
Editorial note: this article was written at the beginning of the month but we somehow forgot to publish it…
(News: Spain)

The solution is to invest in a password manager. I use LastPass (www.lastpass.com). They have a free option as well as a premium one. They are not the only option, but my employer (a big company which offered IT consulting services, including in IT security) allowed us to use LastPass for work. There was another that I cannot remember. We were NOT allowed to let Google or Microsoft remember our passwords. Reason: if Google or Microsoft are hacked, or my account at Google is hacked, then the hacker has all my passwords. LastPass operates a zero-knowledge architecture where they never have access to the master password – the one and only password (or better, passphrase) that you have to remember.
Darren: Yes, sorry, we forgot to amend this about multiple passwords being just as necessary – thank you for pointing this out. As a suggestion, use a novel that you like, using the first five words, for instance, of the first few sentences, using one sentence beginning for each password, so you will have a quick reference to look them up if you can’t remember them.
A different password for every important site IS NOT a waste of time. It’s standard practice for scammers if they get one email/password pair to try that combo on other sites (Amazon, PayPal, banks etc). If you use the same password everywhere and just one of your many internet services gets hacked, you’re boned.
We’re up to about 20 characters minimum password length, computer power being what it is, and random characters are still a good way to go, but the problem is remembering them. So you either use memorable phrases like the article suggests (a different one for each important site!), or get your computer to remember them for you.
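As an added illustration (not from the article or the commenters) of why the article’s passphrase method and the comment’s point about length both hold, the script below estimates the brute-force search space of the old eight-character rule against the article’s own example phrase, and checks a candidate against the article’s rule (16+ characters, five or more words, no spaces). The alphabet and word-list sizes are assumptions chosen for illustration.

```python
import math

# Assumed alphabet sizes for the estimates (constructed for illustration).
PRINTABLE_ASCII = 95   # letters, digits and keyboard symbols
LOWERCASE = 26         # what an attacker sees in a spaces-stripped phrase
WORD_LIST = 7776       # assumed size of a word list the phrase is drawn from
SECONDS_PER_YEAR = 365 * 24 * 3600


def search_space_bits(length: int, alphabet: int) -> float:
    """Bits of search space for `length` independent symbols from `alphabet`."""
    return length * math.log2(alphabet)


def article_rule_ok(words: list[str]) -> bool:
    """The article's rule: join the words without spaces, 16+ chars, 5+ words."""
    candidate = "".join(words)
    return len(candidate) >= 16 and len(words) >= 5 and " " not in candidate


def expected_years(bits: float, guesses_per_second: float) -> float:
    """Expected time to find the password, assuming half the space is searched."""
    return (2 ** (bits - 1)) / guesses_per_second / SECONDS_PER_YEAR


def compare(words: list[str], guesses_per_second: float = 1e10) -> dict:
    """Search-space estimates for the old 8-char rule versus a word phrase."""
    phrase = "".join(words)
    return {
        # Old advice: 8 symbols drawn from the full keyboard set.
        "old_rule_bits": search_space_bits(8, PRINTABLE_ASCII),
        # Attacker who only knows the phrase is lowercase letters.
        "phrase_as_chars_bits": search_space_bits(len(phrase), LOWERCASE),
        # Attacker who knows it is N words from a known list: the honest figure,
        # and the reason a famous sentence (the article's nursery rhyme) is weak.
        "phrase_as_words_bits": search_space_bits(len(words), WORD_LIST),
        "old_rule_years": expected_years(
            search_space_bits(8, PRINTABLE_ASCII), guesses_per_second),
    }


if __name__ == "__main__":
    # The article's own example, split back into its words.
    example = ["uglier", "than", "a", "monkey", "sucking", "on", "a", "lemon"]
    print("meets article rule:", article_rule_ok(example))
    for key, value in compare(example).items():
        print(f"{key}: {value:.2f}")
```

Even under the pessimistic word-list view the phrase has roughly double the bits of the old eight-character rule, which is the comment’s point that length, not symbol mix, is what costs the attacker.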