Scrap everything you know about creating strong passwords and do this instead…

September 11, 2017  12:49 pm


You know the drill: make a password with a hodgepodge of special characters, numbers, and letters, then change it periodically – or just ignore change alerts until a hacking scandal suddenly arises.

You may want to rethink your strategy.

Bill Burr, the man behind how we commonly think of devising passwords, recently told The Wall Street Journal, “much of what I did I now regret.”

The password creation shakeup

The retired 72-year old was reportedly a manager at The National Institute of Standards and Technology (NIST) back in 2003 when he wrote “NIST Special Publication 800-63. Appendix A,” featuring the password guides we’ve held true for years now.

According to The Wall Street Journal, this included, namely, the rule that passwords should be a combination of numbers, special characters, and uppercase letters, which you change every 90 days.

Why is Burr changing his tune years later?

He reportedly had to produce the rules quickly and wanted them to be based on research, but he had no “empirical data on computer-password security.” So he turned to a white paper from the 1980s.

Burr told The Wall Street Journal that his advice has led people astray because those rules were probably too challenging for many to understand and caused people to use passwords that were not too difficult to crack.

In June, the NIST released new guidelines, which don’t call for “special characters” or changing passwords frequently anymore. Instead, the NIST says the rules now preach “long, easy-to-remember phrases” and just coming up with new ones “if there is a sign they may have been stolen.”

A xkcd comic by Randall Munroe from August 2011 shows that figuring out the password “Tr0ub4dor&3” would take three days to solve, according to the cartoonist’s calculations, compared to the words “correct horse battery staple” typed as a single word, which would take a staggering 550 years to solve. Computer-security specialists found this to be true.

Be careful changing passwords

You may also want to rethink how often you update your password. This practice can place us at risk if we take the wrong approach.

When we repeatedly change passwords, we don’t always change them properly.

Professor Alan Woodward of the University of Surrey told BBC News that NIST publications have a far reach, giving the rules “a long lasting impact.” But he also mentioned “a rather unfortunate effect”:

For example, the more often you ask someone to change their password, the weaker the passwords they typically choose. . . . And, as we have all now so many online accounts, the situation is compounded so it encourages behaviours such as password reuse across systems.

Steer clear of these password options

So if you’re looking to change your password soon, don’t pick these.

SplashData, which supplies password management applications, released the 2015 version of its “Worst Passwords List.” Here are the top 10 worst ones featured:

  1. 123456
  2. password
  3. 12345678
  4. qwerty
  5. 12345
  6. 123456789
  7. football
  8. 1234
  9. 1234567
  10. baseball

Morgan Slain, CEO of SplashData commented on the findings in a statement.

We have seen an effort by many people to be more secure by adding characters to passwords, but if these longer passwords are based on simple patterns they will put you in just as much risk of having your identity stolen by hackers…As we see on the list, using common sports and pop culture terms is also a bad idea. We hope that with more publicity about how risky it is to use weak passwords, more people will take steps to strengthen their passwords and, most importantly, use different passwords for different websites.

Embracing the new way of thinking when it comes to passwords just might keep your online accounts out of harm’s way.


By Jane Burnett Aug 9, 2017

Jane Burnett is a reporter for Ladders. She is based in New York City

Give us a call to discuss your projects. You'll be glad you did.