Your clever password, dotted with capital letters, numbers and symbols isn’t so clever after all. The man who wrote the book on crafting uncrackable passwords now tells the Wall Street Journal that he was all wrong: short and goofy-looking isn’t the key to better security. Longer phrases written in simple text are a more secure way to go.
“Much of what I did I now regret,” said Bill Burr, whose eight-page primer has been something of a consumer security bible since 2003.
Leetspeak – the practice of replacing letters with numbers or symbols that resemble them, as in P@$$w0rd123 – doesn’t keep hackers away. That password could be cracked within three days, data shows. There’s also no point in changing passwords every 90 days, as previously recommended, unless there’s evidence that the account may have been compromised.
Not only were those goofy-looking passwords weak, they also damaged usability. People tend to repeat the same words, phrases and themes across passwords – Monkey1, Monkey2, Monkey3 – and sooner or later, it becomes hard to remember which iteration they're on. Then, resetting the password takes even more time – and good luck remembering the new one now that you’re on “Monkey 4.”
“It just drives people bananas, and they don’t pick good passwords no matter what you do,” Burr said.
Instead of finger-twisters and a rotating cast of slightly-too-similar passwords, Burr and the National Institute of Standards and Technology now recommend a longer phrase written in plain text – no weird symbols or numbers, no random mix of upper- and lowercase letters.
The password “correct horse battery staple” – all one word, no capital letters, no numbers, no symbols – would take 550 years to crack.
Burr said that, when he wrote the original primer, there was no empirical security data to show which kinds of passwords were most effective, so he’d done his best with the information available. The rules were intended to create randomness, but in the end, though well-intentioned, all his advice created were headaches (though a few folks probably learned where to find the ampersand key in the process).