Your Password Is… All Wrong

The expert at the U.S. National Institute of Standards and Technology (NIST) who wrote the rules on creating strong passwords has admitted he got it all wrong.  In 2003, Bill Burr drafted the definitive guide on how to create secure passwords known as “NIST Special Publication 800-63. Appendix A.”  This document pretty much went on to form the basis of password requirements for almost everything you do online. His advice included using a combination of capital letters, numbers and non-alphabetic symbols in passwords. He also advised that passwords should be changed every three months.

NIST has issued new guidelines which now recommend that people create long passphrases, rather than words made up from random characters.  A passphrase is similar to a password, but is generally longer for added security.  For example, a passphrase made up of four simple words like "correcthorsebatterystaple" would take a computer 550 years to guess, while a password like the one Burr recommended would take approximately three days.  A brute-force attack can easily defeat a short password.

NIST guidelines no longer suggest passwords be frequently changed, because most people only make small alterations to their existing passwords, which are relatively easy for a hacker to figure out.  In addition, the more frequently you ask someone to change their password, the weaker the passwords they tend to choose.

Here are some additional password “dos” and “don’ts” that can help you to maintain the security of your personal data.

  • Don’t "recycle" a password.  Password-protected sites are often vulnerable because people often use the same passwords on numerous sites.  If your password is breached, your other accounts could be put at risk if you use the same passwords.
  • Don’t use personal information (your name, birthday, Social Security number, pet’s name, etc.), common sequences, such as numbers or letters in sequential order or repetitive numbers or letters, dictionary words, or “popular” passwords.
  • Do change your password if you believe that your password has been stolen or breached. 
  • Don’t share your passwords with others.  One study found that more than one-third (36%) of people who share passwords in the United States have shared the password to their banking account.
  • Do enable two-factor authentication (when available) for your online accounts. Typically, you will enter your password and then a code will be sent to your phone.  You will need to enter the code in addition to your password before you can access the account.  Twofactorauth.org has an extensive list of sites and information about whether and how they support two-factor authentication.
  • Do be cautious when you choose the site security questions and answers that will be used to authenticate you if you forget your password.  Be sure that you don’t pick a question which can be answered by others.  Many times, answers to these questions (such as a pet’s name or where you went to high school) can be ascertained by others through social networking or other simple research tools.