It’s about time we start to realize that commonly accepted password rules we’ve been using for over a decade have been largely incorrect. Last week, I read an article in the Wall Street Journal, “The man who wrote the book on password management has a confession to make: He blew it.”
In 2003, Bill Burr wrote an essay, “NIST Special Publication 800-63, Appendix A,” advising people to invent new words using obscure characters, capital letters, and numbers, and to change them often. He became the go-to authority on password security, and his teachings were adopted by government agencies and large companies all over the world.
He now admits that his thinking was largely flawed and that a new approach is needed, “Much of what I did I now regret,” said Mr. Burr.
Let’s take a look at some of the ways that commonly accepted practices in password management were incorrect and what you should do instead.
Forcing password changes regularly was one of the biggest mistakes.
Once-a-year password changes are more than sufficient, absent a breach of security. Much of the recent research shows that when companies force their employees to change their passwords too frequently, they don’t put a lot of thought into the new ones.
FTC Chief Technologist, Lorrie Cranor shares, “Today, attackers who have access to the hashed password file can perform offline attacks and guess large numbers of passwords. The Carleton researchers demonstrate mathematically that frequent password changes only hamper such attackers a little bit—probably not enough to offset the inconvenience to users.”
When you force people to change their password every 90 days, they usually only make minor changes to it. The changes they make are not substantial enough to throw off hackers.
In other words, changing your password from “Pa55word1” to “Pa55word2” and then to “Pa55word3” is not effective at all. And that’s exactly what most people do when you force them to change it every 90 days.
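One way a defender can catch the “Pa55word1” to “Pa55word2” rotation at change time, as an added example that is not from the article: compare the old and new password the user submits (both are available in plaintext only at that moment) and reject the new one when it is a minor edit of the old. The thresholds and the normalisation rule are assumptions.

```python
"""Added example (not from the article): reject trivial password rotations.
Both values come from the change-password form; nothing here is stored."""
import re


def _stem(pw: str) -> str:
    """Case-fold and strip leading/trailing digits and punctuation, which are
    the parts users typically bump when forced to rotate."""
    return re.sub(r"^[\d\W_]+|[\d\W_]+$", "", pw.casefold())


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, standard dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trivial_rotation(old: str, new: str, max_distance: int = 2) -> bool:
    """True when `new` is a minor edit of `old`: identical after case-folding,
    same stem once the bumped digits/punctuation are stripped, one contains
    the other, or the two are within `max_distance` edits (assumed threshold)."""
    o, n = old.casefold(), new.casefold()
    if o == n or o in n or n in o:
        return True
    stem_o, stem_n = _stem(o), _stem(n)
    if stem_o and stem_o == stem_n:      # guard: all-digit passwords have an empty stem
        return True
    return _edit_distance(o, n) <= max_distance


def check_change(old: str, new: str) -> str:
    """Verdict a change-password handler would act on."""
    return "reject" if is_trivial_rotation(old, new) else "accept"


if __name__ == "__main__":
    # Constructed sample submissions, including the article's own sequence.
    for old, new in [("Pa55word1", "Pa55word2"), ("Pa55word2", "Pa55word3"),
                     ("Pa55word1", "!duwIh2kcmp")]:
        print(f"{old} -> {new}: {check_change(old, new)}")
```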
We must be careful not to make another mistake: “patterns” or “whole words.”
Mandatory patterns make password cracking a simple task. I am not a fan of whole words or mandated patterns. If I know you use four whole words, it’s a simple dictionary-style attack, which runs very quickly.
Never use a phrase that someone knows you like, such as a sentence from your favorite song. This makes guessing your password all too easy. Be sure not to use the same password for all your online accounts. If you do, a hacker can have a field day and turn your entire life upside down. Don’t use the same password in Microsoft Office products as in your more secure accounts. Office passwords are easily hacked.
One suggestion for selecting solid passwords that are easy to remember: create a sentence, e.g. “I don’t understand why I have to keep changing my password”. Use the first letter of each word, e.g. “iduwihtkcmp”. Then use caps and substitution to alter the password, e.g. “!duwIh2kcmp”. Remember the phrase and you will remember the password.
Do you have too many passwords to keep track of? Consider using a trusted password manager. With a password manager, you can keep track of all your passwords and secret questions, and use the built-in password generator. Here are a couple we recommend: https://1password.com/ or https://www.dashlane.com/.
Later I will discuss the flaws in secret questions and how two-factor authentication works.