Those annoying password requirements like ‘must have at least one special character?’ They do more harm than good.
It’s tough to create a good, secure password. It’s tough to even agree what password requirements make it strong in the first place. But most of the websites you’ll visit probably recommend numbers, capital and lowercase letters, and possibly a random symbol or two. This was the recommendation of Bill Burr, who created those password guidelines while working for the National Institute of Standards and Technology back in 2003.
Now, almost 15 years later, Burr finally admits he made a mistake. In an interview with the Wall Street Journal, Burr expressed his regrets for giving advice on password requirements he now realises was flawed.
The actual problem
The problem isn’t that passwords with random numbers and symbols in them aren’t secure. They can be, especially if a random password generator is used to create secure passwords. The problem is that humans suck at remembering passwords filled with random numbers and symbols. So, what do they do? Well, they typically create simpler passwords that are easier to guess.
If you’ve ever had to come up with a “secure” password, you probably did the same thing as almost everyone else—pick the first word that comes to mind and substitute a few numbers and symbols for letters. An O becomes a zero, a 1 becomes an exclamation point, and now you have what looks like an impossible-to-crack password.
But you’re not the only one doing this, which means that hackers routinely try to guess these common substitutions. These simple instructions double as a handy guide for attack by password crackers. Ironically, Burr’s password security guidance actually ended up making passwords less secure.
Not the basic password requirements
Burr’s admission comes at a time when “secure password advice” is becoming mostly irrelevant. There are several services like LastPass and OnePass that will generate secure passwords for you and remember them so you don’t have to. And hopefully in a few years we’ll have replaced passwords entirely with some other sort of tech all together.
Of course, all of this is pointless if you don’t care about having a strong password in the first place.
This article was originally written for and published by Popular Mechanics USA.