Don't change pa$$wØrds… I got it wrong, says IT expert

  • Don't change pa$$wØrds… I got it wrong, says IT expert

Don't change pa$$wØrds… I got it wrong, says IT expert

Blame the annoying rules about using uppercase letters and special characters and numbers to Burr.

You may want to rethink your strategy.

Nearly 15 years ago, while working at the National Institute of Standards and Technology (NIST), he wrote what would basically become the bible of password management: NIST Special Publication 800-63.

A password such as "thisroomsmellsliketerriblefarts" is better than one like "W9ob!R55".

Why is Burr changing his tune years later? In fact, he told the journal, the paper wasn't based on any real-world password data, but rather a paper written in the 1980s. "In the end, [the list of guidelines] was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree".

In June, the NIST released new guidelines, which don't call for "special characters" or changing passwords frequently anymore.

Frequent changes in passwords, known as "transformations", were not effective either as users would often make minor changes like replacing the number 1 with a number 2. Computer-security specialists found this to be true.

Using biometric log-in methods, such as Apple's Touch ID and Samsung's iris-scanning technology, can also provide an additional layer of protection, as can two-factor authentication (entering additional codes from another device to prove it's you).

"We ended up starting from scratch, ' Mr. Grassi said, after finding that most of the previous rules 'actually had a negative impact on usability". For example, fishchipsmushypeas, would be much harder for botnets to guess than weak passwords littered with special characters. Instead of picking a short password that's hard to remember, making a long password is best. His section on passwords included instructions to fill them with numbers and characters and change them every three months. "And writing down a password is a very bad idea".

Morgan Slain, CEO of SplashData commented on the findings in a statement. What they're recommending now is to use long but easy-to-remember phrases as your password and only change them if there are any signs that they may have been stolen and you've been hacked.

We have all seen the message.

Coming up with a new password is probably one of the most mundane and annoying things a person has to do in their everyday life.

Creating a new password for an online account or app is an exercise in pure frustration.