For years now we’ve been educated on the importance of ‘strong’ passwords to protect our sensitive information and accounts, and on what supposedly constitutes a strong password. When creating a password, we’re told, you must include both letters and numbers, with at least one of those letters capitalized. Be sure to include a special character as well, while avoiding personally identifiable information such as your date of birth or a child’s name. In addition to using strong passwords, we’re discouraged from using the same password for multiple accounts or platforms, and we’ve been directed to change our passwords regularly. All of these rules are said to be necessary to protect us from financial fraud and identity theft. Or so we’ve been told. But is this advice a) accurate, and b) practical?
While creating long, complex passwords won’t in and of itself do you any harm, the reality is that mandated complexity rules can lead to habits that undermine security. For starters, arbitrary strings of mixed characters are difficult to remember, which inevitably pushes people toward predictable patterns (a capitalized word, a digit, and an exclamation mark at the end), reusing the same password across accounts, or writing passwords down. All of these practices create security weaknesses. Former National Institute of Standards and Technology manager Bill Burr, the author of the 2003 NIST guidance that popularized these composition rules, now says that advice was misguided: it produces easy-to-predict strings that password-cracking tools handle with simple substitution and append rules. NIST’s current guidance, SP 800-63B, no longer recommends composition rules or routine password expiry for this reason.
The practice of changing passwords on a schedule has similar results. Being forced to change them every several weeks or months (as we were told was in our best interest) typically drives people toward easy-to-crack passwords. To comply with the directive, many people simply increment the last character of the string, for example changing ‘ABCDEF1’ to ‘ABCDEF2’, or bump the year in ‘Summer2023!’. An attacker who has obtained one old password, or one leaked in a breach, will try exactly those variations first. Regularly changing your passwords is not harmful in and of itself; however, doing so tends to lead us to create ones that are hardly ideal.
So what should be considered best practice when it comes to creating a secure password? According to Burr, we should use passphrases rather than passwords. Rather than a string of letters, numbers, and special characters, use a phrase that’s easy for you to remember, or even a full sentence. For example, something like ‘Thank_God_It’s_Friday’ is long enough to be expensive to guess while remaining easy to remember. One caveat a practitioner would add: the length is what does the work, so choose a phrase that is personal and unusual rather than a well-known saying, since common expressions appear in the phrase lists that cracking tools already use, and never reuse it across services. Then change the passphrase only if the platform has been put at risk by a data breach or other compromise. By employing this strategy, you’ll create strong-enough passwords that are easy to remember without falling victim to bad or lazy habits.
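To make the two points above concrete, the following is an added example (not code from the original post): a check that flags the ‘ABCDEF1’ to ‘ABCDEF2’ style of rotation described earlier, a rough comparison of the guessing space of a short composition-rule password against a multi-word passphrase, and a generator that picks words at random from a list. The word list here is a constructed sample; a real deployment would use a published list such as the EFF large word list (7,776 words), and the entropy figures are upper bounds that assume an attacker guesses uniformly, which real cracking tools do not.

```python
import math
import secrets
import string

# Constructed sample word list for the demo. Real lists are far larger; the
# EFF large word list has 7,776 entries, giving log2(7776) ~ 12.9 bits per word.
WORDS = [
    "orbit", "lantern", "quartz", "meadow", "copper", "violin", "harbor", "cactus",
    "pillow", "glacier", "falcon", "tunnel", "bamboo", "rocket", "saddle", "ember",
]

# Characters a user typically tacks on or bumps when forced to rotate.
TRAILING = string.digits + string.punctuation


def is_trivial_rotation(old: str, new: str) -> bool:
    """Return True when `new` is just `old` with a trailing digit/symbol run
    changed (ABCDEF1 -> ABCDEF2, Summer2023! -> Summer2024!) or differs from
    `old` in at most one character position."""
    stem_old = old.rstrip(TRAILING)
    stem_new = new.rstrip(TRAILING)
    if stem_old and stem_old.lower() == stem_new.lower():
        return True
    if len(old) == len(new) and sum(a != b for a, b in zip(old, new)) <= 1:
        return True
    return False


def charset_bits(password: str) -> float:
    """Naive entropy estimate: each character drawn uniformly from the union of
    the character classes present. This is the number a composition rule
    implicitly assumes; attacker wordlists and mangling rules undercut it."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 ASCII symbols
    return len(password) * math.log2(size) if size else 0.0


def passphrase_bits(n_words: int, wordlist_size: int) -> float:
    """Entropy of `n_words` chosen uniformly at random (with replacement)
    from a list of `wordlist_size` words. Holds only for random selection,
    not for a phrase the user already knows from common usage."""
    return n_words * math.log2(wordlist_size)


def generate_passphrase(n_words: int = 5, words=WORDS, sep: str = "-") -> str:
    """Pick words with the `secrets` module (CSPRNG), never `random`."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


if __name__ == "__main__":
    for old, new in [("ABCDEF1", "ABCDEF2"), ("Summer2023!", "Summer2024!"),
                     ("ABCDEF1", "orbit-lantern-quartz-meadow")]:
        print(f"{old!r} -> {new!r}: trivial rotation = {is_trivial_rotation(old, new)}")
    # 7 alphanumerics ~36 bits; 4 random words from a 7,776-word list ~52 bits,
    # roughly matching an 8-character password from the full 94-symbol set.
    print("ABCDEF1 naive bits:", round(charset_bits("ABCDEF1"), 1))
    print("4 words from 7776 list:", round(passphrase_bits(4, 7776), 1))
    print("sample passphrase:", generate_passphrase())
```

The rotation check is the part worth deploying: compare a proposed password against the previous one at change time and reject near-duplicates, which removes most of the benefit an attacker gets from a leaked older password. The entropy helpers are for illustration; they show why a random multi-word passphrase keeps pace with a symbol-laden short password while being far easier to remember.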