We’ve all heard it for at least a decade: passwords should have at least one uppercase letter, one symbol, and one number. That’ll make them secure and hard for someone to guess, right? Well, that’s not entirely false: it will make them hard for a person to guess, but these rules can actually make guessing your password easier for a machine. These arbitrary requirements seem like they’re there to help us, but in truth, most of us use EXACTLY one uppercase letter, one symbol, and one number. There are statistics on where these characters sit in most passwords, and that knowledge makes writing and running a piece of code to crack passwords even easier. This isn’t the only issue with these sorts of passwords. As I mentioned before, they are often much harder for users to remember as well, making it a nightmare to juggle the average user’s 20+ passwords without forgetting them from time to time.
This isn’t to say that numbers, capitals, and symbols don’t increase the strength of your password (and you should totally use them where it makes sense to), but this isn’t where the majority of your password strength comes from. Bill Burr, a former National Institute of Standards and Technology manager and the original password “authority,” wrote a document titled “NIST Special Publication 800-63. Appendix A”. That document advised the rules we’ve all come to know and loathe. Then, in an interview with The Wall Street Journal over a decade later, he came out and said that these rules were “misguided.” Burr didn’t lead us to passwords that are easy to crack; rather, he steered us toward lazy mistakes and easy-to-predict practices, which make for easy password cracking. A popular xkcd comic published in 2011 poked a hole in this logic by pointing out how these common password practices create passwords that are exponentially easier to crack than a passphrase.
Passphrases are intimidating at first, but once you understand the logic behind using them, it all becomes a lot clearer. A passphrase should be an obscure and probably unintelligible string of words that embodies human randomness, making it easier for people to remember but significantly harder for a machine to make sense of. The example used in the xkcd comic mentioned above is “correcthorsebatterystaple”. These words, in the context of human language, will probably NEVER be used to form a complete, coherent thought, which is why they make an excellent passphrase. Plus, in the time it took to come up with the proper words to reach the desired character count (sources recommend a minimum of 24 characters), you’ve probably already begun or finished memorizing your new passphrase. Taking the idea of passphrases and incorporating the old rules, you might end up with something like “CorrectHorseBattery5taple”, a significantly more secure password.
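As an added illustration (not from the original article or from xkcd), the Python example below puts numbers on the argument above: it compares the entropy of the habitual “capitalised word + digit + symbol” shape with a passphrase of randomly drawn words, and generates a passphrase from the operating system’s random source. The word list, the function names, and the 32-symbol set are assumptions made for the example.

```python
import math
import secrets

# Constructed sample list (assumption). Real lists are far larger: the xkcd
# comic assumes 2048 common words, the EFF long list has 7776.
SAMPLE_WORDS = [
    "correct", "horse", "battery", "staple", "window", "marble", "cactus",
    "violin", "harbor", "pepper", "lantern", "glacier", "trumpet", "walnut",
    "meadow", "saddle",
]


def passphrase_bits(list_size, n_words):
    """Bits of entropy when n_words are drawn uniformly and independently."""
    return n_words * math.log2(list_size)


def habit_pattern_bits(dict_size, n_digits=1, n_symbols=1, symbol_count=32):
    """Bits for the habitual shape: Capitalised word + digit(s) + symbol(s).

    Assumed model: the capital is always the first letter and the digit and
    symbol always trail, so their positions add nothing; only the choices do.
    """
    return (math.log2(dict_size)
            + n_digits * math.log2(10)
            + n_symbols * math.log2(symbol_count))


def generate_passphrase(words, n_words=4, min_length=24):
    """Append CSPRNG-chosen words until both the word count and the
    24-character minimum mentioned in the article are met."""
    if len(words) < 2 or len(set(words)) != len(words):
        raise ValueError("word list must hold at least two distinct words")
    chosen = []
    while len(chosen) < n_words or sum(map(len, chosen)) < min_length:
        chosen.append(secrets.choice(words))
    return "".join(chosen)


if __name__ == "__main__":
    print("example passphrase:", generate_passphrase(SAMPLE_WORDS))
    for size in (len(SAMPLE_WORDS), 2048, 7776):
        print(f"{size:>5}-word list: 4-word passphrase "
              f"{passphrase_bits(size, 4):5.1f} bits, "
              f"habit pattern {habit_pattern_bits(size):5.1f} bits")
```

With a 2048-word list, the habit pattern comes to roughly 19 bits against 44 bits for four random words. The figures only hold when the generator picks the words, not the user.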
Now, that’s not to say that passphrases are necessarily the best passwords or the only ones you should be using. In a time when users have so many passwords to juggle, there are also several different password managers out there that take the hard work out of generating passwords. Services like LastPass or Dashlane store logins for you, and they will automatically cycle them out on an interval so you always have a new, secure password. These passwords are cryptographically generated, so each password is as secure as possible, and you don’t need to remember any of them. Using a browser add-on, these services usually allow for auto-fill of passwords as well, making the transition seamless and logging into your favorite applications a breeze. These applications usually run between $0 and $10 monthly, depending on the scope of your password management needs, and are definitely worth looking into. Not only do they make sure your information is secure, but they also keep all of the information in one place, synced between all of your devices, for ease of access and peace of mind, no matter where you are.
Overall, we haven’t been steered in the wrong direction by any sense of the phrase when it comes to passwords, so much as the way we were taught made it easy for us, as users, to fall into consistent and easy-to-guess password generation. With these additional steps and ideas, you can ensure that you’re even more secure when you’re on the internet, protecting your valuable personal and professional data and allowing everyone involved to sleep a little bit easier. Passwords literally protect every account you have and the data they hold, and as such, we should always be striving to create and maintain the best, most secure passwords we can.