If the man who invented those pesky password rules himself says that he might have made a mistake, then you should think twice about all those password-management rules that you’ve gotten used to following. Bill Burr, the author of the “NIST Special Publication 800-63. Appendix A,” which was basically a primer on how to protect your online accounts, says that he now regrets most of what he did. That’s because recent security developments have shown that the rules were not effective in preventing hacking and online fraud.
Until now, most of us have followed his playbook pretty religiously: changing your password every 90 days, mixing in obscure numbers, special characters, capital letters, and so on. While he was working for the National Institute of Standards and Technology, and after he created this recommendation guide, it became a sort of sacred text for a lot of federal agencies, schools, and private companies. That is why, to this day, certain websites prompt us to include at least one capital letter and one symbol in a password.
When NIST undertook a long-overdue rewrite of the so-called “password commandments,” it realized that much of what was there, and much of what we think we know, is badly outdated. All these rules had a “negative impact on usability,” according to Paul Grassi, who led the team that created the new guidelines now being disseminated to the rest of the world. What they recommend now is to use long but easy-to-remember phrases as your password, and to change them only if there are signs that they may have been stolen and you’ve been hacked.
These aren’t just hypotheses or arbitrary rules that they came up with; they have been borne out not only by academic researchers but also by security practitioners. It is harder for nefarious individuals and groups to break into an account protected by a long string of words than one protected by a short “code,” which almost always works in meaningful dates and numbers or is just a slight variation on the previous password.
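To put numbers behind the comparison the article draws, here is an added Python example. It is not code from the article, from NIST, or from the Wall Street Journal, and its inputs are assumptions: a 7,776-word list (the size of a common “diceware” list), 95 printable keyboard characters, a 10,000-word everyday vocabulary, an offline guessing rate of 10 billion per second, and the 8- to 64-character length bounds from NIST SP 800-63B. The second half mirrors the revised approach the article describes: check length and a list of known-compromised passwords, impose no “capital letter and symbol” rule, and require a change only when compromise is suspected rather than on a 90-day clock.

```python
import math

# All numbers below are constructed assumptions for the illustration; none come
# from the article. The word-list size matches a widely used 7,776-word
# "diceware" list, and the 8/64-character bounds follow NIST SP 800-63B.
PRINTABLE_ASCII = 95          # symbols available under a "use numbers and symbols" rule
DICEWARE_WORDS = 7776         # candidate words when picking a passphrase at random
COMMON_WORDS = 10_000         # vocabulary people actually draw a "clever" password from
GUESSES_PER_SECOND = 1e10     # assumed offline guessing rate against a fast, unsalted hash


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for `length` independent uniform picks from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def pattern_bits(words: int = COMMON_WORDS) -> float:
    """Entropy of the classic rule-satisfying pattern: Word + two digits + one symbol.

    The password satisfies every composition rule, yet anyone who knows the
    pattern has only words * 100 * 10 candidates to consider.
    """
    return math.log2(words * 100 * 10)


def years_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Years needed to try every candidate at `rate` guesses per second."""
    return 2 ** bits / rate / (3600 * 24 * 365)


def compare_policies() -> dict[str, float]:
    """Entropy (in bits) of several password-selection strategies."""
    return {
        "8 random printable characters": entropy_bits(PRINTABLE_ASCII, 8),
        "Word + 2 digits + symbol": pattern_bits(),
        "4 random dictionary words": entropy_bits(DICEWARE_WORDS, 4),
        "6 random dictionary words": entropy_bits(DICEWARE_WORDS, 6),
    }


def evaluate_password(password: str, compromised: set[str],
                      min_length: int = 8, max_length: int = 64) -> list[str]:
    """Check a password the way the revised guidance suggests.

    Length and a compromised-password blocklist are checked; there is
    deliberately no "must contain a capital letter and a symbol" rule.
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if len(password) > max_length:
        problems.append(f"longer than {max_length} characters")
    if password in compromised:
        problems.append("appears in a list of known-compromised passwords")
    return problems


def rotation_required(days_since_change: int, compromise_suspected: bool) -> bool:
    """Old rule: rotate every 90 days. Revised rule: rotate only on evidence of compromise."""
    return compromise_suspected


if __name__ == "__main__":
    for name, bits in compare_policies().items():
        print(f"{name:32s} {bits:5.1f} bits  ~{years_to_exhaust(bits):.2e} years to exhaust")
    # Constructed blocklist standing in for a real compromised-password feed
    breached = {"password1", "Summer17!"}
    print(evaluate_password("Summer17!", breached))                    # rejected: known-compromised
    print(evaluate_password("correct horse battery staple", breached))  # []
    print(rotation_required(120, compromise_suspected=False))          # False
```

The striking row is the rule-satisfying pattern: a password such as “Summer17!” passes every composition check while offering only about 23 bits of uncertainty, less than half of what four randomly chosen words provide. Eight truly random characters and four random words are roughly tied, but the words are far easier to remember, and adding two more words buys another 26 bits for almost no memorization cost.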
SOURCE: Wall Street Journal