If you’re like me, you’ve spent at least a little time worrying about the security of your data. About someone hacking your bank account, or Facebook! And we’ve been taught that the best way to secure our accounts is by using strong passwords. You know – those passwords that include capital letters, numbers and characters all in one word. And as if that’s not enough, we need to change these crazy passwords regularly. Who made these rules?
It was this guy called Bill Burr. He wrote a report on password management in 2003 for the US National Institute of Standards and Technology and somehow, we all came to follow the rules that he set. Thanks a lot, Bill. According to The Wall Street Journal, Bill has since realised that his advice turned out to be largely incorrect.
As it happens, when you force people to change their password every 90 days, they tend to make only minor changes (like adding an exclamation mark) that are easy to guess, and easy pickings for hackers. Requiring a number, an uppercase and lowercase letter and a special character does very little to stop a cyber criminal. And while these rules didn’t do much for security, they had a real negative impact on usability. Go figure.

So, what’s the new $tr0nG P@$$w0Rd?

Long, easy-to-remember phrases. According to academics who have studied passwords, a series of four words can be harder for hackers to crack than the ‘traditional’ strong password: a long string of ordinary letters is harder to guess than a short mix of letters, numbers and symbols. For example, it would take 550 years to crack the password “correct horse battery staple” all written as one word, and only 3 days to crack “Tr0ub4dor&3”. Check out Randall Munroe’s xkcd cartoon about this here.
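To see where numbers like “550 years” and “3 days” come from, here is a small worked example (added here, not from the post or the cartoon). It assumes the cartoon’s figures: four words drawn at random from a 2,048-word list (44 bits), a “Tr0ub4dor&3”-style password estimated at 28 bits, and a slow online guessing rate of 1,000 guesses per second. The word list in the code is a constructed sample for illustration only.

```python
import math
import secrets

# Constructed sample word list for the demonstration only. A real generator
# should draw from a large published list (e.g. the 7,776-word EFF/Diceware
# list); the cartoon's estimate assumes a 2,048-word list, which is the size
# used in the entropy calculations below.
SAMPLE_WORDS = [
    "correct", "horse", "battery", "staple", "river", "candle", "orbit",
    "pillow", "maple", "tractor", "lantern", "velvet", "puzzle", "harbor",
    "cactus", "meadow",
]

ASSUMED_WORDLIST_SIZE = 2048       # list size the cartoon's estimate assumes
ONLINE_GUESSES_PER_SECOND = 1000   # throttled online guessing rate assumed
SECONDS_PER_DAY = 24 * 60 * 60
SECONDS_PER_YEAR = 365 * SECONDS_PER_DAY


def passphrase_entropy_bits(num_words: int, wordlist_size: int) -> float:
    """Entropy of a passphrase whose words are chosen uniformly at random
    (with replacement) from a list of wordlist_size words."""
    return num_words * math.log2(wordlist_size)


def exhaustive_search_seconds(entropy_bits: float, guesses_per_second: float) -> float:
    """Time to try every candidate in a space of 2**entropy_bits guesses."""
    return (2.0 ** entropy_bits) / guesses_per_second


def describe_duration(seconds: float) -> str:
    """Human-readable rounding of a search time, for reporting."""
    if seconds >= SECONDS_PER_YEAR:
        return f"{seconds / SECONDS_PER_YEAR:.0f} years"
    if seconds >= SECONDS_PER_DAY:
        return f"{seconds / SECONDS_PER_DAY:.1f} days"
    return f"{seconds:.0f} seconds"


def generate_passphrase(words, num_words: int = 4, separator: str = " ") -> str:
    """Pick words with the OS CSPRNG (secrets), not random.choice, so the
    entropy formula above actually applies to the result."""
    return separator.join(secrets.choice(words) for _ in range(num_words))


def compare(num_words=4, wordlist_size=ASSUMED_WORDLIST_SIZE,
            complex_password_bits=28.0, rate=ONLINE_GUESSES_PER_SECOND):
    """Return (passphrase_seconds, complex_password_seconds) at the given rate.
    28 bits is the cartoon's estimate for a 'Tr0ub4dor&3'-style password."""
    phrase_bits = passphrase_entropy_bits(num_words, wordlist_size)
    return (exhaustive_search_seconds(phrase_bits, rate),
            exhaustive_search_seconds(complex_password_bits, rate))


if __name__ == "__main__":
    phrase_secs, complex_secs = compare()
    print("4 random words from 2048:", describe_duration(phrase_secs))     # 558 years
    print("Tr0ub4dor&3-style (28 bits):", describe_duration(complex_secs))  # 3.1 days
    print("Example passphrase:", generate_passphrase(SAMPLE_WORDS))
```

Two caveats the arithmetic makes visible. First, the formula only holds when the words are chosen at random by a machine; a phrase you made up yourself (a favourite saying, a relative’s name) is drawn from a far smaller space and gets no credit for its length. Second, 1,000 guesses per second is an online, rate-limited attacker; if a site leaks its password database, offline guessing runs many orders of magnitude faster and both durations shrink by the same factor, but the four-word phrase keeps its 16-bit (65,536-fold) advantage.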
I’m excited to go through the process of updating all my passwords to long fun passphrases; currently I’m playing with ‘mytanniesekoeksuster’ as my new Facebook password. What do you think about that?