The gentleman who had us all changing passwords frequently and using odd character sequences now has regrets.
According to The Wall Street Journal, the security expert now believes “he blew it” back in 2003, when he published an eight-page primer, advising “people to protect their accounts by inventing awkward new words rife with obscure characters, capital letters and numbers — and to change them regularly.”
In a Page One feature with a clever headline, “The Man Who Wrote Those Password Rules Has a New Tip: N3v$r M1^d!,” the expert, Bill Burr, says, “Much of what I did I now regret.”
His advice in “NIST Special Publication 800-63, Appendix A” is largely incorrect, he tells The Journal. Indeed, the paper reports, “In June, Special Publication 800-63 got a thorough rewrite, jettisoning the worst of these password commandments.”
Gone is the advice to change your password every 90 days and the requirement for “obscure characters, capital letters and numbers.”
Roman V. Yampolskiy, director of the University of Louisville’s Cyber Security Laboratory, agrees with the new guidelines, writing in an email exchange, “Completely agree that forcing users to periodically change passwords is not a good idea.”
Instead, he recommends using password management software such as Password Safe (pwsafe.org), which will both generate and store very secure passwords for you. The database is encrypted, he says, and you only need to know one passphrase to get access.
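To make the shift concrete, here is an added example (not code from the article, NIST, or the Password Safe project) that puts the two regimes side by side: a legacy checker enforcing the composition rules and 90-day rotation the article says were dropped, and a checker in the style of the rewritten SP 800-63B, which, as that document specifies, screens memorized secrets by length and against a list of known common or breached passwords instead of by character classes or age. The blocklist entries, the sample passwords, and the 20-character generator defaults are constructed for the illustration; the generator stands in for the "generate a very secure password" role of a password manager.

```python
"""Legacy composition/rotation rules versus a NIST SP 800-63B style check.

Added example for the article above; it is not the article's, NIST's, or
Password Safe's own code. The blocklist and sample inputs are constructed.
"""
import math
import secrets
import string

# Constructed stand-in for a list of common or breached passwords.
# 800-63B asks verifiers to screen new passwords against such a list.
COMMON_PASSWORDS = {"password", "p@ssw0rd1!", "letmein", "qwerty123", "summer2017!"}

MAX_AGE_DAYS = 90  # the rotation period the article says was abandoned


def legacy_check(password: str, age_days: int = 0) -> list[str]:
    """2003-era rules: mixed character classes plus forced rotation.

    Returns a list of rule violations (empty list means the password passes).
    """
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    if age_days > MAX_AGE_DAYS:
        problems.append(f"older than {MAX_AGE_DAYS} days")
    return problems


def modern_check(password: str, min_len: int = 8, max_len: int = 64) -> list[str]:
    """800-63B style: length bounds and a blocklist; no composition rules, no expiry.

    The 8/64 bounds follow 800-63B's minimum and the maximum it requires
    verifiers to accept; they are set here as defaults, not taken from the article.
    """
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if len(password) > max_len:
        problems.append(f"longer than {max_len} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("found in common/breached password list")
    if len(set(password)) == 1:
        problems.append("single repeated character")
    return problems


DEFAULT_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = DEFAULT_ALPHABET) -> str:
    """Generate a random password the way a password manager would.

    `secrets` draws from the OS CSPRNG; `random` would not be suitable here.
    """
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # "P@ssw0rd1!" satisfies every composition rule yet sits on the blocklist;
    # a long passphrase fails the old rules and passes the new ones.
    for pw in ["P@ssw0rd1!", "correct horse battery staple", generate_password()]:
        print(f"{pw!r}: legacy={legacy_check(pw)} modern={modern_check(pw)}")
    print(f"20 random chars from {len(DEFAULT_ALPHABET)} symbols: "
          f"{entropy_bits(20, len(DEFAULT_ALPHABET)):.0f} bits")
```

The point the run makes is the one the article reports: a password can tick every composition box and still be one attackers try first, while a long passphrase that would have been rejected under the old rules is a reasonable memorized secret under the new ones. A manager-generated 20-character string from a 94-symbol alphabet carries about 131 bits of entropy, which is why Yampolskiy's advice to let the software generate and store passwords, rather than trying to remember them, holds.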
Password Safe, an open-source project, reminds users on its site that “Security starts with you.”
“Keeping written lists of passwords on scraps of paper, or in a text document on your desktop is unsafe and is easily viewed by prying eyes (both cyber-based and human),” Password Safe said, adding: “Using the same password over and over again across a wide spectrum of systems and websites creates the nightmare scenario where once someone has figured out one password, they have figured out all your passwords and now have access to every part of your life (system, e-mail, retail, financial, work).”
If you use multiple machines, Yampolskiy adds, you can synchronize your password database via a cloud service like Google Drive. “I would recommend not trying to remember all your passwords as it is impossible to do if they are really secure.”
For those looking for a handy app, Digital Trends ranked some of the best password manager apps including LastPass, Dashlane and 1Password.