15 years later, the leading authority on password advice changes his mind
Earlier this week Bill Burr told the Wall Street Journal that he regretted much of the password advice he gave almost 15 years ago. Who’s Bill Burr? He’s the reason you’re required to come up with a new password every 90 days on some sites. And the one who suggested things like this: p@$$w0rD123!
Turns out, changing your password every 90 days makes passwords less secure. And replacing a=@ o=0 s=$ may not be as clever as you think. See, hackers and hacking algorithms are very aware of this trick and it’s very easy for them to bust these passwords.
So what should we do???
Making a complex (but easy to remember) password
Whenever a customer drops off their computer or phone at one of our stores, we ask for the password. We do this for testing purposes, to ensure device functionality both before and after the repair. However, collecting passwords from tens of thousands of different people has led me to notice something.
Almost everyone uses a weak password.
It’s understandable. Complex passwords are hard to remember and who has enough energy to commit a random number/letter combination to memory? Instead, almost every password I see is some version of a word, often with a number or two, and maybe an exclamation mark. Bunny21 or Timothy1986! – something like that. These passwords are fairly simple and easy to crack and we all know that.
We also know what a complex password looks like. It’s something like sO#tO32bEgO or LiTi7An&Be. These passwords avoid full words and look like keyboard gibberish so the common perception is they are difficult to memorize. But they don’t have to be.
Here’s the trick. Start with a phrase that means something to you. Now choose a number (one or multiple digits) and your favorite special character. Something like below:
Soon to be Gone – 32 – #
or
Lions Tigers and Bears – 7 – &
Now, take the first two letters from each word and combine them to make a single 8 character “word”. Then put the number and the special character in-between any of the two letter segments. So…
Soon to be Gone becomes sotobego and then so#to32bego
Lions Tigers and Bears becomes litianbe and then liti7an&be
Lastly, capitalize one letter from every two-letter segment. You can choose to capitalize either the first or last letter each time, or make it a bit more random which letters you capitalize. In my case, I chose to capitalize the second letter each time for the first password, and the first letter each time in the second password. The end result is:
sO#tO32bEgO and LiTi7An&Be
Both of these seem entirely random but are actually fairly easy to remember since they are based on a phrase with personal meaning. It can be a bit tricky to type at first, but you’ll remember this password more easily than you’d expect since you’ll remember how you created it. And you’ll also be surprised how quickly your fingers will develop muscle memory and learn to type the new password.
Another method
If you can use a longer password, another common technique is to create a phrase password. Something like:
Agavehorsecloudpooltoasterdrive
As it turns out, creating a long password adds hacking difficulty even if it’s made up of common English words (which typically makes a password less secure). Because the password is adequately long and the hackers can’t predict the length of any individual word, it’s pretty hard to crack.
The key is just to not use a phrase that means anything to you this time. Nothing from literature especially. Try this method to create your password using only a dice and a cheat sheet. The random roll of a dice will make your password nearly impenetrable!
Give it a try. Did this method work for you? We’d love to hear your feedback!