It’s not easy to admit to getting it wrong, but that’s what Bill Burr did in a recent interview with the Wall Street Journal. Back in 2003, as an advisor for the American National Institute of Standards and Technology (NIST), Burr recommended irregular capitalisation, special characters and numerals in our passwords; such as wHyWeN3edP4s5w0rd5. Burr also recommended passwords change every 90 days,

Now, however, that advice is regarded as outdated and potentially unsafe.

Patrick Shanley, Security Consultant at 2-sec says that Burr’s advice caused a lot of unforeseen challenges. “That advice led a lot of people to only slightly amend their original code e.g. c0rnfl@kes1; c0rnfl@kes2; c0rnflakes3, which made the passwords very easy to predict and break.  We also saw a lot of clients had stuck notes to their desk as no one could remember whether they were up to p@55w0rd45 or p@55w0rd46…”

Weak passwords, and their use across multiple places, are one of the commonest reasons for data breaches, and a strong password policy is essential to prevent account details being compromised.

GCHQ issued new advice telling people to stop resetting passwords, saying the “inconvenience it created outweighed any limited security benefits”.  They now advise that people use long but easy-to-remember “passphrases”, a sequence of words that do not need to feature special characters or numbers.

Anthony Webb, Consultant for 2-sec says “a string of unconnected, random words, such as “duvet jump vase” or “paper gin cat” are much easier to remember (who else is thinking of a tiny paper cat drinking gin?) and take a lot longer to crack than a string of characters and numbers.”.

What are the top password tips from 2-sec?

  • Don’t use any words that can be easily associated with where you live, have lived or even pets; social engineering can discover these easily.
  • Passwords should be a minimum of 8 characters, and ideally a mixture of two unconnected words.
  • Opt in to two-factor authentication on key email accounts so that an attacker can’t access your system even when they crack your password.
  • Don’t set a password policy that has rules on the composition (e.g. “your password must contain one upper case letter, one special character, one digit and a name of a pre-war Prime Minister”).
  • Don’t use password hints as recovery questions (e.g. “what’s my favourite food – rhymes with hurry”)
  • Use a reputable password manager. It’ll do the job of creating and remembering as many strong passwords as necessary.

Burr is now retired, and says “Much of what I did I now regret…In the end, it was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree.”