Passwords need Caps, Special Characters, and Numbers. Wrong! According to NIST these are the strongest (and easiest to recall) passwords.

Everything We’ve Been Told About Passwords Is Wrong (According To The Person Who First Told Us)


Staff Writer

There are times when you just know something is not right, but convincing the rest of the world can take some time. For example, the innovation–ahem, insanity–that has become the norm for password conventions.

I’ve often wondered if the people who come up with the ridiculous lists of password requirements are trying to exact vengeance on the world for some horrible childhood trauma they suffered.

Here’s a magnificent example of one of those lists, taken directly off of the Attorney General of Texas Child Support site (No, I’m not paying child support in Texas.)

1. The password must be exactly 8 characters long.

2. It must contain at least one letter, one number, and one of the following special characters.

3. The only special characters allowed are: @ # $

4. A special character must not be located in the first or last position.

5. Two of the same characters sitting next to each other are considered to be a “set.” No “sets” are allowed. Example: rr, tt

6. Avoid using names, such as your name, user ID, or the name of your company or employer.

7. Other words that cannot be used are Texas, child, and the months of the year.

8. A new password cannot be too similar to the previous password.

9. Example: previous password – abc#1234; unacceptable new password – acb$1243

10. Characters in the first, second, and third positions cannot be identical. (abc*****)

11. Characters in the second, third, and fourth positions cannot be identical. (*bc#****)

12. Characters in the sixth, seventh, and eighth positions cannot be identical. (*****234)

13. The previous 8 passwords cannot be reused.

For those of you who, like me, have been driven b*t$h1t crazy by password requirements such as these, I’ve got great news. You’ve been vindicated! According to an article in the Wall Street Journal, Bill Burr at the National Institute of Standards, who in 2003 originally made the recommendation on which much of this is based, told the Journal, “Much of what I did I now regret.”

After years of cursing at the cyber lords it would be nice to have someone to blame. However, it really wasn’t Burr’s fault. According to how Burr recounts it in the article, at the time there wasn’t much, if anything, for him to go on. In fact the computer administrators at NIST pretty much shut him down cold when he asked to see their passwords so he could get some idea of what they were using.

Without any data about the current state of affairs, Burr turned to a 1980 (yes, that’s not only pre-Internet but pre-PC) white paper, which he used to come up with his recommendations.

Burr’s suggested password requirements, which included the use of capitals, numbers, and special characters, soon found their way into every nook and cranny of the Internet. And you and I have since cursed the insanity of it all on a daily basis.

NIST has rewritten the recommendations with a startling and very human-centric finding: the best password is a long memorable phrase of three words or more. For example, “puppies running on the beach.” Now, seriously, how could you ever forget that?

As it turns out, according to a comic referenced in the article, a 44-letter lowercase phrase of four words takes five millennia to crack versus only three days for a 28-character random string of letters, numbers, and special characters–never mind that you need a photographic memory to remember the latter.
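An added example, not part of the original column: it counts how many passwords the thirteen-rule policy quoted above can admit at all, and sets that next to the search space of a randomly chosen multi-word passphrase. Only rules 1 to 5 are modelled; case-sensitive letters (52 of them) and a 7,776-word list are assumptions, since the page specifies neither.

```python
import math
from collections import defaultdict

# Assumed class sizes: the page does not say whether letters are case-sensitive.
CLASSES = {"letter": 52, "digit": 10, "special": 3}   # rule 3: only @ # $
LENGTH = 8                                            # rule 1: exactly 8 characters
WORDLIST_SIZE = 7776                                  # assumed Diceware-sized list


def count_compliant(length=LENGTH, classes=CLASSES):
    """Count the strings that satisfy rules 1-5 of the quoted policy.

    Dynamic programming over positions. A state is (classes seen so far,
    class of the previous character); the value is how many prefixes reach it.
    """
    states = {(frozenset(), None): 1}
    for pos in range(length):
        nxt = defaultdict(int)
        at_edge = pos in (0, length - 1)
        for (seen, last), n in states.items():
            for cls, size in classes.items():
                if cls == "special" and at_edge:
                    continue                          # rule 4: not first or last
                # rule 5: no "sets", so the previous character itself is excluded
                choices = size - (1 if cls == last else 0)
                if choices:
                    nxt[(seen | {cls}, cls)] += n * choices
        states = nxt
    # rule 2: at least one letter, one digit and one special character
    return sum(n for (seen, _), n in states.items() if len(seen) == len(classes))


def passphrase_bits(words, list_size=WORDLIST_SIZE):
    """Bits of search space for `words` words drawn uniformly at random."""
    return words * math.log2(list_size)


if __name__ == "__main__":
    alphabet = sum(CLASSES.values())
    allowed = count_compliant()
    print(f"any {LENGTH} chars from {alphabet} symbols: {LENGTH * math.log2(alphabet):.1f} bits")
    print(f"allowed by rules 1-5: {math.log2(allowed):.1f} bits")
    for k in (3, 4, 5):
        print(f"{k} random words: {passphrase_bits(k):.1f} bits")
```

Both figures are upper bounds that assume uniformly random choice; rules 6 to 13 and human habits only shrink the policy's side further.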

Oh, and there’s one more thing; you know that requirement to change your password every 30/60/90 days? Yup, it’s wrong too.

So, to all of you who knew in your gut that there had to be a better way, you were right.

The opinions expressed here by Inc.com columnists are their own, not those of Inc.com.
