Most of us have probably heard the theory that the best way to keep your online information secure is to use complicated passwords filled with random numbers, letters and symbols, as opposed to something lame like “password123” or something else that’s easy to remember.
But the man who came up with these guidelines now says he got it wrong, and that using a random string of characters probably won’t help keep your data safer from hackers.
Bill Burr created the guidelines back in 2003, arguing that more complicated passwords would be harder for hackers to guess or to crack with software. However, Burr now admits he got it wrong, and says that these kinds of combinations may actually make computer systems less secure.
Burr told the Wall Street Journal in an interview this week that complex passwords haven’t improved security. The problem, he says, is that users instead use the same complex password repeatedly on different websites and systems, because they’re not able to remember multiple passwords. In addition, people often write these passwords down on sticky notes and attach them to their desks or computer screens, which is obviously not a good practice.
In addition, Burr says that due to the sophisticated nature of the tools used by hackers, adding numbers and symbols to your passwords does nothing to make them harder to crack.
“Much of what I did, I now regret,” said the now retired Burr. “In the end, it was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree.”
Burr even admits that his advice that we should regularly change our passwords was also mistaken. That’s because most people do so by altering just a single character, which will not deter hackers, he says.
The National Institute for Science and Technology has now updated its password guidance in light of Burr’s admission. Now, it advises people to use long but easy to remember “pass phrases”: a pass phrase is a string of words (without spaces) that can easily be remembered but not so easily guessed. For example, a pass phrase such as “mikeisthebestwriterintheworld” would take much longer to crack than a shorter password containing symbols, such as “[email protected]#”.
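To put numbers on the two points above (length beats character classes, and a one-character “change” is no change at all), here is a small added example; it is not from the article or from NIST, and the minimum length of 15, the similarity threshold of 3 edits and the 20,000-word dictionary are assumptions chosen for illustration.

```python
import math

# Character-class sizes used for the brute-force keyspace estimate.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 32


def brute_force_bits(password):
    """Bits of search space an attacker covers by trying every string built
    from the character classes the password actually uses."""
    if not password:
        return 0.0
    alphabet = 0
    if any(c.islower() for c in password): alphabet += LOWER
    if any(c.isupper() for c in password): alphabet += UPPER
    if any(c.isdigit() for c in password): alphabet += DIGITS
    if any(not c.isalnum() for c in password): alphabet += SYMBOLS
    return len(password) * math.log2(alphabet)


def passphrase_bits(word_count, dictionary_size):
    """Bits of search space when the attacker knows the pass phrase is
    word_count words drawn from a dictionary of dictionary_size words
    (the honest estimate for a phrase like the one in the article)."""
    return word_count * math.log2(dictionary_size)


def levenshtein(a, b):
    """Edit distance: how many single-character changes turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_new_password(old, new, min_len=15, min_distance=3):
    """Return the policy violations for a password change (empty = accepted):
    require length rather than symbols, and reject a new password that is
    only a character or two away from the old one (assumed thresholds)."""
    problems = []
    if len(new) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if levenshtein(old.lower(), new.lower()) < min_distance:
        problems.append("too similar to the previous password")
    return problems
```

Even counted as seven dictionary words rather than 29 random letters, the article’s pass phrase still sits around 100 bits, far above a nine-character password drawn from all four character classes.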
It’s also worth pointing out that we no longer have to rely on passwords alone. For really important data, it’s always best to enable two-factor authentication, for example a one-time code sent by SMS to your phone to verify your login.