logo

09 August 2017

Sorry, but you’re doing your pa$$w0rds all wrong

Wait, was it a "1" or a "!"?
Wait, was it a “1” or a “!”?

Image: Ambar Del Moral/mashable

Maintaining a set of strong, unique passwords is tough work these days — and yet it’s never been more important. With so much time spent online, keeping digital ne’er-do-wells out of our accounts is a basic prerequisite for making it through the day. 

But here’s the thing: It turns out that the “strong” password requirements we’ve all come to know aren’t actually helping. In fact, they may be doing more harm than good. 

This news was first brought to our attention in May when experts at the National Institute of Standards and Technology (NIST) issued a draft report challenging many of our long-held assumptions about what makes a good password (what it calls a “memorized secret”). That draft was finalized in June, and it provides a comprehensive list of do’s and don’ts when it comes to password hygiene.

And while that NIST recommendation keeps some of the old favorites, it also packs a few surprises. 

The do’s:

  • Make your password at least 8 characters long. We knew this one already, and the basic advice to avoid short passwords hasn’t changed. “Passwords that are too short yield to brute force attacks as well as to dictionary attacks using words and commonly chosen passwords,” the NIST guidelines remind us

  • Consider making it even longer. Have you ever had a password rejected because it was too long? Yeah, that’s a bonkers thing that happens sometimes. The folks at NIST want to change that, and say that service providers should allow passwords of up to 64-characters in length. Take advantage of this and choose long passphrases to protect your accounts.  

  • Keep your password as long as you’d like (within reason). Say goodbye to forced password resets every 90 days or so. Haven’t been notified of a breach, or clinked on any shady links? Feel free to keep your password as it. Things get weird? Well then that’s when you should change your password. 

  • Use a password manager. Password managers, like LastPass, allow you to have robust and unique passwords for each and every site. Use one — it’s worth it. 

They'll never know...

They’ll never know…

Image: designer491/Getty Images

The don’ts:

  • Throw out those special characters. Forget all the @’s, $’s, and &’s that you’ve come to accept as standard password requirements. You don’t need those anymore. They just make it harder to remember your actual password, and they don’t actually make it stronger. 

  • Get rid of password hints. Password hints are trouble, as they make it easier for a stranger to guess their way into your account. Don’t use them.

  • Stop it with the password reset questions. Answers to questions like “what was the name of your first pet” are hardly state secrets, and yet that’s all some services require for a password reset. Skip these. 

  • Avoid the “1234567” trap. Stay away from what NIST refers to as “repetitive or sequential characters.” That means your password of “ffffffff” has to go, too. 

  • Making your password the name of the service? Yeah, no. If the password for your Gmail account is “yournameGmail” then you’re doing it wrong. Don’t put the name of the service, your name, or any derivation thereof in your password. Got it?

Following this advice will benefit you in two ways, both by making it easier to remember your passwords and making them stronger. It’s a rare and wonderful thing when taking your medicine actually tastes good, and yet that’s the exact situation here. 

So embrace the new NIST guidelines, because when it comes to digital security they’re the rare bit of good news. 

Https%3a%2f%2fblueprint api production.s3.amazonaws.com%2fuploads%2fvideo uploaders%2fdistribution thumb%2fimage%2f80316%2ff500b367 c74e 4fa7 97cd cde8f19f3003

Please follow and like us:

Share
#

Write a comment

2+7 = ?