The Wall Street Journal published a fun article yesterday by Robert McMillan, cutely entitled "The Man Who Wrote Those Password Rules Has a New Tip: N3v$r M1^d!".
Here's part of the article:
Long, easy-to-remember phrases now get the nod over crazy characters, and users should be forced to change passwords only if there is a sign they may have been stolen, says NIST, the federal agency that helps set industrial standards in the U.S.
Amy LaMere had long suspected she was wasting her time with the hour a month it takes to keep track of the hundreds of passwords she has to juggle for her job as a client-resources manager with a trade-show-display company in Minneapolis. "The rules make it harder for you to remember what your password is," she said. "Then you have to reset it and it just makes it take longer."
When informed that password advice is changing, however, she wasn't outraged. Instead, she said it just made her feel better. "I'm right," she said of the previous rules. "It just doesn't make sense."
Academics who have studied passwords say using a series of four words can be harder for hackers to crack than a shorter hodgepodge of strange characters, since having a large number of letters makes things harder than a smaller number of letters, characters and numbers.
It's an enjoyable article, but what it fails to tackle is one of the central challenges for all of us who use passwords. No, not the challenge of generating a memorable but hard-to-crack password. The challenge is how we are going to do that over and over and over again.
Because the simple truth is that we need a lot of passwords to run our online life (I have over 1000), and security experts tell us that it's a very bad idea to reuse the same passwords in different places.
The problem with all advice about how to concoct passwords is that it simply doesn't scale to deal with our need to have oodles of different passwords.
It's all very well educating the public how to make a decent password if they only have one, two or three passwords to remember... but what happens when they go on the internet, and start needing new passwords faster than a one-legged man in a butt-kicking competition?
I've been on the internet for almost 30 years and, like I said, have well over 1000 different passwords. There's no way I can remember them all. It's this problem which makes people keep choosing dumb, easy-to-guess passwords or (worse) reuse the same passwords over and over again.
The only sensible advice is to use password management software that generates a long, random password for each site you sign up to... and then stores them all in an encrypted vault, protected by a single strong master password (or your device's unlock mechanism). Meaning that you - with your puny human brain - don't have to attempt to remember them.
Do that, and the only secret you have to remember is the master password. You won't have to remember hundreds of individual passwords, and you won't have to remember your secure method of making them up. You now have a program that does it for you.
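To put numbers on the two points above (the article's claim that four words beat a short "hodgepodge", and the recommendation that a manager should generate a distinct random password per site), here is an added example; it is not code from the original post or from any particular password manager. It estimates entropy as length × log2(alphabet size), generates passphrases and character passwords with Python's CSPRNG-backed `secrets` module, and checks that a batch of a thousand generated passwords contains no reuse. The word list is a constructed 16-word sample; a real generator would use a published list such as the 7,776-word EFF list, and the entropy figure for that list size is computed from the number, not the sample. The "one dictionary word plus mangling rules" cracker model (10,000 words × 100 rules) is an illustrative assumption, not a measured figure.

```python
import math
import secrets
import string

# Constructed sample for the demonstration only. A real passphrase generator
# uses a large published list (e.g. the EFF long list, 7,776 words).
SAMPLE_WORDS = [
    "correct", "horse", "battery", "staple", "glacier", "pumpkin", "violin",
    "harbor", "tunnel", "meadow", "copper", "lantern", "oyster", "pebble",
    "quartz", "ribbon",
]

# Letters, digits and punctuation: 94 printable ASCII symbols.
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of `length` independent, uniformly random picks from `pool_size` options."""
    return length * math.log2(pool_size)


def generate_passphrase(words=SAMPLE_WORDS, count=4, sep=" ") -> str:
    """Pick `count` words uniformly at random (with replacement) using the OS CSPRNG."""
    return sep.join(secrets.choice(words) for _ in range(count))


def generate_password(length=16, alphabet=FULL_ALPHABET) -> str:
    """Random character password; secrets.choice is unbiased, unlike random.choice."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare_strength() -> dict:
    """Entropy estimates (bits) for the password styles discussed in the article."""
    # Assumed cracker model for a human-made "hodgepodge" like P@ssw0rd1:
    # one of ~10,000 common words transformed by one of ~100 mangling rules.
    # These counts are illustrative assumptions, not measurements.
    mangled_word = entropy_bits(10_000, 1) + entropy_bits(100, 1)
    return {
        "1 common word + mangling rules (assumed model)": mangled_word,
        "8 random chars, 94-symbol alphabet": entropy_bits(94, 8),
        "4 random words, 7776-word list": entropy_bits(7776, 4),
        "16 random chars, 94-symbol alphabet": entropy_bits(94, 16),
    }


def build_vault(sites, length=16) -> dict:
    """What a manager does for you: one fresh random password per site, stored by name."""
    return {site: generate_password(length) for site in sites}


def reused_passwords(vault: dict) -> list:
    """Return the passwords that appear under more than one site (should be empty)."""
    seen, dupes = {}, set()
    for site, pw in vault.items():
        if pw in seen:
            dupes.add(pw)
        seen[pw] = site
    return sorted(dupes)


if __name__ == "__main__":
    for label, bits in compare_strength().items():
        print(f"{bits:6.1f} bits  {label}")
    print("passphrase:", generate_passphrase())
    print("password:  ", generate_password())
    vault = build_vault([f"site{i}.example" for i in range(1000)])
    print("reused passwords across 1000 sites:", reused_passwords(vault))
```

The comparison is honest about what the article glosses over: four words from a 7,776-word list (about 51.7 bits) are roughly as strong as 8 fully random characters, and weaker than 16. Their advantage over the "hodgepodge" is that a human-chosen mangled word is cracked by dictionary-plus-rules attacks at far below its apparent complexity, while the four words remain memorable. Once a manager is generating the passwords, length is free, so it should default to something like the 16-character row.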
Oh, and by the way, I agree with NIST's advice that users should be forced to change their passwords only if there is a risk that they have been breached, for reasons I have previously described.
For further discussion on passwords, make sure to listen to this episode of the "Smashing Security" podcast.