Why Your 'Strong' Password Isn't That Strong

Gerhard says: "The other thing people will do is use the same password everywhere, which is a really, really bad idea".

You know the drill: make a password with a hodgepodge of special characters, numbers, and letters, then change it periodically, or just ignore change alerts until a hacking scandal suddenly arises. Use different passwords on every website.

But they are wrong.

"Many people who have traveled a little bit have noticed that Google will actually check who you are if you just move outside the area that you are in", he explained. The government does not protect unclassified systems the same way it does Top Secret infrastructure, and neither should you. Of course, multi-factor authentication can also augment security when appropriate and available.

While working for the National Institute of Standards and Technology in 2003, Bill Burr wrote "NIST Special Publication 800-63".

Grassi's advice is to use longer, but easier to remember, "passphrases". Users also lean on common substitutions, like the digit 0 for the letter O, which a smart hacker could program their password cracker to look for.
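Two of the points above, that a dictionary word with substitutions such as "P@ssw0rd" is still a dictionary word to a cracker, and that a longer passphrase of randomly chosen words is both easier to remember and stronger, can be shown with the kind of estimate a password-strength checker makes. The following is an added example in Python, not code from the article or from NIST; the word list, the substitution map, and the dictionary-size and rule-count parameters of the attacker model are constructed assumptions.

```python
import math

# Constructed mini word list standing in for a real cracking dictionary,
# which would hold hundreds of thousands of words and leaked passwords.
COMMON_WORDS = {"password", "welcome", "summer", "letmein", "monkey", "dragon"}

# Common substitutions that cracker rule sets already reverse (assumed map;
# some digits are ambiguous, e.g. '1' may stand for 'i' or 'l').
LEET_MAP = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
            "7": "t", "@": "a", "$": "s", "!": "i"}

# Characters commonly tacked onto the end of a word to satisfy complexity rules.
COMMON_SUFFIX_CHARS = "0123456789!?."


def unleet(pw: str) -> str:
    """Undo common substitutions and lowercase: 'P@ssw0rd' -> 'password'."""
    return "".join(LEET_MAP.get(c, c) for c in pw).lower()


def is_disguised_dictionary_word(pw: str) -> bool:
    """True when the password is a known word plus substitutions and/or a suffix."""
    core = pw.rstrip(COMMON_SUFFIX_CHARS)
    return unleet(core) in COMMON_WORDS


def charset_entropy_bits(pw: str) -> float:
    """Nominal strength: bits if every character were drawn uniformly from the
    character classes present. This is what complexity rules implicitly assume."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 33  # printable ASCII punctuation and space
    return len(pw) * math.log2(size) if size else 0.0


def realistic_entropy_bits(pw: str, dictionary_size: int = 100_000,
                           rule_count: int = 1_000) -> float:
    """Attacker's-eye estimate (constructed model): a disguised dictionary word
    falls within dictionary_size * rule_count guesses no matter how many symbols
    it contains; anything else is credited with its nominal charset entropy."""
    if is_disguised_dictionary_word(pw):
        return math.log2(dictionary_size * rule_count)
    return charset_entropy_bits(pw)


def passphrase_entropy_bits(n_words: int, wordlist_size: int = 7776) -> float:
    """Strength of n words chosen uniformly at random from a list
    (7776 = the Diceware list). Holds only for random choice, not a quotation."""
    return n_words * math.log2(wordlist_size)


def compare(pw: str, n_words: int) -> dict:
    """Side-by-side numbers for a 'complex' password and an n-word passphrase."""
    return {
        "nominal_bits": round(charset_entropy_bits(pw), 1),
        "realistic_bits": round(realistic_entropy_bits(pw), 1),
        "passphrase_bits": round(passphrase_entropy_bits(n_words), 1),
    }


if __name__ == "__main__":
    for pw in ("P@ssw0rd!", "Summ3r2024!", "Xk9#vQ2m"):
        print(pw, is_disguised_dictionary_word(pw), compare(pw, 4))
```

The nominal figure is what complexity rules measure; the realistic figure is what an attacker faces, and a four-word random passphrase beats a substituted dictionary word on it by a wide margin. The passphrase figure applies only to words drawn at random from a list, which is why a memorable quotation or song lyric does not get the same credit.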

The complicated and easily forgotten password filled with random numbers and symbols is the bane of many office workers' lives.

"In any event, people wound up with a bunch of fairly complicated rules as a result of that, and relatively short password change intervals in their systems, and I say the net result is to drive people insane and to get them to do dumb things, which don't improve their security at all", he said. The fact that we blindly follow rules created 15 years ago, before we knew much about cybersecurity and the dangers we face today, is simply irresponsible.

"Through 20 years of effort, we've successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess", he wrote.

Some phones have built-in software to manage passwords.

It would be nice if legitimate businesses never asked people their passwords over the phone; but, some do so on a regular basis. Despite most of the advice in Special Publication 800-63 being off-base or outright wrong, the password rules within its pages became IT canon and remained so for nearly 15 years. He was not a security expert, and the 72-year-old bureaucrat is now apologising for what he has done.

It said at the time that overly complex passwords are often more of a hindrance than a help. However, these types of recommendations are usually implemented as best practices for security.

Mr Burr also suggested that people should change their passwords regularly and at least every 90 days. Are you planning on changing your company password policy?

Do all those numbers and punctuation marks in your passwords actually make them stronger?

Yes, creating a password can be a headache.