Don’t Change that Pa$$w0rd

So I feel like this is a discussion that needs to be had, mainly because of this article: Engadget: The man who put us through password hell regrets everything. There is just so much wrong with this article, I’ll try to take it idea by idea.

It is incredibly frustrating to constantly think of new passwords with a capital letter, a special character and numbers that isn’t a variation on your old password.

Start with the easiest one… This is solved in one link: DuckDuckGo: Search Results: password 32 strong. “But how am I go to remember 32 random characters for each service I use?” Don’t worry, I’ll get to that in a bit.

One revised recommendation is that IT departments should only force a password change when there’s been some kind of security breach. Otherwise the changes we make are often incremental;

I just find it astounding that this is a suggestion. In the case of a compromised account, is it really best practice to wait around & wait to see if an account is breached? I’m not saying that the typical 72 or 90 day period is much better, but it’s better than leaving the same password, in theory, forever.
As for the “incremental” reason: This has already been answered above. Generate a random password from DuckDuckGo.

Another recommendation is to favor long phrases, rather than short passwords with special characters. There should no longer be a requirement to have a certain mix of special characters, upper case letters and numbers for a password. It turns out that adding in these artificial password restrictions actually produced less secure passwords.

Some please explain to me, how “jfed@d%tDssVBL^^kfUpxiiwu&ty69J@” is less secure than ““Don’tcrybecauseit’sover,smilebecauseithappened.” I’m pretty sure an attacker is going to have some of the most popular book quotes as part of their wordlist. If users are going to pick a long phrase, it’s going to be something easy to remember, i.e.: A popular book quote… If an attacker has one of my passphrases in their word list, then congratulations, you deserve to get into the account.

You can read the full set of draft guidelines at NIST’s website, but this news should be music to the ears of anyone who’s struggled with passwords.

If it’s “music to your ears” then you should admit to yourself that you’re pretty lazy. These days, Password Managers are abundant & easy to use. PC Mag has an article with reviews of various Password Managers, many of them free, with a monthly \ yearly charge for additional features.

I view this admission of Bill Burr as a hit to security, more than anything else. For any readers that work in IT Security, you can likely see the discussion that’s coming… “I read that changing my password & special characters make it less secure…” which is definitely going to be a fun conversation.

EDIT:20170812-1051: And here is a Security Expert with the exact same suggestions…: Graham Cluley: N3v$r M1^d password rules. Get a password manager to generate and remember your passwords instead. Excerpt that perfectly sums up what I was trying to say, in case it wasn’t clear enough:

I’ve been on the internet for almost 30 years and, like I said, have well over 1000 different passwords. There’s no way I can remember them all. It’s this problem which makes people keep choosing dumb, easy-to-guess passwords or (worse) reuse the same passwords over and over again.

The only sensible advice is to use password management software that generates long, complex passwords for you… and then stores them securely for you. Meaning that you – with your puny human brain – don’t have to attempt to remember them.