I’ve got good news and bad news.
The good news is, you don’t have to use whacky characters in your passwords anymore.
The bad news is, you wasted a lot of time using them for the past fourteen years.
It all started with a guy named Bill Burr, who was a manager at the National Institute of Standards and Technology when he wrote a groundbreaking, very clever and influential document entitled “NIST Special Publication 800-63. Appendix A.” (It’s a wonder no one’s ever written a song based on that title.)
In that document, he suggested that people create passwords using a mixture of upper and lower case letters, numbers and obscure characters like the ones in the title of this column. This, of course, made perfect sense, since “@hg*!$/” is obviously a lot harder to guess than “mydogfido.”
Except, it really isn’t. It’s about 10,000 times easier. Because, in the case of choosing passwords, size matters. In fact, it’s the only thing that does.
If you’re a human being trying to guess someone’s password, you’ve got about ten or twenty tries before you get locked out. Even if you don’t get locked out, you might get through a couple of hundred guesses in an hour if you’re patient and methodical.
Using standard keyboard characters — there are roughly 100 — only three characters are needed to make 10,000 different passwords. So unless you get lucky because the password you’re trying to guess is someone’s dog’s name or their birthdate or phone number, you’re just plain never going to get it.
This is why the only way to crack a password is using a computer, which can make millions of guesses per second. (Some of you are probably wondering, How is that possible when it takes me several seconds just to re-enter one password after I make a mistake? And what about getting locked out after ten or twenty tries? Good questions. The reason is that computer password guessing doesn’t work by entering a password and seeing if access is granted. In a later piece, we’ll talk about how it’s actually done.)
How long it takes to guess a password using “brute force” — running through all the possible combinations until you get a hit — is a function of how long the password is. It has nothing to do with which characters were used to construct the password. And even if you assume that there were no special characters, just the 62 upper and lower case letters and the digits 0 through 9, it doesn’t take advanced math to see how many combinations can be generated in an easily remembered password. Which brings us to the nub of the thesis here.
Suppose you construct an 11-character password according to Mr. Burr’s original guidelines, such as this: “Mht35$%!oi/”
A good-sized computer can crack it in three days.
But a password like “Jack Daniels. Not just for breakfast anymore?”
The universe will have evaporated before you’re done. That password is 100 percent secure against a brute force search (or at least it was until it was published here, so don’t use it.).
There are two rules when coming up with a password:
1. Make it easy to remember.
2. Make it hard to guess.
The “Jack Daniels” example above beats “Mht35$%!oi/” in both respects.
By the way. Mr. Burr himself recently acknowledged the folly of his original thesis, and feels a little bad about it. All is forgiven, but the problem we’re left with is that most websites still demand that you throw in some mixed-case letters, numbers and special characters, and it’s apparently going to be a while before they give in and just demand longer passwords instead.
Here’s what I recommend: Use long, easily remembered passwords, like “Hendrix Haydn Yanni Manilow” and prepend a string like “Aa!#” to the front of each one. Use the same string so you don’t forget it. It won’t matter: It’s the custom part that counts, and that should be different for each site you visit. For example:
Your bank: Aa!#Schatzi the wonder dog
Yelp: Aa!#Bada boom bada bing
Facebook: Aa!#Oh my aching back
Got it? Good. Now forget it.
Instead of entering passwords manually, I highly recommend using a password manager to generate and enter all of your passwords so you never have to memorize or even see one again. All you have to remember is the master password for the password manager and it does all the work for you.
I’ve been using LastPass for many years and it has saved countless hours of frustration and tedium. There are other respected ones, and the basic versions are either free or low cost. Some contain additional useful features, like automatic form filling so you don’t have to keep putting your name, address, phone number, credit card, etc., into different shopping sites. The software does it all for you.
But the heart of it is allowing you to use very secure passwords without the tedium and memorization of the “manual” method.
Oh, one other thing: You know the bit about changing your password every sixty or ninety days? Research has shown that this isn’t really necessary if you use secure passwords, unless you know that a site has been compromised.
Practicing safe computing is demanding enough. There’s no reason to make it even more so just to satisfy some “common sense” notions that don’t stand up to scrutiny.
Lee Gruenfeld is a managing partner of Cholawsky and Gruenfeld Advisory, as well as a principal with the TechPar Group in New York, a boutique consulting firm consisting exclusively of former C-level executives and "Big Four" partners. He was vice president of strategic initiatives for Support.com, senior vice president and general manager of a SaaS division he created for a technology company in Las Vegas, national head of professional services for computing pioneer Tymshare, and a partner in the management consulting practice of Deloitte in New York and Los Angeles. Lee is also the award-winning author of fourteen critically-acclaimed, best-selling works of fiction and non-fiction. For more of his reports — Click Here Now.
© 2022 Newsmax. All rights reserved.