Was it m@nk3yP@$$w01rd or m0nk3yp@ssw0!rd?
For 20 years, the standard advice for creating a “strong” password that is hard to crack has been to use a mix of letters, numbers and symbols.
It’s so ingrained that when you go to create a new email account you’ll frequently get praising or finger-wagging feedback from the computer on how well your secret code adheres to these guidelines.
And you’re supposed to change it every 90 days.
Now, the man who laid down these widely followed rules says he got it all wrong.
“Much of what I did I now regret," Bill Burr, a 72-year-old retired former manager at the National Institute of Standards and Technology told the Wall Street Journal.
In 2003, the then-mid-level NIST manager was tasked with the job of setting rules for effective passwords. Without much to go on he sourced a whitepaper written in the 1980s. The rules his agency published ended up becoming the go-to guides for major institutions and large companies.
The result is that people create odd-looking passwords and then have to write them down, which is of course less secure than something you can memorize. Users also lean on common substitutions, like “zeroes” for the letter O, which a smart hacker could program their password cracker to look for. Or they pick one “base” password that they can memorize and only change a single number. That’s also not as safe.
“It just drives people bananas and they don’t pick good passwords no matter what you do,” Burr said.
The new password guidelines are both easier to remember, and harder to guess. The NIST’s revised tips say users should pick a string of simple English words — and only be forced to change them if there’s been evidence of a security break-in.
Not only did the old password format frustrate users, it wasn’t even the best way to keep hackers at bay.
For instance, “Tr0ub4dor&3” could take just three days to crack, according to one viral comic whose assertions have been verified by security researchers, while “CorrectHorseBatteryStaple” could take 550 years.