Everything you know about passwords is wrong


Was it m@nk3yP@$$w01rd or m0nk3yp@ssw0!rd?


For 20 years, the standard advice for creating a “strong” password that is hard to crack has been to use a mix of letters, numbers and symbols.

It’s so ingrained that when you go to create a new email account you’ll frequently get praising or finger-wagging feedback from the computer on how well your secret code adheres to these guidelines.

And you’re supposed to change it every 90 days.

Now, the man who laid down these widely followed rules says he got it all wrong.

“Much of what I did I now regret,” Bill Burr, a 72-year-old retired former manager at the National Institute of Standards and Technology, told the Wall Street Journal.

In 2003, the then-mid-level NIST manager was tasked with the job of setting rules for effective passwords. Without much to go on, he sourced a whitepaper written in the 1980s. The rules his agency published ended up becoming the go-to guides for major institutions and large companies.

The result is that people create odd-looking passwords and then have to write them down, which is of course less secure than something you can memorize. Users also lean on common substitutions, like “zeroes” for the letter O, which a smart hacker could program their password cracker to look for. Or they pick one “base” password that they can memorize and only change a single number. That’s also not as safe.

“It just drives people bananas and they don’t pick good passwords no matter what you do,” Burr said.

The new password guidelines are both easier to remember, and harder to guess. The NIST’s revised tips say users should pick a string of simple English words — and only be forced to change them if there’s been evidence of a security break-in.

Not only did the old password format frustrate users, it wasn’t even the best way to keep hackers at bay.

For instance, “Tr0ub4dor&3” could take just three days to crack, according to one viral comic whose assertions have been verified by security researchers, while “CorrectHorseBatteryStaple” could take 550 years.
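The entropy arithmetic behind the three-days-versus-550-years comparison, as an added example that is not part of the article or the forum posts: it models the search space of each password recipe and converts bits to crack time. The per-component sizes, the 2,048-word passphrase list and the 1,000 guesses per second rate are assumptions (following the viral comic's estimates), and the word list below is a constructed stand-in.

```python
import math
import secrets

# Constructed word list standing in for a real ~2048-word dictionary;
# the entropy figures use DICTIONARY_SIZE, not len(SAMPLE_WORDS).
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "monkey", "cloud",
                "river", "pencil", "orange", "window", "silver", "garden"]
DICTIONARY_SIZE = 2048          # assumed size of the passphrase word list

# Assumed model of the "word + substitutions + symbol + digit" habit.
# The attacker is assumed to know the recipe, so only the choices made
# *within* the recipe count towards entropy (estimates follow the comic).
COMMON_WORDS = 65536            # ~16 bits: an uncommon dictionary word
LEET_PATTERNS = 8               # ~3 bits: which letters became 0/4/3/@
CAPITALISATION = 2              # 1 bit: first letter upper-cased or not
SYMBOLS = 16                    # 4 bits: one of the usual punctuation marks
DIGITS = 8                      # ~3 bits: one common trailing numeral
ORDERINGS = 2                   # 1 bit: symbol-then-digit or the reverse

GUESSES_PER_SECOND = 1000.0     # assumed rate for a throttled online attack


def pattern_bits() -> float:
    """Entropy (bits) of a password built by the leet-substitution recipe."""
    space = (COMMON_WORDS * LEET_PATTERNS * CAPITALISATION
             * SYMBOLS * DIGITS * ORDERINGS)
    return math.log2(space)


def passphrase_bits(word_count: int, dictionary_size: int = DICTIONARY_SIZE) -> float:
    """Entropy of word_count words drawn uniformly and independently."""
    return word_count * math.log2(dictionary_size)


def crack_time_days(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Time to exhaust a search space of 2**bits guesses at the given rate."""
    return (2 ** bits) / rate / 86400


def generate_passphrase(word_count: int = 4, words=SAMPLE_WORDS) -> str:
    """Draw words with the OS CSPRNG; strength comes from list size and count."""
    return " ".join(secrets.choice(words) for _ in range(word_count))


if __name__ == "__main__":
    for label, bits in (("Tr0ub4dor&3-style", pattern_bits()),
                        ("4-word passphrase", passphrase_bits(4))):
        days = crack_time_days(bits)
        print(f"{label}: {bits:.1f} bits, {days:.1f} days ({days / 365.25:.0f} years)")
    print("example passphrase:", generate_passphrase())
```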


Yeah, I read this yesterday. I am afraid that I am guilty of using letter number combinations in this way. Except for my most serious passwords for banking and other financial stuff which are kept on a secure flash drive. The password for the drive is a particular long sentence that both my wife and I know. The habit of creating easily rememberable passwords with letters and numbers is little different than creating words with Caps and small letters… it’s pretty easy when you know that someone will likely substitute a ’ 3 ’ for an ’ E ’ and a ’ 1 ’ for an ’ I ’…


Now I know why all of my Bitcoin wallet passphrases are really long strings of common words. I thought for some reason that was less secure. Guess not.


My passwords usually consist of a core i.e. “fuckyouhackers” followed by a symbol i.e. “@” and some numbers, but at the beginning I put the site the password is used on, so for example if I was on my youtube


so each of my passwords is different when they are essentially the same.


That seems like a good concept. I really am not that scared of it all. I don’t have millions to steal, plus it is all “protected” from me being responsible. And my social media, well NO ONE wants to be me…
As a comedian once said, “If someone robs me - they are just practicing” 🙂


Well the thing is, I don’t have much to lose but if I do lose them, I can’t afford rent and school and utilities. If you hit the big bank you make it big but you also gain notoriety. If you hit small little banks, and many of them without much visibility, you’re set for a long run.