The origin of this practice can be traced back to a password primer written by a man named Bill Burr in 2003 when he was a manager at the National Institute of Standards and Technology (NIST). He’s the reason I’ve sometimes had passwords based on whatever was in my line of sight at the time of the change (like Stapl3r2015!) and sometimes had password themes like colors+date (like Red!20160310, Blue!20160608, Yellow!20160906).
Fun, right? Okay, maybe not. Changing passwords all the time can be annoying, especially when you change one on a Friday and forget it by Monday, or when you need to go through several tries before landing on something you can remember that’s still different enough from previous passwords. And there are a lot of arguments for why the practice of frequently changing passwords isn’t even that great for security – not the least of which is the habit many people have of writing new passwords down on scraps of paper they leave at their desks as a reference.
So… I was excited to read this week that Mr. Burr recently announced he regrets his advice and that the NIST has released new guidelines that disregard much of what we have been accustomed to for the past 14 years. Among other changes, the new guidelines suggest screening against commonly used or compromised passwords instead of forcing them to fit certain formats. That makes a lot more sense to me – nobody should be able to use something like “Password1!” in a system that’s trying to be secure just because it has the right combination of capitals and special characters!
It will be interesting to see how sites and companies start to integrate these new best practices into their operations – but I’m hoping it won’t mean having to change my current passwords too much!
- “The man who put us through password hell regrets everything” – from Engadget (8/8/17)
- “Man Responsible for Strong Password Requirements Regrets His 2003 Guidelines” – from Digital Trends (8/9/17)
- “The Man Who Wrote Those Password Rules Has a New Tip: N3v$r M1^d!” – from The Wall Street Journal (8/7/17)