Users Misled by Bad Password Advice

PaulRubens - August 9, 2017 - 12:29 PM

A security expert has admitted that much of the password advice he gave out in the past is wrong.

(CCM) — Much of the password advice given out over the last 16 years is just plain wrong, the author of a guide to computer passwords has admitted. Bill Burr wrote the guide in 2003, and it was distributed to companies and other organizations by the U.S. government's National Institute of Standards and Technology (NIST), according to a BBC report. In it he recommended that users change their passwords at least every 90 days and substitute numbers and symbols for letters in words to create passwords like "1n$ecure".

But security experts now recommend that users do not change their passwords frequently because remembering them becomes too difficult. In practice this tends to result in users making simple modifications to their password, such as changing "1n$ecure1" to "1n$ecure2". These changes are easy to guess and add little in terms of security.

It has also been shown that passwords made up of simple words with common substitutions (such as "1" for "i" or "$" for "s") are far easier for hackers to guess than "passphrases" — a made-up combination of words, such as "farewellactually."
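The two weaknesses described in the preceding paragraphs (incremental rotation of an old password, and common words dressed up with symbol substitutions) are both things a password-change handler can reject at the point of entry. The following is an added example written for this article, not code from the article or from NIST; the substitution table, the tiny word list and the sample passwords are constructed for illustration.

```python
# Added example: defender-side checks for a proposed new password.
# The substitution table and COMMON_WORDS are constructed for illustration;
# a real deployment would use a large breached-password or dictionary list.
import re
from typing import List, Optional

# Common digit/symbol-for-letter substitutions, mapped back to the letter.
SUBSTITUTIONS = {"1": "i", "!": "i", "$": "s", "5": "s", "0": "o",
                 "3": "e", "4": "a", "@": "a", "7": "t", "+": "t"}

# Constructed mini word list (stand-in for a real dictionary).
COMMON_WORDS = {"insecure", "password", "welcome", "letmein"}


def stem(password: str) -> str:
    """Strip a trailing counter such as the "1" in "1n$ecure1"."""
    return re.sub(r"[\d\W_]+$", "", password)


def normalize(password: str) -> str:
    """Undo common substitutions and case: "1n$ecure" -> "insecure"."""
    return "".join(SUBSTITUTIONS.get(ch, ch) for ch in password).lower()


def is_substituted_word(password: str) -> bool:
    """True if the password is just a common word with substitutions applied."""
    return normalize(stem(password)) in COMMON_WORDS


def is_trivial_rotation(old: str, new: str) -> bool:
    """True if the new password only changes or appends a trailing counter,
    e.g. "1n$ecure1" -> "1n$ecure2" or "1n$ecure" -> "1n$ecure1"."""
    stem_old, stem_new = stem(old).lower(), stem(new).lower()
    return stem_old != "" and stem_old == stem_new


def check_new_password(old: Optional[str], new: str) -> List[str]:
    """Return the policy problems with a proposed password (empty = accepted)."""
    problems = []
    if is_substituted_word(new):
        problems.append("common word with predictable substitutions")
    if old is not None and is_trivial_rotation(old, new):
        problems.append("trivial modification of the previous password")
    return problems


if __name__ == "__main__":
    for old, new in [("1n$ecure1", "1n$ecure2"), (None, "P@$$w0rd"),
                     ("1n$ecure1", "farewellactually")]:
        print(repr(new), "->", check_new_password(old, new) or "accepted")
```

The passphrase "farewellactually" passes both checks, while the substituted word and the incremented password are rejected with a reason the user can act on.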

Many experts also recommend that people use password manager programs, which can store passwords securely and enter them when needed automatically after the user supplies a single "master password."