The Real Rules for Strong Computer Passwords Go Against Everything You've Been Told

Everybody knows the rules for writing a password: you have to use upper and lowercase letters, a number or two, and preferably a symbol, if you want to be really secure. That rule came from a man named Bill Burr, and in 2017, he took it all back. That's not the way to make a secure password, he says. In fact, it's led most of us to make our passwords even easier to crack.

An Annoying Rule That Was Always Wrong

The uppercase/numbers/symbols rule came from a 2003 report from the National Institute of Standards and Technology (NIST), where Burr was a manager, with the poetic title "NIST Special Publication 800-63. Appendix A." Every time you sign up for a new account on a website and get a prompt to create a password that includes "lowercase letters, uppercase letters, and non-alphabetic symbols," you're using the rules laid out in that report. Recommendations to avoid dictionary words and to change your password every 90 days? Those came from Burr's report too.

Unfortunately, in 2003, there wasn't much data on what made a strong password — he was left to rely on a white paper written in the '80s. "Much of what I did I now regret," Burr told the Wall Street Journal.

Here's the problem: Passwords written with numbers and symbols are hard to remember, so people make them shorter in order to keep them memorable. But when it comes to password security, length is more important than complexity. According to InfoSec Institute, a 16-character password made up of just numbers is just as difficult to crack as an eight-character password that uses any possible characters, even though the former uses a character set of 10 (0–9) and the latter uses a set of 94.

That rule to create new passwords every 90 days is no good, either. Constantly having to memorize a new password makes people go for memorability over length and complexity, which is bad news for password security.

The Right Way

It's not every day that a webcomic is cited as evidence for overturning an established rule, but that's just what happened in the Wall Street Journal's 2017 interview with Burr (but to be fair, xkcd isn't your average webcomic). "In a widely circulated piece," WSJ computer-security columnist Robert McMillan wrote, "cartoonist Randall Munroe calculated it would take 550 years to crack the password 'correct horse battery staple,' all written as one word. The password Tr0ub4dor&3 (a typical example of a password using Mr. Burr's old rules) could be cracked in three days, according to Mr. Munroe's calculations, which have been verified by computer-security specialists."
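To make the length-versus-complexity argument above concrete, here is a small added Python example (not part of the original article, and not NIST's or xkcd's own code) that turns each password scheme into bits of search space and a worst-case brute-force time at a fixed guess rate. The 16-digit versus 8-character comparison uses plain character-set arithmetic; the 28-bit budget for Tr0ub4dor&3 reproduces xkcd's pattern-based estimate (an attacker who knows the "word plus substitutions plus suffix" habit does not search all 94^11 strings), and the 2,048-word list and 1,000 guesses per second are assumptions carried over from that comic.

```python
import math

# What matters to a guessing attacker is the size of the search space:
# charset ** length for a character-class password, wordlist ** words for a
# passphrase. Expressing both as bits (log2) makes them directly comparable.

SECONDS_PER_DAY = 86400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY  # assumed calendar year


def charset_bits(charset_size: int, length: int) -> float:
    """Bits of search space for `length` symbols drawn uniformly from an
    alphabet of `charset_size` symbols (e.g. 10 for digits, 94 for printable
    ASCII without the space)."""
    if charset_size < 2 or length < 1:
        raise ValueError("need an alphabet of at least 2 symbols and length >= 1")
    return length * math.log2(charset_size)


def passphrase_bits(wordlist_size: int, words: int) -> float:
    """Bits of search space for `words` words picked uniformly, with
    replacement, from a list of `wordlist_size` words."""
    if wordlist_size < 2 or words < 1:
        raise ValueError("need a word list of at least 2 words and words >= 1")
    return words * math.log2(wordlist_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a fixed guess rate.
    The expected time for a uniformly random secret is half of this."""
    if guesses_per_second <= 0:
        raise ValueError("guess rate must be positive")
    return 2.0 ** bits / guesses_per_second


def days_to_exhaust(bits: float, guesses_per_second: float) -> float:
    return seconds_to_exhaust(bits, guesses_per_second) / SECONDS_PER_DAY


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    return seconds_to_exhaust(bits, guesses_per_second) / SECONDS_PER_YEAR


# xkcd 936's budget for "Tr0ub4dor&3": an attacker who knows the habit
# (dictionary word, one capital, leetspeak swaps, a digit and a symbol on the
# end) searches far less than 94**11. Constant reproduced from the comic:
#   16 bits uncommon base word, 1 caps, 3 substitutions,
#   4 punctuation, 3 numeral, 1 for the order of the suffix.
XKCD_TROUBADOR_BITS = 16 + 1 + 3 + 4 + 3 + 1


def compare(guesses_per_second: float = 1000.0) -> dict:
    """Put the article's four cases side by side at one assumed guess rate.

    Returns {label: (bits, worst-case years to exhaust)}.
    """
    cases = {
        "16 digits (0-9)": charset_bits(10, 16),
        "8 chars, 94-symbol set": charset_bits(94, 8),
        "Tr0ub4dor&3 (xkcd pattern estimate)": float(XKCD_TROUBADOR_BITS),
        "correct horse battery staple (4 of 2048 words)": passphrase_bits(2048, 4),
    }
    return {
        name: (bits, years_to_exhaust(bits, guesses_per_second))
        for name, bits in cases.items()
    }


if __name__ == "__main__":
    for name, (bits, yrs) in compare().items():
        print(f"{name:48s} {bits:6.1f} bits  {yrs:>16,.2f} years")
```

At 1,000 guesses per second the four-word passphrase comes out at 44 bits and roughly 557 years to exhaust, matching the "550 years" quoted above, while the 28-bit pattern estimate for Tr0ub4dor&3 falls in about three days; the 16 digits (about 53 bits) edge out the 8 mixed characters (about 52 bits), which is the InfoSec Institute point from earlier in the article. Change the guess rate to see how an offline attack against a leaked hash database compresses every figure proportionally; the ranking between schemes does not change.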

NIST's rewritten rules are in the works, and even once they're published, most password-protected websites will probably be slow to catch on. But even though you may be required to use the old rules, you can still create a long, strong password that just happens to include a mix of upper and lowercase letters and a numeral or two.

Even better, you can use a password manager. Services like 1Password and LastPass store all of your account passwords behind one extra-long super password, and make them available to you through a variety of desktop programs, mobile apps, and browser add-ons. Many also help you create a different, super-secure password for each of your accounts. Because they keep you from needing to remember all of your passwords, you're more likely to choose something secure over something memorable — and your online security will be better for it.

Written by Ashley Hamer August 10, 2017