What Makes A Good Computer Password? (Probably Not What You've Been Told)

Everybody knows the rules to writing a password: you have to use upper and lowercase letters, a number or two, and preferably a symbol, if you want to be really secure. That rule came from a man named Bill Burr, and in 2017, he took it all back. That's not the way to make a secure password, he says. In fact, it's led most of us to make our passwords even easier to crack.

An Annoying Rule That Was Always Wrong

The uppercase/numbers/symbols rule came from a 2003 report from the National Institute of Standards and Technology (NIST), where Burr was a manager, with the poetic title "NIST Special Publication 800-63. Appendix A." Every time you sign up for a new account on a website and get a prompt to create a password that includes "lowercase letters, uppercase letters, and non-alphabetic symbols," you're using the rules laid out in that report. Recommendations to avoid dictionary words and to change your password every 90 days? Those came from Burr's report too.

Unfortunately, in 2003, there wasn't much data on what made a strong password — he was left to rely on a white paper written in the '80s. "Much of what I did I now regret," Burr told the Wall Street Journal.

Here's the problem: passwords written with numbers and symbols are hard to remember, so people make them shorter in order to keep them memorable. But when it comes to password security, length is more important than complexity. According to InfoSec Institute, a 16-character password made up of just numbers is just as difficult to crack as an eight-character password that uses any possible characters, even though the former uses a character set of 10 (0–9) and the latter uses a set of 94.

That rule to create new passwords every 90 days is no good, either. Constantly having to memorize a new password makes people go for memorability over length and complexity, which is bad news for password security.

The Right Way

It's not every day that a webcomic is cited as evidence for overturning an established rule, but that's just what happened in the Wall Street Journal's 2017 interview with Burr (but to be fair, xkcd isn't your average webcomic). "In a widely circulated piece," WSJ computer-security columnist Robert McMillan wrote, "cartoonist Randall Munroe calculated it would take 550 years to crack the password 'correct horse battery staple,' all written as one word. The password Tr0ub4dor&3 (a typical example of a password using Mr. Burr's old rules) could be cracked in three days, according to Mr. Munroe's calculations, which have been verified by computer-security specialists."

NIST's rewritten rules are in the works, and even once they're published, most password-protected websites will probably be slow to catch on. But even though you may be required to use the old rules, you can still create a long, strong password that just happens to include a mix of upper and lowercase letters and a numeral or two. Even better, you can use a password manager. Services like 1Password and LastPass store all of your account passwords behind one extra-long super password, and make them available to you through a variety of desktop programs, mobile apps, and browser add-ons. Many also help you create a different, super-secure password for each of your accounts. Because they keep you from needing to remember all of your passwords, you're more likely to choose something secure over something memorable — and your online security will be better for it.

Want to learn more about protecting your information online? Listen to our conversation with the deputy chief of research at the Army Cyber Institute on the Curiosity Podcast. Stream or download the episode using the player below, or find it everywhere podcasts are found, including iTunes, Stitcher, SoundCloud, and Gretta.

How to Choose a Password

Share the knowledge!
Written by Ashley Hamer August 10, 2017