The year was 2003 when former National Institute of Standards and Technology manager Bill Burr laid down the law on how people should create masterful passwords that would stand the test of time and be unbreakable for nefarious elements of the Internet.
His password advice for the masses was twofold and massively flawed.
Step 1: Use irregular capitalization, special characters, and at least one number to turn common phrases into harder-to-solve ones. An unfortunate example from 16 years ago was “P@ssW0rd123!” which is a play on password123, one of the most commonly recognized terrible choices for a password in the entire world.
Step 2: Change your passwords regularly, at least once every 90 days. Burr’s advice was written up in a very official sounding report called “NIST Special Publication 800-3. Appendix A” and adopted around the world by companies, colleges, governments, and individuals.
Burr’s Two Oversights
Burr’s first mistake was encouraging people to use known words with different permutations of replacement characters and irregular capitalization rules. Not only is it a bad idea to use variations of known words, but it results in lots of people using the exact same techniques, giving hackers the ability to guess certain predictive traits that can lead them to be able to guess lots of passwords with the same criteria.
The second mistake was the worse of the two. Picking one password at one time usually has a person giving their best effort because it’s the first time doing it. When 90 days have passed and it’s time for another password, the employee is likely to be busy doing lots of other things and is not nearly as interested in dedicating a lot of time and effort into picking another equally strong password. In fact, they are far more likely to just slightly alter their current password to make it easier to remember. For instance, if a junior employee Lily originally picks the password ‘IloveMonkeyz00” when she signed on to a new company, her most likely password replacement 90 days later is “IloveMonkeyz01”.
The Better Solution
Instead of trying to remember a series of complicated passwords for all of your online accounts, the best solution is to employ a password manager like Dashlane. Password managers take the memorization frustration out of your individual user accounts by loading all of those complicated passwords into one third-party vault that you control with one master password. The master password is formulated much like you want your individual passwords formulated. You take a series of words, characters, and numbers that are unique to you and would be very difficult for anyone else to guess. This is the only password you will have to remember for the duration of the time you use the Password Manager. Whenever you want to sign on to one of your other accounts, you’ll only need to remember the Master Password, which will in turn cue the vault to enter the correct user name and password for the individual site and open up your access.