If you are a long-time listener of the podcast, or maybe you just listened to our ‘Best Of Episode’ (if you haven’t, you really should!), you might remember the little bit of audio below where we talk about how silly it is to have to change your password every 60 days if you work for a large company or business.
Well, cut to a year and a bit after we made those comments, and the man responsible for the practice of having to change your password so often and use obscure characters, Bill Burr, has told the Wall Street Journal that he regrets much of the advice he put forward in his report. His suggestions and practices were adopted by most government bodies and large companies across the world, which is probably why you have to use special characters like ‘P@ssword!2’ and change your password every 60 days. That almost forces you to be lazy and just add a 1 or 2 to the end of the same password you’ve been using for years.
The only problem was that when he wrote the guidelines the internet was such a young place. The report came out in 2003, so no one really knew what they were doing in terms of internet security, and everyone took these guidelines as gospel. He even referenced some papers from the 80s, well before the internet was even a thing, which goes to show how little anyone really understood about password security.
An updated version of the guidelines has been published and has done away with most of what Burr originally suggested. The updated guidelines move away from frequent password changes and special-character requirements, and instead suggest using long passphrases of random words, for example “brownhorsemonkeyrain” or “snakeappletreetable” (maybe not those exactly, but you get the idea). Basically, pick an easy-to-remember phrase of random words, never tell anyone, and your password will never have to be changed. That, or just use a password manager like KeePass or LastPass and randomly generate all your passwords.
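To put some numbers behind the “random words beat special characters” point, here is a small Python example written for this post (it is not code from the guidelines, from Burr, or from the podcast). It generates a passphrase from a word list using the operating system’s cryptographic random source, estimates the entropy of that passphrase from the list size and word count, and checks a candidate password against a typical 2003-style composition rule. The word list is a constructed sample of sixteen words; a real generator would draw from a list of several thousand words, which is what makes the entropy figure worthwhile, so the 7776-word figure used below is an assumption about list size rather than anything the post states.

```python
"""Passphrase entropy vs. legacy composition rules (added example)."""
import math
import re
import secrets

# Constructed sample word list. A real generator would use a list of several
# thousand words; this short list only exists so the example runs offline.
SAMPLE_WORDS = [
    "brown", "horse", "monkey", "rain", "snake", "apple", "tree", "table",
    "river", "stone", "cloud", "paper", "light", "green", "music", "candle",
]


def passphrase_entropy_bits(word_count: int, list_size: int) -> float:
    """Entropy of a passphrase whose words are each drawn uniformly and
    independently from a list of `list_size` words.  Each word contributes
    log2(list_size) bits, so the total is word_count * log2(list_size)."""
    if word_count < 1 or list_size < 2:
        raise ValueError("need at least one word and a list of two or more words")
    return word_count * math.log2(list_size)


def generate_passphrase(word_count: int = 4, words=SAMPLE_WORDS, sep: str = "") -> str:
    """Build a passphrase with `secrets.choice` (CSPRNG), never `random.choice`,
    so that the entropy estimate above actually holds."""
    return sep.join(secrets.choice(words) for _ in range(word_count))


def satisfies_legacy_policy(password: str) -> bool:
    """A typical legacy composition rule: at least 8 characters with an
    upper-case letter, a lower-case letter, a digit and a special character.
    'P@ssword!2' passes this rule; a long all-lower-case passphrase does not,
    even though the passphrase is the stronger choice."""
    return (
        len(password) >= 8
        and re.search(r"[A-Z]", password) is not None
        and re.search(r"[a-z]", password) is not None
        and re.search(r"[0-9]", password) is not None
        and re.search(r"[^A-Za-z0-9]", password) is not None
    )


def suffix_rotation_entropy_bits(digit_count: int) -> float:
    """If a user keeps the same base password and only rotates a numeric
    suffix at each forced change, the change adds just log2(10**digit_count)
    bits: one digit adds ~3.3 bits, two digits ~6.6 bits."""
    return math.log2(10 ** digit_count)


def compare(word_count: int = 4, list_size: int = 7776) -> dict:
    """Summarise the comparison for a list of `list_size` words (7776 is the
    size of a common diceware-style list; assumed here, not taken from the post)."""
    return {
        "passphrase_bits": round(passphrase_entropy_bits(word_count, list_size), 1),
        "legacy_accepts_P@ssword!2": satisfies_legacy_policy("P@ssword!2"),
        "legacy_accepts_passphrase": satisfies_legacy_policy("brownhorsemonkeyrain"),
        "two_digit_rotation_bits": round(suffix_rotation_entropy_bits(2), 1),
    }


if __name__ == "__main__":
    print("sample passphrase:", generate_passphrase(4, sep="-"))
    for key, value in compare().items():
        print(f"{key}: {value}")
```

The takeaway the numbers show: four words from a 7776-word list give about 51.7 bits of entropy, while the legacy rule happily accepts ‘P@ssword!2’ and rejects the stronger passphrase, and a forced change that only bumps a two-digit suffix adds under 7 bits. The example uses `secrets` rather than `random` because the entropy estimate is only valid when the word selection is genuinely unpredictable.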
This all might be redundant anyway with the rise of 2-factor authentication, which requires a separate verification such as your mobile phone, email, region or IP to prove who you are, on top of IP-based login protection. If we move towards 2-factor authentication for everything, do we even need a secure password in the first place? Gabe Newell, CEO of Valve, gave out his Steam password in 2011 because, without access to his email or phone, there is no way to log into his account by knowing the password alone.
How long it will take for all these businesses and companies to catch on that changing your password every 60 or 90 days is stupid is anyone’s guess… we have over 10 years of password methodology to get out of our brains. Sadly, I just don’t see these outdated password practices going away anytime soon for your average company or internet sign-up page, so better start thinking of your next password now.