
Oh cR4p: Father of best-practice password creation advice reveals his initial tips were all wrong

Dominic Powell

When crafting a new password, business owners and entrepreneurs put in varying levels of effort, ranging from the alarmingly common "password" or "12345678" to more complex-looking strings of letters and numbers that are usually just an ordinary, easy-to-remember word in disguise.

While those at the complex end of the password spectrum may be reading this smugly, confident in the security of passwords such as "Sup3rM4n!", the man whose 2003 guidance popularised this method of password creation has now admitted his initial advice was wrong.

In an interview with the Wall Street Journal, Bill Burr, a former manager at the US National Institute of Standards and Technology (NIST), said the methods many of us use to craft what we think are hard-to-crack passwords are wrong and may be leaving us even more exposed to cyber attacks.

Those methods, set out in a NIST document Burr wrote in 2003 (NIST Special Publication 800-63), recommended that users pick an easy-to-remember word and then pepper it with irregular capitalisation and number-for-letter substitutions, producing passwords such as "3leVat0R!" or "hoRs3R4dIsh".

The resulting passwords look complex, but the advice was followed so widely that the substitutions became predictable: almost everyone swaps the same handful of letters for the same digits and symbols, and password-cracking tools apply those swaps automatically to every word in a dictionary. A password like "Sup3rM4n!" is therefore only marginally harder to crack than "superman".

“In the end, it was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree,” Burr told the Wall Street Journal.

For business owners now distressed over their password choice and eager to change it to something far harder to crack, the best choice might not be the sort of password you'd expect.

In a 2011 comic, Randall Munroe, author of the popular webcomic XKCD, illustrated the problem with the kind of password Burr's guidance produced and proposed an alternative: a passphrase made of several common words chosen at random.

Source: xkcd.com/936/

Munroe's advice has been endorsed by cybersecurity experts. The comic compares an 11-character substitution-style password, which it estimates at about 28 bits of entropy (roughly three days of guessing at 1,000 guesses per second), with four common words chosen at random from a list of about 2,000, which it puts at about 44 bits, or roughly 550 years at the same rate. That is a gap of about 65,000-fold, and it depends on the words being picked at random: the strength comes from the size of the word list and the number of words, not from the phrase meaning something. At the far higher rates of an offline attack on a stolen password database both figures shrink, but by the same factor, so the comparison holds.

This means a password like "anybodyblindnationthemselves" (run the words together if the system rejects spaces; many accept them) could work wonders for your account's security. "Ilovesmallbusiness", by contrast, is not a random selection of words but a natural sentence, exactly the kind of phrase that turns up in attackers' wordlists, so it gets little of the benefit.
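As an added illustration (not part of the original article, and not from Burr, NIST or XKCD), the following Python script puts numbers on the two points above. It models the substitution rules a cracking tool applies to every dictionary word and counts how many candidates one base word expands to, then compares the guess budget and worst-case cracking time for that scheme against a random four-word passphrase at the comic's assumed 1,000 guesses per second. The rule set, the 16-word sample list and the 50,000-word dictionary size are constructed assumptions, deliberately tiny compared with the rule files and word lists real tools ship with.

```python
import math
import secrets

# Constructed toy rule set: the substitutions a cracking tool applies to every
# dictionary word.  Real rule files (hashcat, John the Ripper) are far larger.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"}
SUFFIXES = ("", "!", "1", "123", "!1")

# Constructed sample word list for the passphrase generator.  A real list
# (the 7,776-word Diceware list, for example) is what makes the figures real.
SAMPLE_WORDS = (
    "anybody", "blind", "nation", "themselves", "correct", "horse",
    "battery", "staple", "river", "candle", "pencil", "window",
    "garden", "silver", "rocket", "meadow",
)

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def char_options(ch):
    """Every form one letter of a base word can take under the rule set."""
    opts = [ch.lower(), ch.upper()]
    if ch.lower() in LEET:
        opts.append(LEET[ch.lower()])
    return opts


def variants_per_word(word):
    """How many candidates the rules expand one base word into (counted, not listed)."""
    count = 1
    for ch in word:
        count *= len(char_options(ch))
    return count * len(SUFFIXES)


def is_variant_of(candidate, word):
    """True if the rule set reaches `candidate` from the base word `word`."""
    for suffix in SUFFIXES:
        if suffix and not candidate.endswith(suffix):
            continue
        core = candidate[: len(candidate) - len(suffix)]
        if len(core) == len(word) and all(
            c in char_options(w) for c, w in zip(core, word)
        ):
            return True
    return False


def substitution_guesses(dictionary_size, base_word):
    """Guess budget for dictionary x rules, using base_word as a typical word."""
    return dictionary_size * variants_per_word(base_word)


def passphrase_guesses(word_count, list_size):
    """Guess budget for word_count words drawn uniformly from a list_size list."""
    return list_size ** word_count


def entropy_bits(guesses):
    """Size of the search space expressed in bits."""
    return math.log2(guesses)


def crack_time_years(guesses, guesses_per_second=1000):
    """Worst-case time to exhaust the search space at the given guessing rate."""
    return guesses / guesses_per_second / SECONDS_PER_YEAR


def random_passphrase(word_count, words=SAMPLE_WORDS, sep=""):
    """Draw words with a CSPRNG; a phrase you make up yourself is not random."""
    return sep.join(secrets.choice(words) for _ in range(word_count))


if __name__ == "__main__":
    print(is_variant_of("Sup3rM4n!", "superman"))  # one rule hit on "superman"
    sub = substitution_guesses(50_000, "superman")  # assumed 50k-word dictionary
    phrase = passphrase_guesses(4, 2048)            # the comic's ~2^11-word list
    for label, guesses in (("Sup3rM4n!-style", sub), ("4 random words", phrase)):
        print(f"{label:16s} {entropy_bits(guesses):5.1f} bits  "
              f"{crack_time_years(guesses):9.2f} years at 1,000 guesses/s")
    # Drawing from the 16-word sample list gives only 4 * log2(16) = 16 bits,
    # which is why the size of the word list matters as much as the word count.
    print(random_passphrase(4), entropy_bits(passphrase_guesses(4, len(SAMPLE_WORDS))))
```

Running it shows "superman" expanding to 4,320 candidates under even this tiny rule set, a dictionary-plus-rules budget of about 27.7 bits (a few days at 1,000 guesses per second) and 44 bits, or about 557 years, for four words from a 2,048-word list. Note that `is_variant_of` recognises the article's own examples "Sup3rM4n!" and "3leVat0R!" as plain rule hits on "superman" and "elevator".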

And for the more mnemonically inclined, a line from a favourite song or book can be turned into a strong password, as discussed when Mark Zuckerberg's Twitter account was hacked last year. The line itself should not be the password, since well-known lyrics and quotations are in attackers' wordlists; the trick is to use its initials.

Using Oasis' classic 'Wonderwall' as an example, the line "Maybe you're gonna be the one that saves me" becomes "MyGbTotSm68" by taking the first letter of each word and throwing a memorable number on the end for good measure. That only holds up if the line is not one an attacker could guess you would choose, and whichever method you use, each account needs its own password; a password manager removes the need to memorise most of them.
