Ah vindication, or at least satisfaction. For some time, I have been using and recommending the use of nonsense sentences as passwords.
Today I read in the Washington Post an article by Robert McMillan reviewing recent statements by Bill Burr, who in 2003 wrote “the definitive go-to guide for federal agencies, universities and large companies looking for a set of password setting rules to follow.” He now says, “much of what I did I now regret.”
The gist of the article was:
1. Strong passwords need not be impossible-to-remember combinations of upper- and lower-case letters, numbers and symbols such as )>0Let#A@!7.
It has been calculated that it would take hackers 550 years to crack “correct horse battery staple” written as one word, compared to 3 days to crack “TrOub4dor&3.”
2. The second finding was that the advice to change your passwords every 90 days was wrong. Unless you believe your security has been breached, there is no need to change your passwords at all.
The other issue examined in the article is the persistent use of what we thought were smart random passwords based on Burr’s guidelines, which produced a generation of widely used passwords such as P*****wOrd or Monkey1, or cases where forcing users to change their password every 90 days led to Pa55word1 becoming Pa55word2, a practice Burr says “does not keep hackers at bay.”
A recent study by Carnegie Mellon University researcher Lorrie Faith Cranor compiled 500 of the world’s most commonly used passwords, such as princess, monkey and iloveyou, plus many unprintable examples. She had them printed on a blue and purple shift dress, which she wore to a 2015 White House cyber-security summit at Stanford University, prompting much careful study and some embarrassment.
So, yes, use a password manager or a list of randomly generated passwords kept in your wall safe (or an encrypted folder), but for day-to-day, often-used passwords try nonsense sentences. They are easy to remember, such as one I recently used for my computer Admin password, “My cats like two fish,” written as mycatslike2fish, or “rabbits4hatsthereare.” That’s 20 characters, and with current technology it would take longer than I am likely to live to crack.