In 2003, Bill Burr wrote the rules for password security for the U.S. National Institute of Standards and Technology, urging computer users to change passwords every 90 days and create such intricate passwords that even the world’s fastest supercomputer would overheat trying to decipher them.
Burr, however, recently confessed to the Wall Street Journal that this digital keyboard dance has caused endless frustration among us, the computer-using masses, in the name of online security.
He is among a chorus of security experts who now say that a simple natural language sentence, for example, “It is a lovely day in Spain,” is a better password than the tortured, numbers-letters-and-wingdings combinations we are all burdened with remembering. “The truth is, it was barking up the wrong tree,” he says.
Well, what do you know?
Unfortunately, his mea culpa comes a bit too late for us.
We’ve wasted years of our lives changing passwords, not because we’re security freaks, but mostly because we can’t remember those impossible combinations of numbers, upper- and lowercase letters, special characters and symbols. Humanity, says computer expert Cormac Herley, a researcher at Microsoft, spends the equivalent of 1,300 years each day typing in passwords. Holy cow! And we thought YouTube surfing for cat videos was a time suck.
Password security is important, given the many high-profile corporate and social media hacks of supposedly secure computer networks, and complex combinations can be effective deterrents. But the trade-off is between passwords that are easy for others to guess and passwords that are impossible for us to remember.
And when we can’t remember, we tend to do stupid things, like writing complex passwords on sticky notes on our computer monitors or on paper tucked beneath our mouse pads.
And as ingenious as we think we are, switching numbers for words (“Good4you”) or adding another number (“Good4you2), isn’t always a security improvement, either.
If it seems as if we are always fighting the last war, we are. A password that would have taken more than three years to crack in 2000 might have taken about a year to crack in 2004. Five years later, the same password could be broken in just four months, and now it could be decoded in a matter of weeks. But how could Burr have known that he would be responsible for so much global cussing and frustration for so little security in return? Back then, scant research existed on passwords; mind-numbing sequences seemed like the best solution.
Experts predict that passwords as we know them eventually will give way to biometrics like fingerprint sensors and face recognition technologies found on some smartphones and consumer products. And who knows what after that?
We can’t wait to see it happen. And soon.
FROM AN EDITORIAL IN THE DALLAS MORNING NEWS