You get to your office or even at home and log into your PC or email account, just to receive a notification that it is time to change your password. You just roll your eye and say okay, there is no problem and changed your password from ‘yourname4real84’ to ‘yourname4real85’, rewarded with the green stick and go about your work.
You know deep inside you that it is not a good practice, but you have no choice because many online services make it the only means to create passwords you will actually remember.
Most of the regulations are derived from recommendations published by the NIST (US National Institute of Standard and Technology) in 2003. Their intention was to make your passwords difficult to guess but did so at the expense of your friendliness.
Former NITS technology manager Bill Burr in an interview with Wall Street Journal admitted he now regret some of the advice the NITS gave on creating strong logins.
During that time, he recommended using combinations of characters that were quite close to random and changing them regularly to make the passwords harder to guess. That was not completely beyond possibility 14 years ago, but now that everybody relies on password-protected online services, it is impossible to remember unique random logins.
Burr said, “it frustrates everybody, including me”.
We are only human
Just last month, NITS updated its guidelines to make password authentication systems more user-friendly. NITS new recommendation includes passwords that do not expire arbitrarily, can be as long as 64 characters and can include any printable characters, which includes spaces.
The more, the better
For a better security, the latest NIST guidelines recommend the use of multi-factor authentication for sensitive accounts. It means providing a different form of verification, such as a code from a smartphone app, in addition to the normal password.
Schultz said, “With the proliferation of cloud services and devices since the original guidelines were written, password security will only take you so far. Two-factor authentication will stop security breaches in their tracks.”