“Secure password” rules may not be the best option

You should already know that passwords like “123456” or “teste123” should never be used, as they are not secure passwords.

However, to discourage insecure passwords, websites have become increasingly strict in their password rules, sometimes requiring at least 10 or 12 characters with a mix of upper and lower case letters, numbers and symbols. This forces users to create complex passwords that are hard to remember.

These recommendations for secure passwords were created in 2003 by Bill Burr, director of the National Institute of Standards and Technology (NIST). The same guidelines are still followed today in password validation systems and in materials that explain how to choose secure passwords.

However, in a recent NIST review of its password security guidelines, many of the recommendations were changed. In an interview with the Wall Street Journal, Bill Burr himself expressed regret over most of his recommendations: “Now I regret a lot of what I did”. He also admitted that the 2003 guidelines were based on a document written in the 1980s, when the internet was still in its infancy and computers lacked the processing power they have today for cracking passwords.

It turns out that simply replacing letters with numbers or symbols does not guarantee a strong password. For example, even after changing “pedrinho” to “P3dr1Nh0” or “lurdinha” to “Lurd1nh@”, the passwords can still be discovered easily by brute force attacks, because such substitutions are predictable and attackers try them first. The math shows that it is much harder to crack a long password made of easy-to-remember words than a shorter one built from combinations of letters, numbers and symbols.

The image below, from the xkcd website, shows that the password “Tr0ub4dor&3” can be cracked in 3 days, while the password “correct horse battery staple”, four words with no logical connection between them, would take 550 years to discover.

(Image: example-secure-passwords, the xkcd comparison of “Tr0ub4dor&3” and “correct horse battery staple”)
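As an added illustration of the calculation behind those two numbers (this code is not part of the original post, nor xkcd's), the Python below models both passwords the way an attacker would. The guess rate of 1,000 per second and the 2,048-word list are assumptions taken from the xkcd comic, as is the per-component bit breakdown for “Tr0ub4dor&3”; the naive character-class model is shown alongside to make clear why it overestimates the strength of the substituted word.

```python
import math

# Assumed parameters (from the xkcd comic the post refers to, not stated in
# the post itself): 1,000 guesses/second against an online service, and a
# 2,048-word list, i.e. 11 bits per randomly chosen word.
GUESSES_PER_SECOND = 1_000
WORDLIST_SIZE = 2_048
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# xkcd's breakdown of "Tr0ub4dor&3": bits of uncertainty per choice the user made.
TROUBADOR_PATTERN = {
    "uncommon base word": 16, "capitalisation": 1, "common substitutions": 3,
    "appended numeral": 3, "appended punctuation": 4, "numeral/punct order": 1,
}

def charset_size(password: str) -> int:
    """Alphabet a naive brute-forcer must cover, from the classes present."""
    size = 0
    if any(c.islower() for c in password): size += 26
    if any(c.isupper() for c in password): size += 26
    if any(c.isdigit() for c in password): size += 10
    if any(not c.isalnum() for c in password): size += 33  # printable ASCII symbols
    return size

def naive_bits(password: str) -> float:
    """Entropy if the attacker knew only the length and character classes."""
    return len(password) * math.log2(charset_size(password))

def pattern_bits(components: dict) -> float:
    """Entropy once the attacker guesses word + substitutions, not characters."""
    return float(sum(components.values()))

def passphrase_bits(word_count: int, wordlist_size: int = WORDLIST_SIZE) -> float:
    """Entropy of N words chosen independently at random from a word list."""
    return word_count * math.log2(wordlist_size)

def worst_case_seconds(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Time to exhaust the whole space at the given guess rate."""
    return 2.0 ** bits / rate

def compare() -> dict:
    """Both passwords from the post under the two attacker models."""
    return {
        "Tr0ub4dor&3 (naive model) bits": naive_bits("Tr0ub4dor&3"),
        "Tr0ub4dor&3 (pattern model) bits": pattern_bits(TROUBADOR_PATTERN),
        "Tr0ub4dor&3 days": worst_case_seconds(pattern_bits(TROUBADOR_PATTERN)) / 86_400,
        "passphrase bits": passphrase_bits(4),
        "passphrase years": worst_case_seconds(passphrase_bits(4)) / SECONDS_PER_YEAR,
    }
```

Under the pattern model the substituted word is about 28 bits (roughly 3 days), while four random words are 44 bits (roughly 550 years); the naive model's 72 bits for “Tr0ub4dor&3” is what a website's complexity rule "sees", and why it is misleading.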

Therefore, strictly following the rules of websites and password validators does not guarantee that your passwords are secure. A password like “G84mv@8k”, besides being hard to remember, is less secure than a password like “nuvemcachorroespelhoestrada”.

Weak passwords are the main gateway for security attacks, ransomware and other types of viruses in companies, so it is always prudent to follow good practices when setting passwords. In this downloadable guide, we list and describe a set of practices you can follow to keep your user accounts and passwords secure, both personal and corporate.
