To protect our online security, almost everything web based rightly has the obligatory user name and password. The user name is always the easy bit; typically it is just your name or email address. The password is another matter. The typical requirements include upper and lower case characters, a number and a special character. That in itself is difficult enough, but add the fact that you are supposed to change it every 30 days to something different and it becomes quite infuriating.
These password requirements you hate may be changing soon. Bill Burr, a manager at the US government’s National Institute of Standards and Technology (NIST), wrote a manual in 2003 that advised using a combination of alphanumeric, upper and lower case and special characters in our passwords, and that they should all be changed every 30 days. However, he recently said in an interview that he now regrets several of the caveats he advised, saying he was “barking up the wrong tree” and adding “Much of what I did I now regret.”
NIST is now overhauling these guidelines and no longer suggests that passwords should be changed frequently just for the sake of it. The reason is that people tend to change just one character, for example going from “Passw0rd” to “Passw0rd1”, which would probably be the first thing a hacker would try; as a result the majority of such passwords are really ineffective. The problem is multiplied by the fact that we repeat this practice across multiple platforms, and we are all guilty of having the same or a similar password for different logons. Instead, NIST recommends that IT departments should only enforce password changes after there has been a security breach, rather than at the standard 30-90 day interval.
In addition, NIST has proven that it is easier for a computer to crack words that substitute numbers or characters for letters to satisfy the current requirements (for example “secur1ty”) than a random mixture of words like “tool_seat_calendar”.
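As an added illustration (not code from the original article), here is a small Python password-change checker that applies the logic above on the defending side: it undoes common number-for-letter substitutions so that “secur1ty” is recognised as the dictionary word it really is, and it rejects a new password that is only a trivial tweak of the previous one, such as “Passw0rd1” after “Passw0rd”, while letting a random word combination like “tool_seat_calendar” through. The word list, function names and the three-character tolerance are assumptions made for the example.

```python
import re

# Constructed example of the kind of screening NIST's revised guidance favours:
# check a new password against weak patterns instead of forcing rotation.
# The substitution map, word list and function names are assumptions.

# Common character-for-letter substitutions, mapped back to the letter.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s", "!": "i"})

# Constructed mini word list; a real deployment would use a large breached-password list.
COMMON_WORDS = {"password", "security", "welcome", "letmein", "qwerty"}


def normalize(pw: str) -> str:
    """Lower-case, drop trailing digits/punctuation, then undo substitutions."""
    core = pw.lower()
    core = re.sub(r"[\d\W_]+$", "", core)   # "Passw0rd1!" -> "passw0rd"
    return core.translate(LEET_MAP)         # "passw0rd"   -> "password"


def is_trivial_variant(new_pw: str, old_pw: str) -> bool:
    """True if new_pw is old_pw with a case/substitution tweak or at most 3 extra characters."""
    if not old_pw:
        return False
    if normalize(new_pw) == normalize(old_pw):
        return True
    a, b = new_pw.lower(), old_pw.lower()
    longer, shorter = (a, b) if len(a) >= len(b) else (b, a)
    return shorter in longer and len(longer) - len(shorter) <= 3


def check_password(new_pw: str, old_pw: str = "", min_len: int = 8) -> list[str]:
    """Return the reasons a password is rejected; an empty list means it is accepted."""
    problems = []
    if len(new_pw) < min_len:
        problems.append("too short")
    if normalize(new_pw) in COMMON_WORDS:
        problems.append("common word with substitutions")
    if is_trivial_variant(new_pw, old_pw):
        problems.append("trivial variant of previous password")
    return problems


if __name__ == "__main__":
    print(check_password("secur1ty"))                    # common word with substitutions
    print(check_password("Passw0rd1", old_pw="Passw0rd"))  # common word + trivial variant
    print(check_password("tool_seat_calendar"))          # [] (accepted)
```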
Whilst it is not a requirement for anyone to adopt these new guidelines, NIST is very influential and any advice it publishes is treated with reverence by IT departments across the globe, so its recommendations are usually implemented as best practice in IT security.