Over the last few days, my newsfeed has been filled with people gloating over the fact that the fellow who came up with that original guidance — make complex passwords and change them often — admitted he was wrong. But, of course, as with most people, they are misinterpreting things. Here are some key takeaways:
- Complex passwords are still critical, but the answer is not an unpronounceable mix of letters and characters — because you can’t remember that. You can get equal or stronger passwords by choosing random words from the dictionary (passphrases): although the “string” is shorter when counted in symbols, each symbol (a word) is drawn from a much larger alphabet. Math is math.
- Frequent changing of passwords undermines their strength not because changing is bad in itself, but because human nature is. If you change things frequently, you’ll fall into patterns that make the passwords easier to remember — and easier to break.
In reality, the best solution is still a high-quality Password Manager, with a strong master password. In the password manager, you can create strong passwords for all your sites — unique for each site — and not have to remember them. This is something I recommend (and not using my Facebook authentication for everything, which is not only weak but gives FB far too much information). I’ve recommended Lastpass for a long time for this purpose. It can keep track not only of passwords, but all that information you fill into forms — such as credit card info — so that you are storing it in your encrypted password vault, not on another machine where you depend on their encryption.
Recently, Lastpass changed their charging model: they upped the price (without notice) of Lastpass Premium from $12 to $24 a year. Everyone was up in arms! Heaven forfend! Doubling the price! (Never mind the fact that we’re talking $1 a month, which is noise, but hey, it’s the percentage!). It’s a concern for me: we have three Lastpass Premium accounts. However, I plan to move to the Family pricing model (which is worth it for 2 or more family members); hopefully, Lastpass will provide a way to consolidate existing Premium accounts into a single Family account with pro rata balances applying towards the fee.
In the larger world, NIST is simplifying their password recommendations. The folks at Lastpass believe that will make things easier, but I believe that the fundamentals still remain: pick a unique password for each site, make it suitably complex, ideally gaining complexity through words vs. characters. How to do that? Use the password generator in your password manager, use the nonsense word generator, or use the XKCD Password Generator, XKPasswd.
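To make the “math is math” point concrete, here is an added example (not from this post, and not the code of any password manager or XKPasswd) that computes the entropy of a random-character password versus a random-word passphrase and generates a passphrase with the OS CSPRNG. The 94-character alphabet and the 7776-entry Diceware list size are standard figures; the embedded word list is a constructed stand-in for illustration.

```python
import math
import secrets

# Constructed sample word list, for illustration only. A real passphrase list
# (e.g. a Diceware list) has 7776 entries; the entropy functions below are
# parameterised on list size so the two cases can be compared honestly.
SAMPLE_WORDS = [
    "correct", "horse", "battery", "staple", "apple", "river", "canyon",
    "velvet", "marble", "pencil", "orbit", "lantern", "thistle", "copper",
    "meadow", "signal",
]

PRINTABLE_ASCII = 94   # characters a typical random-password generator draws from
DICEWARE_LIST = 7776   # entries in a standard Diceware word list (6**5)


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of `length` symbols, each chosen uniformly and
    independently from an alphabet of `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def words_needed(target_bits: float, list_size: int = DICEWARE_LIST) -> int:
    """Smallest number of random words from a list of `list_size` entries
    that reaches `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(words: list, count: int, sep: str = "-") -> str:
    """Pick `count` words uniformly at random with the OS CSPRNG.
    The entropy figure from entropy_bits(len(words), count) only holds when
    the words are chosen this way, not by hand or with random.choice."""
    return sep.join(secrets.choice(words) for _ in range(count))


def compare(char_len: int = 8, word_count: int = 4) -> dict:
    """Side-by-side entropy of an 8-character random password and a
    4-word Diceware-style passphrase (about 52.4 vs 51.7 bits)."""
    return {
        "random_chars": entropy_bits(PRINTABLE_ASCII, char_len),
        "passphrase": entropy_bits(DICEWARE_LIST, word_count),
    }


if __name__ == "__main__":
    print(compare())
    print("5 words:", round(entropy_bits(DICEWARE_LIST, 5), 1), "bits")
    print(generate_passphrase(SAMPLE_WORDS, 4))
```

Four Diceware words land just under an 8-character random string, and a fifth word pushes the passphrase past it, while staying far easier to remember.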