Cyber security: 'Use passphrase not password'
Guru advises people to use long but easy-to-remember phrases
The complicated and easily forgotten password filled with random numbers and symbols is the bane of many office workers' lives.
And now the technology guru who came up with the rules on safeguarding personal information 14 years ago has admitted that his guidance was wrong. Bill Burr wrote what has become the "bible" on password security in 2003 while working for the US government.
It advised using capital letters, numbers and non-alphabetic symbols in passwords, in the belief they would be difficult to uncover.
His advice has been widely adopted by internet security companies and IT departments. It is responsible for tortuous phrases such as "P@55w0rd" or "Football123" to satisfy password forms, as well as workers having to create a new phrase every 90 days.
But computer experts say instead of improving security, the combinations make systems less secure. Complex passwords are difficult to remember and users end up using the same one repeatedly on different websites, or writing them down on Post-it notes.
The introduction of numbers and symbols also fails to make passwords any less vulnerable to hackers. So-called "brute force" cyber attacks, in which a computer program cycles through every possible combination of characters to guess a password, are not slowed down by numbers or capital letters, but depend on how long a phrase is.
"Much of what I did I now regret," Burr, who is now retired, told the Wall Street Journal. "In the end, it was probably too complicated for a lot of folks to understand well and, the truth is, it was barking up the wrong tree."
He said the advice to regularly change passwords was mistaken. Requiring somebody to add a number and a capital letter to their password does not stop people using bad passwords such as a pet's name, but would simply mean that "fido" would become "Fido1".
Burr's guidelines have recently been updated. They now advise that people use long but easy-to-remember "passphrases". Using "horsecarrotsaddlestable" would take one trillion years for a "botnet" cyber attack to crack, in contrast to a minute for "P@55w0rd".
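The comparison above can be checked with a short calculation. The following is an added example, not part of the article or of any guidance Burr wrote: it estimates the search space an exhaustive "brute force" guesser would have to cover for a password, and separately models a password as dictionary words with mechanical mutations, which is how guessing tools actually treat "Fido1". The guess rate (10 billion per second), the 10,000-word dictionary and the 22 mutations per word are assumptions chosen for illustration, so the absolute times differ from the figures quoted in the article; what the calculation shows is the ratio, namely that length and word count matter far more than sprinkling in symbols.

```python
import math
import string

# Character classes an exhaustive search must cover once a password uses them.
# Sizes are for printable ASCII: 26 + 26 + 10 + 32 = 94.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}

# Assumed guess rate for an offline attack against a fast hash (illustrative only).
ASSUMED_GUESSES_PER_SECOND = 1e10


def alphabet_size(password: str) -> int:
    """Size of the union of character classes present in the password."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def keyspace(password: str) -> int:
    """Candidates an exhaustive search of this length and alphabet must try."""
    return alphabet_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """Naive strength in bits under the exhaustive-search model."""
    return len(password) * math.log2(alphabet_size(password))


def seconds_to_exhaust(password: str,
                       guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the assumed guess rate."""
    return keyspace(password) / guesses_per_second


def dictionary_bits(word_count: int, dictionary_size: int,
                    variants_per_word: int = 1) -> float:
    """Strength in bits when a guesser knows the password is `word_count` words
    from a dictionary of `dictionary_size`, each with `variants_per_word`
    mechanical mutations (capitalise or not, append one of ten digits or none)."""
    return word_count * math.log2(dictionary_size * variants_per_word)


def human_time(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


if __name__ == "__main__":
    # Constructed sample passwords matching those discussed in the article.
    for pw in ("P@55w0rd", "Fido1", "horsecarrotsaddlestable"):
        print(f"{pw:25} alphabet={alphabet_size(pw):3} "
              f"bits={entropy_bits(pw):6.1f} exhaust={human_time(seconds_to_exhaust(pw))}")

    # Dictionary model (assumed 10,000-word list, 2 capitalisations x 11 suffixes):
    print(f"'Fido1' as one mutated word:   {dictionary_bits(1, 10_000, 22):.1f} bits")
    print(f"four plain words as a phrase:  {dictionary_bits(4, 10_000):.1f} bits")
```

Under the exhaustive model the 23-letter phrase has a search space roughly 10^17 times larger than the 8-character "P@55w0rd" even though it uses only lowercase letters. Under the dictionary model, turning "fido" into "Fido1" adds only about four to five bits (the guesser just tries the obvious mutations), while stringing four ordinary words together yields about 53 bits, which is the point the updated guidance makes.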
- The Daily Telegraph