放棄你以往所認知建立最強密碼的方法,並使用這個新的方法
Scrap everything you know about creating strong passwords and do this instead
Jane Burnett LADDERS
2019-05-30 11:00:00
https://www.theladders.com/career-advice/scrap-everything-you-know-about-creating-strong-passwords-and-do-this-instead
Scrap everything you know about creating strong passwords and do this instead
The man behind how we commonly think of devising passwords says he “regrets” his advice.
You know the drill: make a password with a hodgepodge of special characters, numbers, and letters, then change it periodically – or just ignore change alerts until a hacking scandal suddenly arises.
You may want to rethink your strategy.
Bill Burr, the man behind how we commonly think of devising passwords, recently told The Wall Street Journal, “much of what I did I now regret.”
The password creation shakeup
The retired 72-year old was reportedly a manager at The National Institute of Standards and Technology (NIST) back in 2003 when he wrote “NIST Special Publication 800-63. Appendix A,” featuring the password guides we’ve held true for years now.
According to The Wall Street Journal, this included, namely, the rule that passwords should be a combination of numbers, special characters, and uppercase letters, which you change every 90 days.
Why is Burr changing his tune years later?
He reportedly had to produce the rules quickly and wanted them to be based on research, but he had no “empirical data on computer-password security.” So he turned to a white paper from the 1980s.
Burr told The Wall Street Journal that his advice has led people astray because those rules were probably too challenging for many to understand and caused people to use passwords that were not too difficult to crack.
In June, the NIST released new guidelines, which don’t call for “special characters” or changing passwords frequently anymore. Instead, the NIST says the rules now preach “long, easy-to-remember phrases” and just coming up with new ones “if there is a sign they may have been stolen.”
A xkcd comic by Randall Munroe from August 2011 shows that figuring out the password “Tr0ub4dor&3” would take three days to solve, according to the cartoonist’s calculations, compared to the words “correct horse battery staple” typed as a single word, which would take a staggering 550 years to solve. Computer-security specialists found this to be true.
Be careful changing passwords
You may also want to rethink how often you update your password. This practice can place us at risk if we take the wrong approach.
When we repeatedly change passwords, we don’t always change them properly.
Professor Alan Woodward of the University of Surrey told BBC News that NIST publications have a far reach, giving the rules “a long lasting impact.” But he also mentioned “a rather unfortunate effect”:
For example, the more often you ask someone to change their password, the weaker the passwords they typically choose. . . . And, as we have all now so many online accounts, the situation is compounded so it encourages behaviours such as password reuse across systems.
Steer clear of these password options
So if you’re looking to change your password soon, don’t pick these.
SplashData, which supplies password management applications, released the 2015 version of its “Worst Passwords List.” Here are the top 10 worst ones featured:
1. 123456
2. password
3. 12345678
4. qwerty
5. 12345
6. 123456789
7. football
8. 1234
9. 1234567
10. baseball
Morgan Slain, CEO of SplashData commented on the findings in a statement.
Embracing the new way of thinking when it comes to passwords just might keep your online accounts out of harm’s way.