When setting up passwords for online accounts, how many times have you been asked to re-enter your password because it was either not long enough, or because it did not contain a combination of lower- and upper-case letters, numbers, or special characters? This can be frustrating, because every website has different password requirements, making it nearly impossible to remember all these different passwords. Many people choose to write them down on a piece of paper or record them in a document somewhere on their computer, but these methods aren’t safe, as such a record could easily be lost or stolen.
Why does every website have different rules for password-setting? How are these rules determined in the first place? Do these complex combinations really keep our accounts safe? We are going to answer all these questions for you today.
Where did these rules come from?
- “A minimum of eight characters”
- “A combination of lower- and upper-case letters, numbers, and special characters”
- “Password reset every 90 days”
We have all seen these rules hundreds of times. In fact, they originate from the Digital Identity Guidelines published in 2007 by the United States’ National Institute of Standards and Technology (NIST). Companies in the United States, soon followed by those in other countries, gradually adopted these guidelines and set their password requirements according to their recommendations.
The question is: are these guidelines up to date?
In fact, more than a decade has passed since the guidelines were first created. Through follow-up analyses, the original creators found many flaws in the guidelines which could make accounts even more vulnerable, and they published an updated edition in 2017. The updated edition made some significant changes to the original rules.
Some of the main changes include:
- Removing the recommendations for including special characters
- Removing the recommendations for changing passwords periodically
Wait, so the rules that had bothered us the most turned out to be useless?
Not quite. They simply failed to serve their purposes. Special characters were recommended because experts expected us to create passwords like “G%b$W@*h1”, but what we actually did was set passwords like “Apple123!”, “Melon111?”, etc. Such numbers and special characters are so common and predictable that they can actually have an adverse impact on account safety.
What about the rules for changing passwords periodically? Well, we simply replaced one or two characters, such as from “Apple123!” to “Apple123?”, which did not make our accounts any safer.
What should we watch out for?
Based on suggestions from NIST, we have summarized three main points to watch out for when creating passwords.
- Refrain from using your personal information (e.g. your user ID, birthday, or phone number) in your password. Such passwords are extremely vulnerable to anyone who has that information.
- Do not use any common nouns, phrases, or patterns in your password. According to the National Cyber Security Centre in the UK, the most vulnerable passwords include nouns like “password”, “liverpool”, “superman”, “michael”, “eminem”, or patterns like “qwerty” and “123456”. No matter how long they are, these common words and patterns are the most vulnerable to hackers.
- Use a different password for each website.
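The three points above are exactly what a password checker should enforce instead of composition rules. The following is an added example (not code from the original post or from Penta Security) that rejects a candidate password for the reasons the post lists: too short, built on a common word or keyboard pattern even when digits and symbols are bolted on (so “Apple123!” is caught as “apple”), containing the user’s own personal details, or reused from another site. The word list and the sample inputs are constructed for the example; a real deployment would load a large breached-password list.

```python
import re
from typing import Iterable, List

# Constructed blocklist for this example, seeded with the words the post quotes
# from the NCSC; a real deployment would load a large breached-password list.
COMMON_WORDS = {"password", "liverpool", "superman", "michael", "eminem",
                "apple", "melon", "welcome", "letmein"}
# Keyboard walks and number runs that are checked on the raw lower-cased password.
KEYBOARD_PATTERNS = ("qwerty", "asdfgh", "zxcvbn", "123456", "abcdef")
MIN_LENGTH = 8  # the one composition rule NIST kept: a minimum length


def _letters_only(text: str) -> str:
    """Lower-case and drop everything but letters, so 'Apple123!' compares as 'apple'."""
    return re.sub(r"[^a-z]", "", text.lower())


def _alnum_only(text: str) -> str:
    """Lower-case and drop punctuation, so a birthday '1990-05-12' compares as '19900512'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def check_password(candidate: str,
                   personal_info: Iterable[str] = (),
                   used_elsewhere: Iterable[str] = ()) -> List[str]:
    """Return the reasons a candidate password should be rejected.

    An empty list means the password passed every check. Each reason is a
    short human-readable string so it can be shown to the user directly.
    """
    reasons: List[str] = []

    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")

    # Dictionary words are matched on the letters alone, so trailing digits
    # and symbols ("Apple123!") do not hide them.
    letters = _letters_only(candidate)
    for word in sorted(COMMON_WORDS):
        if word in letters:
            reasons.append(f"contains common word '{word}'")

    low = candidate.lower()
    for pattern in KEYBOARD_PATTERNS:
        if pattern in low:
            reasons.append(f"contains keyboard/number pattern '{pattern}'")

    # Three or more identical characters in a row ("Melon111?").
    if re.search(r"(.)\1{2,}", candidate):
        reasons.append("contains a run of repeated characters")

    # Personal details are compared after stripping punctuation from both sides;
    # very short items (fewer than 3 characters) are ignored to avoid noise.
    alnum = _alnum_only(candidate)
    for item in personal_info:
        normalised = _alnum_only(item)
        if len(normalised) >= 3 and normalised in alnum:
            reasons.append(f"contains personal information '{item}'")

    if candidate in set(used_elsewhere):
        reasons.append("already used for another site")

    return reasons


def is_acceptable(candidate: str, **kwargs) -> bool:
    """Convenience wrapper: True when check_password() finds nothing to reject."""
    return not check_password(candidate, **kwargs)


if __name__ == "__main__":
    # Constructed sample inputs, including the two passwords the post quotes.
    for pw in ("Apple123!", "Melon111?", "qwerty123456", "G%b$W@*h1"):
        print(pw, "->", check_password(pw) or "acceptable")
    print(check_password("Kim19900512", personal_info=["Kim", "1990-05-12"]))
```

Note that “G%b$W@*h1” passes while “Apple123!” and “Melon111?” do not, which is exactly the distinction the old composition rules failed to make.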
But this brings us back to where we started. How can we create robust and complicated passwords that are different for each website, yet still easy to remember?
Here is the smart way
Based on the guidelines from South Korea’s Internet and Security Agency (KISA), we at Penta Security have some great password-setting tips for you.
You can simply create a password for each site by utilizing the domain name. Then create your own rules to “encrypt” the domain name into a password.
Take a look at the diagram below for some examples. Let’s say the domain name is “pentasecurity”. Rule #1 takes the first four characters of the domain name, followed by the number of characters in the domain name, followed by that number plus one. Rule #2 takes the odd-numbered characters (the first, third, fifth, and so on) of the domain name, followed by a series of odd numbers. The last rule takes the consonants in the domain name, followed by a series of two-digit numbers.
The secret here is to create your own rules to “encrypt” the domain name into your own code. Use your imagination and be as creative and sophisticated as possible. With this method, you can create different passwords for different websites and yet still easily remember them as long as you remember your “encryption” rules.
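To make the three rules above concrete, here is an added example (not code from the original post or from Penta Security) that implements them in Python, starting from a full URL rather than a bare domain name. It assumes a few details the post leaves open: the “series of odd numbers” is taken to be 13579, the “series of two-digit numbers” to be 102030, “y” is treated as a consonant, and a small constructed set of generic second-level labels (co, com, ac, ...) stands in for a proper public suffix list when picking the memorable part of a host name.

```python
from urllib.parse import urlparse

VOWELS = set("aeiou")  # 'y' is treated as a consonant here (assumption)

# Constructed for this example: generic second-level labels that should not be
# mistaken for the site name, e.g. 'bbc.co.uk' -> 'bbc'. A real implementation
# would consult the public suffix list instead.
GENERIC_SECOND_LEVEL = {"co", "com", "net", "org", "ac", "gov", "edu"}


def site_name(url: str) -> str:
    """Pick the memorable label of a host: 'https://www.pentasecurity.com/en/' -> 'pentasecurity'."""
    if "://" not in url:
        url = "https://" + url          # allow a bare host name as input
    host = urlparse(url).hostname or ""
    labels = [lbl for lbl in host.lower().split(".") if lbl]
    if labels and labels[0] == "www":
        labels = labels[1:]
    if len(labels) >= 3 and labels[-2] in GENERIC_SECOND_LEVEL:
        return labels[-3]
    if len(labels) >= 2:
        return labels[-2]
    return labels[0] if labels else ""


def rule_1(name: str) -> str:
    """First four characters, then the length, then the length plus one."""
    n = len(name)
    return f"{name[:4]}{n}{n + 1}"


def rule_2(name: str, odd_series: str = "13579") -> str:
    """Odd-numbered characters (1st, 3rd, 5th, ...) followed by a series of odd numbers."""
    return name[0::2] + odd_series


def rule_3(name: str, two_digit_series: str = "102030") -> str:
    """Consonants only, followed by a series of two-digit numbers."""
    consonants = "".join(ch for ch in name if ch.isalpha() and ch not in VOWELS)
    return consonants + two_digit_series


RULES = {"rule1": rule_1, "rule2": rule_2, "rule3": rule_3}


def derive_password(url: str, rule: str = "rule1") -> str:
    """Apply one of the personal 'encryption' rules to the site name taken from a URL."""
    name = site_name(url)
    if not name:
        raise ValueError(f"could not extract a site name from {url!r}")
    return RULES[rule](name)


if __name__ == "__main__":
    for rule in RULES:
        print(rule, "->", derive_password("https://www.pentasecurity.com/en/", rule))
```

Whichever rule you pick, its entire strength lies in the rule itself staying private: the domain name is public, so the rule is the only secret part of every password it produces.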
The final tip: be creative!