Password rules waste vast amounts of time

Guidelines about passwords make them needlessly hard to remember. Because people can’t remember them, they get locked out of their accounts and the computers they use for work. These foolish guidelines were promoted by the government based on incorrect advice about what passwords are most secure.

They then spread as “best practices” throughout the private sector, resulting in countless employees being locked out of their accounts. Auditors claimed these password rules were required by the Sarbanes-Oxley Act. That law requires auditors for big companies to assess their “internal controls.” Due to these password rules, companies require people to change their passwords frequently to things that are hard to remember.

Gizmodo describes how these rules came about in the article “The guy who invented those annoying password rules now regrets wasting your time.” The password rules were devised by a former manager at the National Institute of Standards and Technology (NIST). His recommendations “dictate password requirements on everything from email accounts to login pages to your online banking portal. All those rules about using uppercase letters and special characters and numbers — those are all because” of his 2003 recommendations. But he “now admits that they’re basically useless.”

His recommendations forbid “a long string” of words that you find easy to remember, in favor of a “shorter password with wacky characters” that you probably won’t be able to remember. But the longer password made up of multiple words is actually harder for a hacker’s computer to crack than a shorter password made up of random or wacky characters.
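To put numbers on the comparison above, here is an added example (not from the article or from NIST): it computes the entropy of a password whose characters are drawn uniformly from printable ASCII, the smaller keyspace left once a rule demands every character class, and the entropy of a passphrase whose words are drawn uniformly from a word list. The character-class sizes, the 7776-word list size and the guess rate are constructed assumptions.

```python
import math
from itertools import combinations

# Constructed assumptions (not from the article): printable-ASCII character
# classes, a 7776-word diceware-style list, and an offline guess rate of
# ten billion candidates per second against a fast hash.
CHAR_CLASSES = {"upper": 26, "lower": 26, "digit": 10, "symbol": 33}
WORD_LIST_SIZE = 7776
GUESSES_PER_SECOND = 1e10


def entropy_bits(choices: int, length: int) -> float:
    """Entropy of `length` symbols, each drawn uniformly from `choices` options."""
    return length * math.log2(choices)


def keyspace_all_classes(class_sizes: dict, length: int) -> int:
    """Number of strings of `length` that contain at least one symbol from
    every class, by inclusion-exclusion over the classes left out."""
    names = list(class_sizes)
    alphabet = sum(class_sizes.values())
    count = 0
    for k in range(len(names) + 1):
        for excluded in combinations(names, k):
            remaining = alphabet - sum(class_sizes[n] for n in excluded)
            count += (-1) ** k * remaining ** length
    return count


def years_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Time to try every candidate in a keyspace of `bits` bits at `rate` guesses/s."""
    return 2 ** bits / rate / (365 * 24 * 3600)


def compare(char_length: int, word_count: int) -> dict:
    """Entropy of a character password (with and without an all-classes rule)
    versus a random-word passphrase, plus the time to exhaust each keyspace."""
    unrestricted = entropy_bits(sum(CHAR_CLASSES.values()), char_length)
    restricted = math.log2(keyspace_all_classes(CHAR_CLASSES, char_length))
    passphrase = entropy_bits(WORD_LIST_SIZE, word_count)
    return {
        "chars_any_bits": round(unrestricted, 2),
        "chars_all_classes_bits": round(restricted, 2),
        "passphrase_bits": round(passphrase, 2),
        "chars_years": years_to_exhaust(restricted),
        "passphrase_years": years_to_exhaust(passphrase),
    }


if __name__ == "__main__":
    for key, value in compare(char_length=8, word_count=5).items():
        print(f"{key:>24}: {value:,.2f}")
```

These figures hold only when the characters or words are chosen uniformly at random; a dictionary word with a digit wedged into it, or a well-known phrase, sits in a far smaller space than the formula suggests.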

Journalist Robby Soave recounts what happened to him as a result of these recommendations:

I am now trapped in password hell, because any new password I create will be impossible for me to remember, thus triggering the create new password necessity every single time.

Whoever decided that passwords must have both weird characters and numbers, and not be the same as the last five passwords, should be publicly executed.

When I worked for the Education Department as a lawyer, I spent hours and hours getting my password reset by the employee help desk when I forgot it. I couldn’t remember my password because the government required my password not to include any full word, and required me to frequently change my password to something new.

If I wanted to include a word in my password, the government’s password restrictions required me to break up the word by putting a number or symbol in the middle of it. I could seldom remember where I put that number or symbol. I also had to include additional numbers and symbols in my password. But I could never remember what all those numbers and symbols were.

Finally, the National Institute of Standards and Technology has figured out the error of its ways. The “latest set of NIST guidelines recommends that people create long passphrases rather than gobbledygook words like the ones” it previously thought were secure back in 2003. But as Soave’s experience shows, this new advice has yet to trickle down to society as a whole, which continues to follow the government’s bad 2003 advice.

Hans Bader

