The Strongest Password Combinations Aren’t What You Think

August 10, 2017


We’ve all fumbled through creating passwords on websites that seem to have an unusual amount of rules: At least two capital letters. One special character. Special characters cannot include backslashes or quotation marks. The minimum number of characters is ten.


Once you finally construct an acceptable password, you have to remember it (unlikely) or write it down in a safe place. At least your account is secure after all of this hassle, right? Wrong.


Password requirements plaguing everything from online banking to job application accounts are outdated. Further, they were under-researched at the time of widespread acceptance. Bill Bur, former manager at National Institute of Standards and Technology, wrote the manual for password creation security in 2003. However, Burr recently admitted to the Wall Street Journal that most of his knowledge on passwords was derived from a white paper written before the world wide web was even invented.


“In the end, [the list of requirements] was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree,” says Burr.


This is what he means: math demonstrates that a combination of four simple words is harder for a computer to crack than a word or phrase interspersed with special characters, different cases and numerals. This doesn’t make sense to most of us, because we were taught that more variables equate to more obstacles for potential hackers to decode. However, the key to understanding this ambiguity is that computers are attempting to crack passwords--not humans.


Gizmodo reports that a password with four common words strung together, like “correcthorsebatterystaple” would take a computer around 550 years to randomly guess. Comparatively, a password following current guidelines, like “Tr0ub4dor&3” can take a computer as little as three days to decipher.


Let’s hope this news makes its way to internet security professionals, so that someday your laundry list of passwords can be scrapped. Until then, Bill Burr apologizes.


Make Your Password Harder to Crack

Hackers are utilizing computers to guess your password--they’re not doing this painstaking work themselves! If a site doesn’t require Burr era password requirements, opt for a chain of a few regular words instead.


Have You Noticed Any Unauthorized Login Attempts Lately?

Decoding your password is the first step to breaking into sensitive online accounts that contain personal and credit card information. Oftentimes, websites hosting accounts will email you if there have been log in attempts with an incorrect password. If you receive an alert like this and know it wasn’t you, notify the site immediately. You should then change your password again, as well as take additional precautions like freezing account activity or credit cards.


Report It to BBB

Lastly, report unauthorized login attempts to the BBB Scam Tracker so that we can monitor and investigate patterns across the web.