Fourteen years ago, a man named Bill Burr wrote a book on password security on behalf of the U.S. government. In the book, Burr suggested that to keep them from being guessable, passwords should include capital letters, numbers and non-alphabetic symbols like question marks. He also advised that computer users change their passwords often.
Since then, corporate security watchdogs have insisted that Burr's suggestions were the best way to protect access to computer networks and files. But this year, Burr admitted that he had made a mistake: instead of protecting access to systems, long passwords built from hard-to-remember characters actually made them less secure.
In reality, when people are forced to use long, complex passwords, they tend to write them down and post them where others can find them. Meanwhile, those numbers and symbols did little to stop other computers from guessing the combinations. Asking users to change passwords often also backfired: people generally change only one character of the original password, which does little to discourage hackers.
Today, corporate security advisers recommend that people use long but easy-to-remember passphrases, ideally one that captures a memorable visual (such as “rabbiteatingcarrot”). Such combinations might take up to 1 trillion years for an automated cyber attacker to crack, compared with one minute for “P@55w0rd”.
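The comparison above is easy to reproduce. The following checker is an added example, not code from the original article or from any standard it refers to. It scores a candidate the way a modern policy does: first it undoes the usual letter-for-symbol substitutions and rejects anything that is a disguised dictionary word, then it judges what remains by length and alphabet size. The wordlist, the substitution table, the verdict thresholds (60 and 80 bits) and the assumed guess rate of ten billion per second are all constructed for illustration; the article's "one minute" versus "1 trillion years" figures come from a different attack-rate assumption, and the example also shows why the nominal search space of "P@55w0rd" is misleading: by character count it looks respectable, but a dictionary lookup finds it immediately.

```python
import math
import string

# Constructed, deliberately tiny wordlist for illustration only; a production
# checker would load a large breached-password list instead.
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "iloveyou"}

# Reverse map of the usual letter-for-symbol substitutions, so that
# "P@55w0rd" normalises back to "password" before the dictionary lookup.
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "5": "s", "$": "s", "7": "t",
})


def alphabet_size(pw: str) -> int:
    """Size of the union of character classes the password draws from."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # the 32 ASCII symbols
    return size


def search_space_bits(pw: str) -> float:
    """log2 of the character-level brute-force space: length * log2(alphabet)."""
    if not pw:
        return 0.0
    return len(pw) * math.log2(alphabet_size(pw))


def passphrase_bits(word_count: int, dictionary_size: int) -> float:
    """Strength if the attacker guesses whole words rather than characters."""
    return word_count * math.log2(dictionary_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to try the whole space at an assumed offline guess rate."""
    return 2.0 ** bits / guesses_per_second


def normalize_leet(pw: str) -> str:
    """Lower-case and undo symbol substitutions: 'P@55w0rd' -> 'password'."""
    return pw.lower().translate(LEET_MAP)


def is_dictionary_variant(pw: str, words=COMMON_WORDS) -> bool:
    """True if the password is a wordlist entry once substitutions are undone."""
    return normalize_leet(pw) in words


def assess(pw: str) -> dict:
    """Reject disguised dictionary words outright; otherwise rate by entropy.
    Thresholds (60 / 80 bits) are an assumption chosen for this example."""
    bits = search_space_bits(pw)
    if is_dictionary_variant(pw):
        return {"verdict": "weak", "bits": bits,
                "reason": "dictionary word with symbol substitutions"}
    if bits < 60:
        return {"verdict": "weak", "bits": bits, "reason": "search space too small"}
    if bits < 80:
        return {"verdict": "acceptable", "bits": bits, "reason": "moderate search space"}
    return {"verdict": "strong", "bits": bits, "reason": "large search space"}


if __name__ == "__main__":
    for candidate in ("P@55w0rd", "rabbiteatingcarrot"):
        result = assess(candidate)
        years = seconds_to_exhaust(result["bits"]) / (365 * 24 * 3600)
        print(f"{candidate:20s} {result['verdict']:10s} "
              f"{result['bits']:5.1f} bits  ~{years:.2e} years to exhaust")
```

One caveat worth keeping in mind when adopting passphrases: `search_space_bits` models an attacker guessing character by character, which is what makes "rabbiteatingcarrot" look enormous. An attacker who guesses word combinations instead faces roughly `passphrase_bits(3, dictionary_size)`, so the practical strength of a three-word phrase depends on how large and unpredictable the vocabulary is; that is why a phrase of four or more uncommon words is preferable to three everyday ones.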
Unfortunately, trends in technical security evolve, and standards that were considered gospel at one point may fall out of favor over time. Not only that, as new technologies emerge, they call for new security approaches. Even those who work full-time in the industrial/process control IT security field can barely keep up.
That being said, if your company keeps up with the most basic of security practices – those that stood the test of time – you may already be better off than your peers. Good security hygiene can go a long way towards protecting your data and devices.
For example, teach your staff and sales people that when in doubt, they shouldn't click on attachments to email messages sent by people they don't know. Ban the use of outside flash drives on all office computers, as they can contain viruses or other malware. Instruct them never to write down their passwords, much less share them with others (a task made much easier by using the memorable passphrase style described above).