Earlier this week, Bill Burr, a former manager at the US National Institute of Standards and Technology, lamented advice he had given to government departments in 2003 about choosing the best password. It was Burr’s advice that led to the requests to add capital letters and punctuation marks to our own passwords but, as it turns out, those rules mostly produce the same predictable substitutions (a capital first letter, an “@” for an “a”, a “1” or “!” tacked on the end) that password-cracking tools already try, so they make passwords harder to remember without making them much harder to crack. The advice now is to use less common words, like “ecumenical” or “obfuscatory,” or sets of words, like “trout mask replica” or “floppy croissant hell.” The catch is that the words have to be picked at random rather than lifted from a phrase you already know; a famous title or quotation sits in the crackers’ wordlists too.
It appears the new advice discourages creating the systems that help us to remember the ever-growing number of passwords required to access everyday services, in favour of a more creative, less predictable measure, with no pattern to predict. It is a similar principle to reCAPTCHA’s “NoCAPTCHA” – you can make a robot type a word or recognise a shape, but the “I’m not a robot” checkbox version scores how the visitor behaves before and while ticking the box, which is much harder to script convincingly.
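The difference between what a composition rule appears to deliver and what it actually delivers against a rule-based cracker is easy to show in a few lines. The Python below is an added example, not code from the original article or from any password-cracking tool: the twelve-word list is constructed for the example, and the mangling rules (case changes, leetspeak swaps, common suffixes) are illustrative, modelled on the kind real crackers ship rather than copied from one. It shows that a policy-compliant password such as “Ecumenic@l1” looks like roughly 72 bits if every printable character had to be tried, yet falls within a few hundred guesses once the attacker assumes it is a dictionary word with predictable decoration, while four words drawn at random from a 7776-word diceware list give about 52 bits that hold even when the attacker knows exactly how they were chosen.

```python
import math

# Constructed mini wordlist standing in for a cracker's dictionary (an assumption
# for this example; real wordlists run to millions of entries).
WORDLIST = ["password", "summer", "dragon", "monkey", "ecumenical", "obfuscatory",
            "trout", "mask", "replica", "floppy", "croissant", "hell"]

# Illustrative mangling rules, modelled on the kind shipped with password
# crackers but not copied from any tool: leetspeak swaps and common suffixes.
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}
SUFFIXES = ["", "1", "!", "1!", "123", "2003", "!1"]


def mangle(word):
    """Yield every variant the toy rule set derives from one dictionary word:
    three case forms, the fully leet-substituted form of each, every
    single-character leet substitution, each combined with every suffix."""
    bases = {word, word.capitalize(), word.upper()}
    for b in list(bases):
        bases.add("".join(LEET.get(c, c) for c in b))
        for i, c in enumerate(b):
            if c in LEET:
                bases.add(b[:i] + LEET[c] + b[i + 1:])
    for b in sorted(bases):
        for s in SUFFIXES:
            yield b + s


def rule_based_candidates(wordlist):
    """The ordered, de-duplicated candidate list a rule attack enumerates."""
    seen, out = set(), []
    for w in wordlist:
        for c in mangle(w):
            if c not in seen:
                seen.add(c)
                out.append(c)
    return out


def guesses_to_find(password, wordlist=WORDLIST):
    """How many candidates the rule attack tries before hitting `password`,
    or None if the password lies outside what the rules can reach."""
    for n, c in enumerate(rule_based_candidates(wordlist), start=1):
        if c == password:
            return n
    return None


def policy_bits(password, alphabet_size=94):
    """Strength a 'letters, digits, symbols' policy appears to deliver if the
    attacker really had to try every printable-ASCII string of that length."""
    return len(password) * math.log2(alphabet_size)


def effective_bits(password, wordlist=WORDLIST):
    """Strength against the rule attack: log2 of the guess count, or None."""
    n = guesses_to_find(password, wordlist)
    return None if n is None else math.log2(n)


def passphrase_bits(n_words, wordlist_size=7776):
    """Entropy of n words drawn uniformly at random from a diceware-size list
    (7776 = 6**5, five dice rolls per word). Unlike the figures above, this one
    does not depend on the attacker being ignorant of the method."""
    return n_words * math.log2(wordlist_size)


if __name__ == "__main__":
    complex_pw = "Ecumenic@l1"  # satisfies a 2003-style composition rule
    print(f"{complex_pw}: policy suggests {policy_bits(complex_pw):.1f} bits; "
          f"rule attack finds it in {guesses_to_find(complex_pw)} guesses "
          f"({effective_bits(complex_pw):.1f} bits)")
    print(f"four random diceware words: {passphrase_bits(4):.1f} bits")
```

Note what the single-word rules cannot reach: `guesses_to_find("floppy croissant hell")` returns None because no rule joins words, which is exactly why the advice moved to word sets. The guarantee only holds for random words, though; a cracker given a list of album titles or quotations would reach a well-known phrase just as the rules above reach a decorated dictionary word.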
Following the new advice, we may all now have a page or two of random words resembling either a Dadaist monologue or a portal into what is really going on in our heads. However, the other major piece of advice we are given about passwords – that we must never write them down – has not kept pace with how the need for them has multiplied like bacteria. Is there really a completely safe, fool-proof way to keep your passwords secure, and would those measures be worth it?
Testing each possible method rigorously should involve the same creative means as the passwords themselves, i.e. thinking as facetiously as possible. So if you invest in a safe to store your valuables, consider how it could simply be picked up and carried away, unless you find a safe big enough to store yourself as well. Failing that, it should be bolted to the most immovable floorboards in your house, the nearest concrete surface, or a hotel wardrobe.
Likewise, human error is an enormous, potentially worrisome factor. It is one thing to save a document containing all your passwords, give it a misleading name and its own password, then squirrel it away in a secret folder; it is another to delete the file by accident through the silent threat of “Fat Finger Syndrome.” The same menace may delete the password for one place while you are updating another, turning your next visit to that place, or site, into a mountain of guesswork that could lock you out altogether. A password on the document protects it from other people; only a second copy kept somewhere else protects it from you.
Meanwhile, the complex biometric information we expect our mobile phones to interpret and store securely can be lost by, well, losing your phone, with subsequent calls to your contract provider to lock the device, resulting in lost time and, through remote resets and kill switches, lost data, unless you made a backup somewhere. Service agreements are usually clicked past, but the printed manuals of that bygone technology, the 1980s-90s electronic personal organiser, made clear that the manufacturer was not responsible for the loss of personal data, even during the act of changing the button battery that kept the pre-flash memory alive, and that, furthermore, any important data should still be written down and kept in a safe place.
This is before we even get to the other side of the arrangement: the companies holding your data also need to make sure they don’t lose or mislay it, whether in the post, in a coffee shop, or on a train. Our passwords are required to be unpredictable, but information can be lost just as unpredictably. If you feel your information is secure and under control, ask yourself that question again, then again, and again, just to make sure.