If you didn't change your password on "Change Your Password Day" yesterday, I forgive you. If you stuck with a perfectly good password in spite of a contrived event telling you otherwise, I applaud you.
The tech-news blog Gizmodo's decision to christen Feb. 1 as "CYPD" isn't a bad idea overall; as writer Matt Buchanan explained in a post, too many people recycle the same password across multiple sites. I'm part of that problem: When sites have asked me to sign in to do something basic like read a story or download a file, I've reused passwords from other low-value logins.
But much received wisdom about passwords goes beyond that sensible counsel to stumble into outright superstition. Three security myths especially bug me.
* You need to change your passwords on a set schedule. You should only change a password if you worry somebody else might have obtained it. Doing so more often at best wastes time, at worst raises the odds that you'll forget the new password and have to reset it. Sites that force users to change their passwords every 60 or 90 days — often with inane "minimum complexity" rules for new ones — only raise the odds that fed-up users (PDF) will resort to writing down passwords or choosing the simplest ones possible.
* Writing your password down is a mistake. That depends on where you keep that piece of paper. Scribbling it on a Post-It note on your monitor is dumb. But if you tuck that slip of paper in your wallet — something you take with you everywhere and know to keep safe — you'd be following the longstanding and astute advice of cryptography and security expert Bruce Schneier.
* Substituting numbers and symbols for letters confuses attackers. The bad guys already know that trick. Password-cracking tools like L0phtCrack, which can pry passwords out of an encrypted file, automatically try "leetspeak" substitutions. Longer passwords, however, greatly increase the time required to crack them. In the bargain, a long passphrase made up of real words will be easier to remember than the eight characters of gibberish usually recommended. (I've followed that conventional advice all too well, so maybe it is CYPD for me.)
As xkcd author Randall Munroe recently griped in his popular Web comic: “we’ve successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess.”
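To make the third myth concrete, here is an added Python example (not code from the post or from any tool it names) that estimates password strength the way a cracker would see it: it undoes the common "leetspeak" substitutions before a word-list lookup, so a mangled dictionary word costs only a handful of extra guesses, and it scores a random multi-word passphrase by the size of the list the words were drawn from. The ten-word list, the substitution table and the 2048-word passphrase list size are assumptions made for the illustration (2048 is the figure the xkcd strip uses).

```python
import math

# Reverse map of the substitutions a cracking tool's rule set tries
# automatically (assumed table; real rule sets are longer).
LEET_REVERSE = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
                "@": "a", "$": "s", "!": "i"}
LEET_LETTERS = frozenset(LEET_REVERSE.values())

# Constructed ten-word list standing in for a real cracking dictionary,
# which would hold tens of thousands of entries.
COMMON_WORDS = frozenset({"password", "letmein", "welcome", "dragon", "monkey",
                          "sunshine", "football", "princess", "qwerty", "shadow"})

PRINTABLE_SYMBOLS = frozenset("!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~")  # 33 symbols


def deleet(password: str) -> str:
    """Undo leetspeak substitutions so 'P@ssw0rd' is looked up as 'password'."""
    return "".join(LEET_REVERSE.get(c, c) for c in password.lower())


def brute_force_bits(password: str) -> float:
    """Bits of work for a search over every string built from the same
    character classes the password uses. This is the figure that makes
    eight characters of gibberish look strong."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in PRINTABLE_SYMBOLS for c in password):
        size += len(PRINTABLE_SYMBOLS)
    if size == 0:
        return 0.0
    return len(password) * math.log2(size)


def dictionary_attack_bits(password: str, dictionary=COMMON_WORDS):
    """Bits of work for a word list plus leet and capitalisation rules,
    or None if the password is not a mangled dictionary word."""
    core = deleet(password)
    if core not in dictionary:
        return None
    # Each substitutable letter is tried plain or substituted: two choices each.
    variants = 2 ** sum(1 for c in core if c in LEET_LETTERS)
    variants *= 2  # first letter tried in lower- and upper-case
    return math.log2(len(dictionary) * variants)


def realistic_bits(password: str, dictionary=COMMON_WORDS) -> float:
    """An attacker runs the cheaper of the two searches, so that is the
    strength a defender should credit."""
    dictionary_bits = dictionary_attack_bits(password, dictionary)
    bits = brute_force_bits(password)
    return bits if dictionary_bits is None else min(bits, dictionary_bits)


def passphrase_bits(phrase: str, wordlist_size: int = 2048) -> float:
    """Bits for words drawn at random from a list of wordlist_size entries.
    Honest even when the attacker knows the list, because the strength
    comes from the random choice, not from the words being secret."""
    return len(phrase.split()) * math.log2(wordlist_size)


if __name__ == "__main__":
    for pw in ("P@ssw0rd", "xq7#Lp2v"):
        print(f"{pw!r}: brute force {brute_force_bits(pw):.1f} bits, "
              f"realistic {realistic_bits(pw):.1f} bits")
    phrase = "correct horse battery staple"
    print(f"{phrase!r}: {passphrase_bits(phrase):.1f} bits")
```

Run as is, the script rates "P@ssw0rd" at about 52 bits by the brute-force count but only about 8 bits once the leet rules are applied against the ten-word list (with a realistic list the gap is the same shape, just shifted), while four words picked at random from 2048 come to 44 bits. The random gibberish string keeps its 52 bits, but the passphrase is the one most people can remember.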
What should you do?
Some online services also support extra-security options like "two-factor authentication," in which you can enter a one-time numeric code in addition to a password. And we may yet see widespread adoption of text-free authentication — say, identifying yourself by clicking around a map. But for now, we're stuck with passwords… which I hope are more complex than "password" or "123456."
Credit: Rob Pegoraro/Discovery