Drake Software blog for tax pros, covering tax, IRS news, and more

Study: Don’t Overthink Computer Passwords

It’s an ordeal most of us go through regularly: Our password on our email or a website has expired and we have to come up with a new one. Our proposed password, the website tells us, has to be at least eight characters, use upper and lower case letters, numbers, and “special characters” – you know, the ones you get when you press Shift and a number.

And, oh, yes – your new password cannot be a real word in the dictionary.

So how are we supposed to remember these things?

Well, a new study from Carnegie Mellon University suggests there’s a better and easier way to secure our accounts. It’s called a passphrase. Whereas a password might be something like “B1i7sfy%k,” a passphrase could be: “drakeisthebesttaxsoftwareoutthere.” And the phrase, the study found, can be just as secure as the most random of characters. The more nonsensical the phrase, the better. Song lyrics or poetry, however, should be avoided along with any common phrase.

The reason is that a lengthy passphrase can stymie password-cracking software just as effectively as a purely random set of characters can. A run-on string of words can be just about as hard to hack, and it's a lot easier to remember.
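The comparison above can be put into numbers. The following Python sketch is an added example, not taken from the study or the original post: it measures guessing work in bits for random characters, for randomly chosen words, and for a phrase lifted from a known text, then generates a passphrase that matches a nine-character random password. It assumes every character or word is picked uniformly at random; the 7,776-word list size, the 1,000,000-line corpus and the 16-word sample list are constructed for illustration.

```python
import math
import secrets

# Constructed 16-word sample list, for illustration only (4 bits per word).
SAMPLE_WORDS = ("anchor", "basket", "copper", "dragon", "ember", "falcon",
                "garnet", "harbor", "island", "jigsaw", "kettle", "lantern",
                "marble", "nectar", "orchid", "pepper")

def bits_random_chars(length, alphabet_size=94):
    """Guessing work, in bits, for characters drawn uniformly at random.
    94 = printable ASCII characters excluding the space."""
    return length * math.log2(alphabet_size)

def bits_random_words(count, wordlist_size):
    """Guessing work for words drawn uniformly at random from a known list."""
    return count * math.log2(wordlist_size)

def bits_known_phrase(corpus_size):
    """A lyric or quotation is one pick from a corpus an attacker can list."""
    return math.log2(corpus_size)

def words_needed(target_bits, wordlist_size):
    """Fewest random words whose strength reaches target_bits."""
    return math.ceil(target_bits / math.log2(wordlist_size))

def generate_passphrase(target_bits, words=SAMPLE_WORDS):
    """Pick words with a CSPRNG until the phrase reaches target_bits."""
    count = words_needed(target_bits, len(words))
    return [secrets.choice(words) for _ in range(count)]

if __name__ == "__main__":
    target = bits_random_chars(9)  # same length as the article's "B1i7sfy%k"
    print(f"9 random characters:        {target:.1f} bits")
    for n in (4, 5):
        print(f"{n} words from a 7,776 list:   {bits_random_words(n, 7776):.1f} bits")
    # Hypothetical corpus size, to show why well-known phrases are weak.
    print(f"1 of 1,000,000 known lines: {bits_known_phrase(1_000_000):.1f} bits")
    phrase = generate_passphrase(target)
    print(f"{len(phrase)} sample-list words: {''.join(phrase)}")
```

The strength comes from the random selection and the size of the word list, not from length alone, which is why a well-known line scores far lower than a shorter string of randomly picked words.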

Another tool to keep your data secure is changing your password regularly. Some sites already force us into that good habit, but the National Institute of Standards and Technology has issued a recommendation for longer passwords with a shorter lifespan – 60 or 90 days, tops.

Technology experts say all this is a drive to make security tighter while also making it more user-friendly. That means passphrases are more likely to be remembered and changed than random passwords, which keep getting reused because they’re so hard to remember.

We can expect passphrases to come into wider use in the very near future. But as with technology in general, there’s already another alternative on the horizon. The next wave could be two-factor verification, with a code number being sent to the email or cell phone of the user. This method is already being used and could eclipse passphrases as a new security standard.

Bob Williams

Forget genes; I’ve got words in my DNA. Communication has been part of who I am nearly all my life. From a long career in radio news to another one in newspapers – and a University of Georgia journalism degree sandwiched between the two – language has been my life. I’ve also been fortunate to have learned the tax business from the ground up here at Drake, starting with 1040.com online forms some years ago before moving on to work on the Web. In all things tax-ish, we aim to give you tools you can use.