Everything you’ve been taught about passwords is wrong

Does it seem like every time you manage to memorize your new password for a website, it makes you change to another new password?

So then you have to choose a new one that is similar to the one you now have to change, or you come up with a completely new one that you can only remember by writing it down somewhere.

If this describes you, don’t worry, you are not alone, and security experts are slowly coming to realize that most of the silly things we are all forced to do with our online passwords are counterproductive anyway.

Microsoft issued new password policy recommendations for offices that use its software this month, and almost every guideline runs counter to conventional wisdom.

Should administrators require users to change their passwords? No, says Microsoft, “because these requirements make users select predictable passwords, composed of sequential words and numbers that are closely related to each other.” This makes it easy for hackers to guess the next password, and hackers usually use newly obtained passwords immediately, so the gain from switching passwords is negligible.

What about long passwords or passwords that require symbols and numbers? Both bad. Long passwords often result in people just repeating a shorter, more memorable password, and users generally employ symbols and numbers in a predictable pattern. Capital letters are usually used to begin a password, and symbols such as “!” or “$” often go at the end. These complexity requirements “prevent users from using secure and memorable passwords, and force them into coming up with less secure and less memorable passwords.”

Microsoft does not endorse banning all password rules. Some lazy passwords such as “12345” or “abcde” shouldn’t be allowed. And users should be encouraged not to use the same password for multiple sites.
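The guidance in the paragraphs above (no forced rotation, no composition rules, but a ban list for lazy passwords) can be turned into a simple acceptance check. The following is an added example, not code from Microsoft or from the article; the ban list, the 8-character floor, and the "derived from the previous password" rule are assumptions chosen to illustrate the predictable-rotation problem described earlier.

```python
import re
from typing import List, Optional

# Constructed ban list standing in for a "lazy password" list; the article
# names "12345" and "abcde". A deployment would use a large breached-password corpus.
BANNED = {"12345", "abcde", "password", "qwerty", "letmein"}
MIN_LENGTH = 8  # assumed floor; deliberately the only length rule


def core(pw: str) -> str:
    """Lowercase and drop the trailing digits/symbols users bolt on to satisfy
    rotation or complexity rules ("Summer2019!" -> "summer")."""
    return re.sub(r"[\d\W_]+$", "", pw.lower())


def is_sequential(s: str) -> bool:
    """True when each character is exactly one step after the previous one
    ("abcde", "12345", "cdefghij")."""
    return len(s) >= 3 and all(ord(b) - ord(a) == 1 for a, b in zip(s, s[1:]))


def check_password(candidate: str, previous: Optional[str] = None) -> List[str]:
    """Return the reasons a candidate is rejected; an empty list means accepted.
    There are no uppercase/digit/symbol requirements, per the article."""
    reasons = []
    c = core(candidate) or candidate.lower()
    if len(candidate) < MIN_LENGTH:
        reasons.append("too short")
    if c in BANNED or candidate.lower() in BANNED:
        reasons.append("on the banned list")
    if is_sequential(c) or is_sequential(candidate.lower()):
        reasons.append("sequential characters")
    if len(set(candidate.lower())) == 1:
        reasons.append("single repeated character")
    if previous is not None:
        # The predictable rotation the article warns about: same word, bumped number.
        p = core(previous) or previous.lower()
        if c == p or (len(p) >= 4 and p in c):
            reasons.append("derived from the previous password")
    return reasons
```

Passing the user's previous password lets the check reject "Summer2019!" after "Summer2018!", which is exactly the pattern forced rotation produces.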

Multi-factor authentication (where, in addition to a password, another layer of verification is required, such as a code sent to an email address or phone) has become the gold standard for cybersecurity. It may be slightly inconvenient to always have your cellphone handy whenever you want to log on to your company laptop, but at least it’s better than a password made from the name of whichever third-grade classmate you chose this month.
