Everything you thought you knew about passwords is wrong, according to newly revised NIST guidelines.
(For recommendations, skip to the "What should I do?" section at the end of this blog post!)
What's the news?
The National Institute of Standards and Technology (NIST) sets the U.S. standards for scientific industries and practices — including, notably, standards for setting up passwords.
NIST Special Publication 800-63 outlines guidelines for maintaining secure passwords, hilariously called "memorized secrets" throughout the document. Though the publication has been under review for the past two years, it's only recently been fully re-released featuring new rules that have us re-thinking the way we protect our accounts. (If you're reading along, skip to Appendix A. That's where the new guidelines are.) And a few months after the revised document's June release, its original author Bill Burr said in an interview with the Wall Street Journal that he regretted setting standards the way he did back in 2003. That's why we're hearing more about the revised guidelines now.
A lot has changed, and for the better. Most notably, the new guidelines are a lot more user-friendly. Here are the highlights:
Instead of forcing users to include special ch@r@cter$ or Capital Letters or numb3rs, the revised document favors length for creating strong passwords.
No more requiring a password change after a set amount of time.
Recommended minimum number of characters: up to 8 from (usually) 6. Recommended maximum: up to 64 from (usually)16.
Apps must now allow ASCII and UNICODE characters, which puts spaces and emojis in the frame.
System owners and users are recommended to check new passwords against well-known password dictionaries, such as RockYou (linked here along with several other password dictionaries for you to try out).
Password hints are now a no-go, as are knowledge-based security questions, or KBA (e.g., What was the name of the first street you lived on?).
This advice resonates with me deeply, as I've had an ongoing war with passwords for almost 20 years. I've realized recently why I'm so fascinated with passwords: They are the convergence of math and psychology, two of my favorite subjects.
First, the math — permutations, to be exact.
Brute-force password cracking is just applying the concept of permutations. During classes I teach for certain DOD units, I conduct an informal survey of the students to illustrate this point. I ask them to guess which password is more resistant to brute force attack: an 8-character password made up of capital and lower case letters, numbers, and special characters, or a 15-character password made up of lower case letters. Usually, at least half of these students pick the 8-character password, until I show them the following math:
long, simple password = 26 characters ^15th power = ~ 1.6 sextillion (21 0's) permutations
short, complex password = 96 characters ^8th power = ~ 7.2 quadrillion (14 0's) permutations
Granted, both numbers are large, but the long, simple password has more than 230 thousands times as many permutations.
Now, for the psychology — or, in this case, the science of human laziness.
The NIST document goes into much more detail, but it boils down to the universal truth that trying to remember complex passwords really sucks. Many people just refuse to exert that much effort. I used to work under some top-level executives who enlisted the security department to change their passwords for them every 30 days, then alert their secretaries to the new passwords. How many security policies do you think that broke? So, new password guidelines take that laziness into account when, say, getting rid of 30-day expirations for passwords.
What should I do?
Advise your users to utilize a password manager (something like KeePass). They can store passwords, thereby allowing them to choose longer, more difficult-to-remember ones without having to actually remember them. Plus, many passwords managers (including KeePass) will autogenerate long passwords for you.
Make each password as different as possible, so that if one gets compromised it won't lead to another.
Leverage other authentication options, such as 2-factor authentication, when available.
Seriously, test passwords against those hacker dictionaries. Those dictionaries are the fastest way for someone to crack your accounts.
Like what you read? Want to get notified when I post? Subscribe to the email list.