Password Advice has changed.

Back in 2003 Bill Burr, a mid-level manager at the National Institute of Standards, wrote an 8-page publication providing guidance on computer passwords. The document suggested using obscure characters and a mix of upper and lower case, and recommended changing the password regularly. It became the guideline that many government and corporate entities adopted, and his advice was widely disseminated. Today Bill is retired and admits much of his advice was incorrect. Change your password every 90 days? That recommendation should be called “how to increase my support costs by creating calls to the help desk”. The problem is that people make minor changes, such as changing a digit at the end of their existing password. That type of change is easily guessed, so it doesn’t keep hackers at bay. The advice about using special characters ended up being a finger-twisting requirement that irritated users. It gave birth to goofy-looking passwords like Pa$$w0rd, which are so commonly used that they are easily cracked. In June the NIST document (800-63-3) went through a rewrite. The new guidelines drop the password expiration advice, as well as the suggestion to use special characters, which did little for security and negatively impacted usability.

The new guidance suggests long, easy-to-remember phrases over crazy characters, and suggests you should change your password only if there is a sign it may have been stolen. Experts say a series of four words can be harder to crack than a shorter hodgepodge of strange characters. Cartoonist Randall Munroe calculated it would take 550 years to crack the password “correct horse battery staple” (all run together as one word) versus a password like “Tr0ub4dor&3”, which can be cracked in 3 days.

Humans collectively spend the equivalent of 1300 years each day typing passwords, so making them safe yet easy to remember is important. The new NIST guidelines suggest at least an 8-character password, but everyone should allow up to 64 (no more “sorry, your password can’t be longer than 16 characters”). They suggest the password field should accept all Unicode characters, including emoji. They recommend checking passwords against a database of bad choices so that passwords like “changeme” and “Yankees” are eliminated. NIST doesn’t want people to use “password hints”, since many users make hints too obvious to hackers. The good news, as mentioned above, is that they suggest eliminating “composition rules” that are unduly restrictive, along with complexity requirements such as mixed upper and lower case or odd characters. NIST also says you don’t have to expire passwords unless there is a reason.

Recommendations for knowledge-based authentication (KBA) are now out. KBA is when a site says, “Pick from a list of questions – Where did you attend high school?” Apparently this doesn’t provide the level of security that everyone thinks it does. Oddly, they also suggest eliminating text messages as a form of two-factor authentication. Two-factor is where you type a password AND must supply a special code, often delivered to your phone. That advice is based on the possibility of bad guys getting access to the text, but frankly here NIST’s advice may be missing the mark again. SMS text seems to work well for most users. NIST sometimes forgets that usability is a big thing, and as Voltaire said, “perfect is the enemy of good.” Which brings up another potential problem with the new password guidelines: users who insist on using easily remembered sayings or quotes. These will be easy to hack using a dictionary attack. For example, “perfectistheenemyofgood” will get added to hackers’ databases along with “password” and other common phrases. It’s better to choose random words for your password.
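As an added example (not from the original post or from NIST), here is a small Python password checker that applies the rules from the two paragraphs above: it counts Unicode code points so emoji count as characters, normalizes with NFKC, enforces only the 8-to-64 length window with no composition rules, and rejects entries from a constructed blocklist after stripping case and spaces, which is how a quote like “Perfect Is The Enemy Of Good” is caught even when typed with spaces. The blocklist entries and sample candidates are constructed placeholders.

```python
import unicodedata

# Constructed sample blocklist; a real deployment loads a large breached-password list.
BLOCKLIST = {
    "password", "changeme", "yankees", "pa$$w0rd",
    "correcthorsebatterystaple", "perfectistheenemyofgood",
}
MIN_LEN, MAX_LEN = 8, 64  # counted in characters (code points), not bytes


def canonical(pw: str) -> str:
    """Form used for blocklist lookup: NFKC-normalized, lower-cased, whitespace removed,
    so "Perfect Is The Enemy Of Good" and "perfectistheenemyofgood" compare equal."""
    return "".join(unicodedata.normalize("NFKC", pw).lower().split())


def check_password(pw: str) -> list:
    """Return the reasons a candidate password is rejected; an empty list means accept.
    Deliberately absent: composition rules (forced upper/lower/digit/symbol) and expiry."""
    reasons = []
    normalized = unicodedata.normalize("NFKC", pw)  # normalize Unicode before measuring
    n = len(normalized)  # code points, so each emoji or accented letter counts as one
    if n < MIN_LEN:
        reasons.append(f"too short: {n} characters, minimum {MIN_LEN}")
    if n > MAX_LEN:
        reasons.append(f"too long: {n} characters, maximum {MAX_LEN}")
    if canonical(pw) in BLOCKLIST:
        reasons.append("matches a known-bad password or common phrase")
    return reasons


if __name__ == "__main__":
    # Constructed candidates: a blocklisted word, a famous quote, four emoji, four random words.
    for candidate in ["changeme", "Perfect Is The Enemy Of Good", "🔑🔑🔑🔑",
                      "tundra copper lantern verb"]:
        verdict = check_password(candidate)
        print(f"{candidate!r}: {'accepted' if not verdict else '; '.join(verdict)}")
```

Note that “Tr0ub4dor&3” passes every check here: length and a blocklist are what the verifier enforces, and choosing random words rather than a mangled dictionary word remains the user's job.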