Get Tech Support Now - (818) 584-6021 - C2 Technology Partners, Inc.

Tuesday, 08 August 2017 / Published in Woo on Tech

Forget what you’ve been taught about secure passwords

In 2003, a man named Bill Burr wrote the password guidelines for the National Institute of Standards and Technology (NIST) that went on to shape the password standards that have permeated the world of technology in the intervening 14 years, much to everyone’s continued annoyance. At the time, his heart and mind were in the right place: forcing us to use complex passwords and change them frequently was actually effective when the guidelines were first drafted, but, as humans often do, we shaped our practices and habits to adhere to the letter of the rules while taking the path of least resistance to reduce the hassle. This has led to passwords that appear complex and secure but are in reality predictable, because humans are nothing if not predictable. That predictability makes them trivial to crack, especially in light of massive data breaches (which hand attackers huge lists of real passwords to learn from) and cheap, powerful computers. Thankfully, the industry seems to be slowly coming to its senses on traditional password guidelines, and NIST has just introduced a new set of guidelines that will hopefully make passwords less painful.

What this means for you

I know some of you might be feeling like this was all a cruel prank perpetrated by IT to torture you while we cackled like evil scientists. In reality, because of these misguided guidelines, “password reset” requests have been and continue to be the #1 help desk ticket by a landslide, so perhaps you’ll believe me when I say that your local IT professional definitely does NOT like the current state of passwords any more than you do. Our initial sense of relief and confidence when these guidelines were adopted evolved into a few years of complacency, and then slowly slid into an increasing sense of horror and helplessness as hardware grew powerful enough to completely dismantle passwords created and enforced by the very guidelines we finally got everyone to adopt.

The new guidelines reverse several of the old rules and should make passwords easier for everyone (except the hackers, hopefully), but don’t pop the cork on that champagne just yet. It’s going to take the industry some time to shed the old ways. Yes, even the technology industry can be slow to change! That said, here’s what you can look forward to based upon the new NIST password guidelines:

  • No more frequent password changes. Research has shown that forcing people to change complex passwords wasn’t improving security. If anything, the password was only incrementally changed, and that change was too predictable to result in any significant security gain. The new rules suggest requiring a change only if a security incident has occurred.
  • The burden of password security should be on the service requiring a password. Instead of relying on the user to make sure their password is complex via seemingly arbitrary and convoluted rules, let them create longer, less-complex passwords and check their creations against a database of known-compromised or otherwise poor choices.
  • Require longer but not necessarily more complex passwords. Simple phrases of sufficient length (checked against a central database of known or too-easy-to-guess passwords) aren’t harder to memorize but become exponentially harder to crack than shorter but more complex passwords. See xkcd’s (internet-)famous explanation of this concept.
  • No more password hints and secret questions. These practices were only crutches that propped up the complex-password regime. Hints invariably were either too vague or gave away too much information, and Google, for better or worse, has made knowledge-based authentication like “mother’s maiden name” useless.
  • Organizations and services will store passwords with stronger, more complex methods. The massive password breaches of previous years were only useful to hackers because the passwords were stored in weakly protected databases. The NIST guidelines spell out methods and standards that will make stolen password databases much, much harder to crack.
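As an added illustration (not code from the post, from NIST, or from C2), here is a small Python policy that applies the points above on the service side: a length check instead of composition rules, a lookup against a known-bad list, and salted, iterated hashing for storage. The known-bad list, the length thresholds and the iteration count are constructed assumptions for the example.

```python
import hashlib
import hmac
import os
import unicodedata

# Constructed stand-in for the "database of known or poor choices" in the post;
# a real service would check a breached-password corpus of millions of entries.
KNOWN_BAD = {"password", "123456", "qwerty", "letmein", "p@ssw0rd1!"}

MIN_LEN = 8            # assumed policy values: long enough, no complexity rules
MAX_LEN = 64           # allow passphrases, but bound what is hashed
PBKDF2_ITERATIONS = 600_000   # assumed work factor for the storage hash


def check_memorized_secret(candidate: str) -> list:
    """Return the reasons a password is rejected; an empty list means accepted.

    Only two rules: length and a blocklist. No composition rules (digits,
    symbols, mixed case) and no expiry, matching the guideline change above.
    """
    pw = unicodedata.normalize("NFKC", candidate)  # one canonical form to compare and store
    problems = []
    if len(pw) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(pw) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    if pw.lower() in KNOWN_BAD:
        problems.append("appears on the known-bad password list")
    return problems


def store_password(pw: str) -> tuple:
    """Hash for storage with a random per-user salt and an iterated KDF, so a
    stolen table cannot be reversed by lookup or cracked once for all users."""
    salt = os.urandom(16)
    pw_bytes = unicodedata.normalize("NFKC", pw).encode("utf-8")
    digest = hashlib.pbkdf2_hmac("sha256", pw_bytes, salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(pw: str, salt: bytes, stored: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    pw_bytes = unicodedata.normalize("NFKC", pw).encode("utf-8")
    digest = hashlib.pbkdf2_hmac("sha256", pw_bytes, salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, stored)


if __name__ == "__main__":
    for pw in ("Tr0ub4d", "P@ssw0rd1!", "correct horse battery staple"):
        print(repr(pw), check_memorized_secret(pw) or "accepted")
```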

Until your services shed their old password rules, you may still be forced through some seemingly passé password hoops. Keep in mind that even “old-school” passwords are better than none, and complex passwords are better than short, commonly used ones. Until your providers get on board, start making a secret list of nonsense phrases to prepare for the password revolution.

Image courtesy of Stuart Miles at FreeDigitalPhotos.net


2 Comments to “Forget what you’ve been taught about secure passwords”

  1. What are the bad guys doing with your stolen passwords? – Get Tech Support Now – C2 Technology Partners says:
    September 5, 2017 at 9:36 pm

    […] password entered has already been compromised and warn against or prevent the user from using it, a new best practice I wrote about a few weeks back. It will be some time before this new practice comes into widespread […]

  2. Tech Resolutions for 2018 – Get Tech Support Now – (818) 584-6021 – C2 Technology Partners, Inc. says:
    January 9, 2018 at 11:16 pm

    […] strong, unique passwords. The standards have changed, but the concept remains the same. Don’t use weak passwords, and certainly don’t use […]
