In 2003, a man named Bill Burr wrote the password guidelines for the National Institute of Standards and Technology (NIST) that went on to shape the password rules that have permeated the world of technology in the intervening 14 years, much to everyone’s continued annoyance. At the time, his heart and mind were in the right place: forcing us to use complex passwords and change them frequently looked sensible when the guidelines were drafted, but, as humans often do, we shaped our habits to satisfy the letter of the rules while taking the path of least resistance to reduce the hassle. The result is passwords that look complex but are in fact predictable (capitalize the first letter, swap in a digit, tack an exclamation point on the end), because humans are nothing if not predictable. That predictability makes them trivial to crack, especially now that massive data breaches have handed attackers enormous lists of real passwords to learn from, and cheap, powerful hardware can test billions of guesses per second against weakly hashed passwords. Thankfully, the industry seems to be slowly coming to its senses, and NIST has just published a new set of guidelines (Special Publication 800-63B) that will hopefully make passwords less painful.
What this means for you
I know some of you might be feeling like this was all a cruel prank perpetrated by IT to torture you while we cackled like evil scientists. In reality, because of these misguided guidelines, “password reset” requests have been and continue to be the #1 help desk ticket by a landslide, so perhaps you’ll believe me when I say that your local IT professional definitely does NOT like the current state of passwords any more than you do. Our initial sense of relief and confidence when these guidelines were adopted evolved into a few years of complacency, and then slowly slid into an increasing sense of horror and helplessness as hardware grew powerful enough to completely dismantle the very passwords those guidelines, which we finally got everyone to adopt, had been enforcing.
The new guidelines reverse several of the old rules, which should make passwords easier for everyone (except, hopefully, the attackers), but don’t pop the cork on that champagne just yet. It’s going to take the industry some time to shed the old ways. Yes, even the technology industry can be slow to change! That said, here’s what you can look forward to based upon the new NIST password guidelines:
- No more forced periodic password changes. Research has shown that making people change complex passwords on a schedule wasn’t improving security: the new password was usually a small, predictable tweak of the old one (Summer2017 becomes Fall2017), so the change gained nothing. The new rules say a change should be required only when there is evidence the password has been compromised, such as after a breach.
- The burden of password security should be on the service, not the user. Instead of relying on the user to satisfy seemingly arbitrary composition rules (one uppercase letter, one digit, one symbol), let them create longer, simpler passwords and have the service check each new one against a list of known-compromised and commonly used passwords, rejecting only those.
- Require longer but not necessarily more complex passwords. Under the new guidelines a user-chosen password must be at least 8 characters, and the service must accept at least 64, spaces included, so a simple phrase (still checked against that list of common or breached passwords) works. A phrase of sufficient length isn’t harder to memorize, but every added character multiplies the number of guesses an attacker must try, so it becomes exponentially harder to crack than a short password stuffed with symbols. See xkcd’s (internet) famous explanation of this concept.
- No more password hints and secret questions. These were only crutches that propped up the complex-password regime. Hints were invariably either too vague to help or enough to give the password away, and Google and social media, for better or worse, have made knowledge-based questions like “Mother’s maiden name” useless, because the answers are frequently public.
- Organizations and services will store passwords with stronger methods. The massive password breaches of previous years were only useful to attackers because the passwords were stored in plaintext or as fast, unsalted hashes that could be cracked at billions of guesses per second. The NIST guidelines require that stored passwords be salted and run through a deliberately slow, preferably memory-hard, one-way hashing function. A stolen database of such hashes can’t be “decrypted”; every guess has to be hashed and compared, which makes cracking it much, much more expensive.
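The last three points describe what the service, rather than the user, should be doing. Here is an added example of a verifier that follows them, written for this post in Python and not code from the original article or from NIST: it accepts a new password on length and a blocklist alone (no composition rules), and stores it as a salted scrypt hash so that a stolen copy of the database has to be cracked one guess at a time. The blocklist, the 256-character cap and the scrypt cost parameters are assumptions made for the example; a real service would load a large corpus of breached passwords and tune the cost to its hardware.

```python
"""Verifier-side password handling in the spirit of NIST SP 800-63B.

Added example, not code from the original post. Two pieces:
  check_new_password(): accept or reject a user's choice using only length
      bounds and a blocklist (no composition rules, no hints, no rotation).
  hash_password()/verify_password(): store the secret as a salted,
      memory-hard scrypt hash so a stolen record must be cracked guess by guess.
"""
import hashlib
import hmac
import os
import unicodedata
from typing import Optional

# Constructed stand-in for a list of breached and commonly used passwords.
# A real service would load millions of entries from a breach corpus.
BLOCKLIST = {
    "password", "123456", "qwerty", "letmein", "p@ssw0rd", "password1!",
    "summer2017", "fall2017", "welcome1",
}

MIN_LEN = 8     # SP 800-63B: user-chosen secrets are at least 8 characters
MAX_LEN = 256   # SP 800-63B requires accepting at least 64; the cap beyond
                # that is an assumed sanity bound against abusive input
SALT_BYTES = 16
# scrypt cost parameters: assumed values for the example, tune to your hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def normalize(password: str) -> str:
    """NFKC-normalize so the same text typed via different Unicode forms
    hashes identically; SP 800-63B recommends this before hashing."""
    return unicodedata.normalize("NFKC", password)


def check_new_password(password: str, blocklist=BLOCKLIST):
    """Return (accepted, reason). Length plus blocklist is the whole policy;
    spaces and any printable character are allowed so passphrases work."""
    pw = normalize(password)
    if len(pw) < MIN_LEN:
        return False, f"shorter than {MIN_LEN} characters"
    if len(pw) > MAX_LEN:
        return False, f"longer than {MAX_LEN} characters"
    # Case-insensitive lookup so "P@ssw0rd" does not slip past "p@ssw0rd".
    if pw.lower() in blocklist:
        return False, "appears in list of commonly used or breached passwords"
    return True, "accepted"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted scrypt hash in a self-describing 'scheme$N$r$p$salt$digest'
    string, so the cost parameters can be raised later for new records."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(normalize(password).encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and parameters and compare in
    constant time. Malformed or unknown records verify as False."""
    try:
        scheme, n, r, p, salt_hex, digest_hex = stored.split("$")
        if scheme != "scrypt":
            return False
        digest = hashlib.scrypt(normalize(password).encode("utf-8"),
                                salt=bytes.fromhex(salt_hex),
                                n=int(n), r=int(r), p=int(p), dklen=32)
    except ValueError:
        return False
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "Summer2017", "correct horse battery staple"):
        print(f"{candidate!r}: {check_new_password(candidate)[1]}")
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
    print(verify_password("correct horse battery stapel", record))
```

Note that the two “old-school” passwords in the demo, P@ssw0rd and Summer2017, satisfy every traditional complexity rule and are still rejected, while the long, lowercase passphrase is accepted. Each stored record carries its own random salt, so two users with the same password get different hashes and an attacker can’t crack them in one pass with a precomputed table.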
Until your services shed their old password rules, you may still be forced through some seemingly passé password hoops. Keep in mind that even “old-school” passwords are better than none, and long passwords are better than short, commonly used ones. Until your providers get on board, start thinking up a few long, memorable nonsense phrases (and keep them to yourself) to prepare for the password revolution.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net