In a former life, I was a system administrator for not only the PC repairs company I worked for, but a number of other clients as well. One of the main issues I had was deciding on password complexity and what kind of measures needed to be taken to protect passwords. I ended up not implementing policies like changing it every 30 days and not requiring special characters, because the reality is that complex passwords just aren’t that easy for the average human to memorise.
With the rise of AI now implementing patterning along with dictionary attacks, even previously “secure” passwords like “!1Q2w3E4R?” are not safe, because machines can easily crack them. Well, thanks to a new password policy standard from the National Institute of Standards and Technology (NIST), we can all start implementing passwords that are actually secure, instead of passwords that are easily cracked using brute force methods.
The current password standard was influenced by a 2003 NIST report creatively labeled “Special Publication 800-63. Appendix A” (I remember it, because I had to read it as part of my studies at college). In it, NIST’s guidelines recommend the use of special characters, non-dictionary terms, and long password lengths to add to existing password security measures like hashing and encrypted private key transactions.
The guidelines were written by NIST employee Bill Burr (no relation to the comedian), and were written without knowledge of how effective the policies were, or how people were going to adopt them (not because of incompetence, mind you, but because no-one was really thinking about this problem to begin with). The report was published in 2003, but today people still write their passwords on notes stuck to their monitors, or leave clues and hints on their desk to remind them what their password is, and they still choose to pick one only eight characters long.
NIST’s new guidelines, published on 22 June 2017, are now much more realistic and effective in a world where the top ten worst passwords continue to be used to secure valuable systems. Titled “Digital Identity Guidelines”, the four-part document now recommends that two-factor authentication should be used wherever possible, whether through a physical security chip, a device unlocker that uses Bluetooth, a biometrics system, or a combination of everything, including a password. The guidelines also suggest that dumb authentication methods using complex tools are pointless – for security to remain effective, the method should not be annoying.
It’s honestly amazing to me that it took fifteen years for someone at NIST to realise this and put it down in an official document. It’s even the subject of a famous XKCD comic.
Buried a few pages down in the “Authentication and Lifecycle Management” part of the report, page 62 imposes new rules for software and hardware vendors adhering to the standard. These include:
- Don’t frequently require passwords to be reset; only require a reset if there is a chance that account details have been compromised.
- Allow character lengths up to 64 characters to support passphrases.
- Don’t impose rules that require the use of special characters.
- Don’t hide text immediately as it’s being entered to avoid login errors.
- Don’t time text entry for two-factor authentication entries to one minute because of outside interference.
- Biometrics don’t always work with one thing, so use more than one.
- Don’t allow users to choose short passwords.
- Don’t allow users to use passwords that are the same as their login names.
- Allow users to reset a password on their own without calling in IT support.
The bottom line of the report, and the whole reason for the rewrite in general, is that logging into anything securely these days is a pain in the neck. If security becomes a bothersome thing to implement, there’s a greater chance that users will try to find ways around the system in order to make their lives easier (which includes leaving a weight on an arrow key to prevent a computer from locking).
If you’re reading this and wondering whether changing all your needlessly complex passwords now is warranted, you should have a look at whether you can use a passphrase instead. Google and Microsoft’s services support the use of passphrases up to 32 characters today, and these are much easier to remember than the old stuff into which we were previously forced. Alternatively, use a password manager like LastPass, and use a passphrase for your LastPass account.