Passwords, Myths, and the Wrong Things You Were Taught.
Circa 2003, Bill Burr wrote the primer NIST would eventually adopt as its official guidelines for generating passwords. Those rules we all now know and love, such as using capitalized letters and numbers, not using variations on old passwords, and routinely changing passwords, are all his original ideas. Unfortunately for Burr, there was little research at the time on what made a password secure and how we should handle them. Consider that odd, given that password-protecting a computer has existed for decades. The first known usage was at MIT in 1962, and password encryption (to prevent theft) was introduced in the 1970s by the US Air Force. It would take another 40-some years for a guideline to be formulated and published, and 14 years after that we'd all learn it is mostly wrong.
Those irritating rules about capitalization and symbols, as it turns out, don't really make our passwords more secure. Most people capitalize the first letter and throw the symbols on the end; any cracker worth his salt knows this and adjusts their software accordingly. The next thing we do is use short phrases that are tied to us so they're easy to remember, like our home cities, which is another bad idea given the social-engineering types who look for exactly these things. Then we have the annoyance that we are sometimes routinely required to change our passwords.
What does make a password more secure is length, with or without the symbols. A long, not-so-related phrase 16 or 24 characters in length is orders of magnitude harder to break than a one- or two-word short password with symbols and capital letters. This is the basis of the new NIST guidelines. Among other recommendations, the guidelines also drop periodic password changes. The reason for this change is that we often make passwords less secure with each iteration in order to help us remember them. The only reason to change a password, according to the new guidelines, is if there is reason to believe yours has been compromised.
The caveat is that passwords vulnerable to dictionary attacks are easier to break than those that aren't. Increasing length is great, but if that phrase is a popular phrase or something easy to string together like "iliveonboxstreet", you're only somewhat better off, by virtue of length, than with "boxstreet". What can we do to really make a hard password? Well, random collections of words are a good choice instead of phrases, and toss out the capitalization and symbols to make it easier to remember. For those of us who are SciFi fans, we can incorporate language that isn't even made of "real words". We are, however, beholden to system rules, so don't expect everyone to drop symbols and capitalization overnight; in which case just follow a standard procedure like capitalizing the first letter and putting a symbol on the end, and create that new long password that is easy to recall. Oh, and for the love of all that is holy, stop using the same password for all your accounts: if that password is broken, your entire digital life is broken with it.
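To put numbers on the argument above, here is an added example (not part of the original post) that estimates how many bits of guessing work different attacker models face, and generates a random-word passphrase of the kind recommended. The word list and the dictionary and phrase sizes are constructed assumptions for illustration; a real generator would draw from a large published list such as Diceware.

```python
import math
import secrets

# Constructed mini word list for the demo; use a large published list in practice.
WORDLIST = ["box", "street", "nebula", "ration", "dune", "sable", "quark",
            "lantern", "kobold", "mesa", "tiller", "warp", "ansible", "gloam"]

def charset_bits(password: str) -> float:
    """Work for an attacker who brute-forces every character over the
    character classes actually present (the model the old rules assumed)."""
    size = 0
    if any(c.islower() for c in password): size += 26
    if any(c.isupper() for c in password): size += 26
    if any(c.isdigit() for c in password): size += 10
    if any(not c.isalnum() for c in password): size += 33   # printable symbols
    return len(password) * math.log2(size) if size else 0.0

def word_bits(word_count: int, dictionary_size: int) -> float:
    """Work for an attacker who guesses word_count independent words drawn
    from a dictionary of dictionary_size entries (the dictionary-attack model)."""
    return word_count * math.log2(dictionary_size)

def phrase_bits(phrase_list_size: int) -> float:
    """A popular phrase is effectively ONE entry in a list of common phrases,
    so its length buys almost nothing against an attacker who has that list."""
    return math.log2(phrase_list_size)

def padding_bits(capitalize_first: bool, trailing_symbols: int) -> float:
    """Extra work added by the predictable habit of capitalizing the first
    letter and appending symbols: roughly 1 bit plus ~5 bits per symbol."""
    return (1.0 if capitalize_first else 0.0) + trailing_symbols * math.log2(33)

def generate_passphrase(word_count: int, wordlist=WORDLIST, sep=" ") -> str:
    """Random, unrelated words chosen with a CSPRNG; strength comes from
    word_count * log2(len(wordlist)), not from symbols."""
    return sep.join(secrets.choice(wordlist) for _ in range(word_count))

if __name__ == "__main__":
    print("boxstreet, brute force:      %.1f bits" % charset_bits("boxstreet"))
    print("boxstreet, 2 dictionary words: %.1f bits" % word_bits(2, 20000))
    print("iliveonboxstreet, brute force: %.1f bits" % charset_bits("iliveonboxstreet"))
    print("iliveonboxstreet as a known phrase: %.1f bits" % phrase_bits(100000))
    print("Boxstreet! habit adds only: %.1f bits" % padding_bits(True, 1))
    print("4 random Diceware words: %.1f bits" % word_bits(4, 7776))
    print("example passphrase:", generate_passphrase(4))
```

The brute-force column is what the old rules optimize for; the dictionary and phrase rows are what a real cracker runs first, which is why random words beat a memorable sentence of the same length.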
Here is a good article that details most of the goodies in the new NIST guidelines: "Don't Pass on the New NIST Password Guidelines".