Annoyed by Password Requirements? Don’t Fret, They May Get Much Easier

We receive calls, emails and messages almost everyday from clients who need their passwords recovered. It’s hard to place blame. Balancing life with work is tough enough, add annoyingly complex passwords and you have a recipe for seriously frustrating distraction. After all these years, you’d think technologists would have conjured up a better access route. The good news is that we may catch a much needed break in the coming months, at least when it comes to passwords.

New Research May Buck Industry Best Practices

You’ve probably heard, even from us at Platte River Networks, that you need to make passwords complicated, using numbers/symbols/hash marks, switching them regularly and don’t use the same one twice. According to the National Institute of Standards and Technology (NIST), you may not need to do any of those things. Not only were the previous guidelines borderline impossible to accomplish, even for seasoned security researchers, according to recent NIST research, those guidelines weren’t even the best approach to password security.

How’d this happen?

In one word: Bureaucracy. In 2003, an eight-page guide on how to create secure passwords was created by Bill Burr, the former manager at the NIST. Burr wasn’t a security expert, and most importantly, he didn’t know much about how passwords worked. At 72 and now retired, he wants to apologize for the plague he bestowed upon us all. “Much of what I did I now regret,” Bill Burr told The Wall Street Journal recently, admitting that his research into passwords mostly came from a white paper written in the 1980s, well before the web was even invented. “In the end, [the list of guidelines] was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree.”

In Burr’s defense, he wasn’t totally wrong. If you are going to use a short password, making it as complicated as possible is the way to go. But simple math shows us that if we create a passphrase of four simple words, or a sentence, we dramatically increase the difficulty in cracking the password, as demonstrated by this awesome comic:

Image: XKCD (published under a Creative Commons 2.5 license)

This comic demonstrates why the latest set of NIST guidelines recommends that people create long passphrases rather than gobbledygook words like the ones Bill thought were secure.

What Is NIST Recommending Now?

  • Keep passwords simple, long and memorable. The longer the safer.
  • Phrases, lowercase letters and typical English words are sufficient.
  • You don’t need special characters and a mix of lower and uppercase letters.
  • And most importantly, phrase passwords never need to expire.

“We focus on the cognitive side of this, which is what tools can users use to remember these things?” Paul Grassi, senior standards and technology adviser at NIST, who led the new revision of guidelines told NPR. “So if you can picture it in your head, and no one else could, that’s a good password. We are really bad at random passwords, so the longer the better.”

A Reminder that Computer Tech is still in Its Infancy

As Gizmodo points out, “Fifteen years ago, there was very little research into passwords and information security, while researchers can now draw on millions upon millions of examples. Bill also wasn’t the only one to come up with some regrettable ideas in the early days of the web, either. Remember pop-ads, the scourge of the mid-aughts internet? The inventor of those is super sorry as well. Oh, and the confusing, unnecessary double slash in web addresses? The inventor of that idea (and the web itself) Tim Berners-Lee is also sorry.”

We tend to focus on the biggest successes and failures in business and tech since the headlines drive our attention and clicks. Often, smaller exercises in trial and error in technology have greater effect. Gizmodo summarized it well saying, “If you get something right, like Jeff Bezos or Mark Zuckerberg have done, the rewards are sweet. If you screw up and waste years of unsuspecting internet users’ time in the process, like Bill did, you get to apologize years later (and still get a pension).”

Please don’t go changing your passwords or company password policy yet.  We will continue to monitor and test this dramatic change and once our task force and the industry confirms this change is truly safer and more effective we will prepare and roll out this change to our customers.  We also recommend implementing a Single Sign On solution in order to simplify the number of passwords one user must memorize.  We are including Single Sign On and other critical security tools in our new Intuition Security + offering coming this fall.  Stay tuned!