For years, ever since the web really went worldwide and the internet encircled the globe, we’ve been told by IT folks, sites evincing concern for our privacy, and employers to make sure our passwords were robust and strong. Some sites even had little meters that would rate the strength of our proposed passwords on a scale from “weak” to “very strong.” The gold standard was a password of at least eight characters mixing upper- and lower-case letters, digits, punctuation, and special characters such as &, @, and #. And never use easily remembered words such as your name, alma mater, or mother’s maiden name, or your social security or phone number, and for goodness’ sake, change them like clockwork every 90 days.
All that advice stemmed from a report from the National Institute of Standards and Technology, “NIST Special Publication 800-63,” which was written by a NIST manager about 15 years ago. Turns out that manager was wrong.
Eight characters didn’t turn out to be much of a hurdle for run-of-the-mill hackers, and the advice (a mandate, really, in the corporate world) to change them led users to go from a password of eXampl31 to eXampl32 three months later. The result was passwords hackers could predict, and cracking tools written to target exactly that behavior. NIST now admits those “best practices” were far from the best in terms of cybersecurity, plus, they had a “negative impact on usability.” Or, in other words, they were a recurring pain in the neck for all those working on networked computers.
Randall Munroe, a cartoonist, wrote a piece looking at the difficulty of cracking a NIST-approved password (Tr0ub4or&3) and a password consisting of four random words (correct horse battery staple). According to him, a computer programmed to make 1,000 guesses a second would take about three days to crack the first and about 550 years to conquer the second.
NIST has rewritten that publication (the new one can be found here). It drops the advice to change passwords every 90 days and to require a mix of upper- and lower-case letters, numbers, and keyboard symbols. Instead, a long, easy-to-remember string of words is recommended, to be replaced only if there are signs your security has been breached.
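To put the cartoon’s comparison and NIST’s current preference for long word strings into numbers, here is an added example (my own code, not from the page, Munroe, or NIST). It assumes a 2,048-word dictionary (11 bits per word), takes Munroe’s roughly 28-bit estimate for the pattern-built password as a given, and uses a constructed eight-word list only to show the mechanics of picking words at random.

```python
import math
import secrets

# Guessing rate used in Munroe's comparison: 1,000 guesses per second.
GUESSES_PER_SECOND = 1_000
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY


def passphrase_entropy_bits(word_count: int, dictionary_size: int) -> float:
    """Entropy of word_count words chosen uniformly at random from a dictionary."""
    return word_count * math.log2(dictionary_size)


def charset_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy a password of `length` characters WOULD have if every character were
    uniformly random over alphabet_size symbols. A word plus predictable
    substitutions falls far short of this, which is why the pattern-based
    estimate below is so much smaller."""
    return length * math.log2(alphabet_size)


def search_space(entropy_bits: float) -> float:
    """Number of guesses needed to exhaust a space of entropy_bits bits."""
    return 2.0 ** entropy_bits


def crack_time_days(entropy_bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    return search_space(entropy_bits) / rate / SECONDS_PER_DAY


def crack_time_years(entropy_bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    return search_space(entropy_bits) / rate / SECONDS_PER_YEAR


# Constructed word list for demonstration only; a real generator needs a list
# of thousands of words (2,048 words gives 11 bits per word, the figure assumed here).
DEMO_WORDS = ["correct", "horse", "battery", "staple", "garden", "pillow", "rocket", "window"]


def generate_passphrase(word_count: int = 4, words=DEMO_WORDS) -> str:
    """Pick words with the cryptographically secure `secrets` module, never `random`."""
    return " ".join(secrets.choice(words) for _ in range(word_count))


if __name__ == "__main__":
    pattern_bits = 28  # Munroe's estimate for the pattern-built password (his figure, assumed)
    phrase_bits = passphrase_entropy_bits(4, 2048)  # 44 bits for four words
    print(f"pattern password: {pattern_bits} bits -> {crack_time_days(pattern_bits):.1f} days")
    print(f"four-word passphrase: {phrase_bits:.0f} bits -> {crack_time_years(phrase_bits):.0f} years")
    print(f"naive 10-char brute force over 95 symbols: {charset_entropy_bits(10, 95):.1f} bits")
    print("sample passphrase:", generate_passphrase())
```

The 28-bit pattern password exhausts in about 3.1 days and the 44-bit passphrase in about 557 years at 1,000 guesses per second, matching the cartoon’s “three days” and “550 years”.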
I applaud NIST for updating their guidelines, but I wonder what took so long. If a cartoonist can figure out the vulnerability of those earlier passwords, surely the whiz kids at NIST should have figured it out as well? Or maybe those software savants aren’t all that “savanty.”