
All That Password Advice? Forget About It!

Aug. 24, 2017
Do we really need all these upper, lower, special characters, numbers, and spaces in passwords that then have to be changed every time we turn around?

For years, ever since the web went worldwide and the internet encircled the globe, IT departments, sites professing concern for our privacy, and employers have told us to make our passwords robust and strong. Some sites even had little meters that rated a proposed password on a scale from “weak” to “very strong.” The gold standard was a password of at least eight characters mixing upper- and lower-case letters, digits, punctuation, and special characters such as &, @, and #. Never use easily guessed words such as your name, alma mater, or mother’s maiden name, or your social security or phone number, and for goodness’ sake, change it like clockwork every 90 days.

Much of that advice traces back to a NIST document, “NIST Special Publication 800-63,” whose password appendix was written by a NIST manager in 2004, some 13 years ago. Turns out that manager was wrong.

Eight characters didn’t turn out to be much of a hurdle for run-of-the-mill attackers, and the advice (a mandate, really, in the corporate world) to change passwords regularly led users to go from a password of eXampl31 to eXampl32 three months later. The result was passwords attackers could predict, and cracking tools tuned to exactly those habits. NIST now admits those “best practices” were far from the best in terms of cybersecurity and, on top of that, had a “negative impact on usability.” In other words, they were a recurring pain in the neck for everyone working on networked computers.

Randall Munroe, the xkcd cartoonist, drew a strip comparing the difficulty of cracking a NIST-style password (Tr0ub4dor&3) with that of four random common words (correct horse battery staple). By his estimate the first has about 28 bits of entropy (an uncommon word plus a few predictable tweaks: a capital letter, some letter-for-digit substitutions, an appended digit and symbol) and the second about 44 bits (four words drawn at random from a list of roughly 2,000). A computer making 1,000 guesses a second would need about three days to exhaust the first and about 550 years for the second. The caveat a practitioner would add: 1,000 guesses a second is a throttled online attack against a login form. Against a stolen database of fast, unsalted hashes, off-the-shelf GPU rigs manage billions of guesses a second, and even 44 bits falls in hours rather than centuries.
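To make the arithmetic behind that comparison concrete, here is an added example (my code, not Munroe’s and not part of the original article) that totals the comic’s entropy estimates for each scheme, converts them to exhaustive-search time at a chosen guess rate, and draws a fresh passphrase with the operating system’s random generator. The 1,000-guesses-per-second rate is the comic’s; the 10-billion-per-second rate and the eight-word sample list are constructed stand-ins for a GPU cracking rig and a real diceware-style wordlist.

```python
"""Guessing-entropy arithmetic behind 'Tr0ub4dor&3' vs 'correct horse battery staple'."""
import math
import secrets

SECONDS_PER_YEAR = 365.25 * 86400

# Constructed stand-in for a real diceware/EFF wordlist (assumption: a real list has
# thousands of entries; the entropy figures below use the comic's 2,048-word size,
# not the size of this sample).
SAMPLE_WORDS = ["correct", "horse", "battery", "staple",
                "anvil", "lantern", "pepper", "quartz"]


def bits_mangled_word(base_word_bits=16, caps_bits=1, substitution_bits=3,
                      digit_bits=3, symbol_bits=4, order_bits=1):
    """Entropy of a Tr0ub4dor&3-style password as an attacker models it: an uncommon
    dictionary word plus a few predictable tweaks (which letter is capitalised, which
    letters become digits, one appended digit, one symbol, and their order).
    The defaults are the comic's estimates; the pieces add because each is an
    independent choice."""
    return (base_word_bits + caps_bits + substitution_bits
            + digit_bits + symbol_bits + order_bits)


def bits_word_passphrase(n_words, list_size):
    """Entropy of n_words chosen uniformly (with replacement) from list_size words."""
    return n_words * math.log2(list_size)


def crack_time_seconds(bits, guesses_per_second):
    """Time to exhaust a 2**bits search space at the given guess rate (worst case;
    the expected time is half that)."""
    return 2 ** bits / guesses_per_second


def human_time(seconds):
    """Render a duration in the largest convenient unit."""
    for unit, size in (("years", SECONDS_PER_YEAR), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


def generate_passphrase(wordlist, n_words=4):
    """Draw words with the OS CSPRNG. The entropy estimate only holds if the machine,
    not the user, picks the words."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def compare(rates=(1_000, 10_000_000_000)):
    """Bits and exhaustive-search seconds for both schemes at each guess rate.
    1,000/s is the comic's throttled-online assumption; 1e10/s is a constructed
    stand-in for offline cracking of a fast unsalted hash on GPU hardware."""
    schemes = {
        "Tr0ub4dor&3": bits_mangled_word(),
        "correct horse battery staple": bits_word_passphrase(4, 2048),
    }
    return {name: {"bits": bits,
                   "seconds": {rate: crack_time_seconds(bits, rate) for rate in rates}}
            for name, bits in schemes.items()}


if __name__ == "__main__":
    for name, info in compare().items():
        print(f"{name!r}: {info['bits']:.0f} bits")
        for rate, secs in info["seconds"].items():
            print(f"  at {rate:,} guesses/s: {human_time(secs)}")
    print("fresh passphrase:", generate_passphrase(SAMPLE_WORDS))
```

Run it and the two rates tell the whole story: at 1,000 guesses a second the passphrase looks unbreakable, at 10 billion it lasts about half an hour, so the defender’s other job is to make sure the attacker never gets to run offline against a fast hash in the first place (slow, salted password hashing and rate-limited logins).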

NIST has since rewritten that publication as Special Publication 800-63B, Digital Identity Guidelines. It drops the advice to change passwords every 90 days and the requirement to mix upper- and lower-case letters with numbers or symbols. Instead it recommends long, easy-to-remember strings of words, tells verifiers to check a candidate password against lists of known-compromised and commonly used values, and says to replace a password only when there is evidence it has been compromised.
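As an added illustration (not NIST’s code and not part of the original article), the following Python check applies the shape of the new 800-63B rules to a candidate password: a length floor of eight, a generous ceiling, no composition rules, no expiry, and rejection of values that appear in a compromised-password list, are repetitive or sequential, or contain the username or service name. The compromised list is a constructed handful of entries standing in for a breach corpus of millions; the length ceiling of 256 is an assumption chosen to comfortably exceed the 64 characters the guideline asks verifiers to accept.

```python
"""Memorized-secret acceptance check shaped like NIST SP 800-63B section 5.1.1.2."""
import unicodedata

MIN_LENGTH = 8      # floor for user-chosen secrets
MAX_LENGTH = 256    # assumption: comfortably above the 64 the guideline asks for; never truncate

# Constructed stand-in for a breach corpus and common-password list (assumption: a real
# verifier checks millions of entries, via a local dump or a k-anonymity lookup service).
COMPROMISED = {"password", "123456", "qwerty", "letmein", "eXampl31", "eXampl32"}
_COMPROMISED_LOWER = {p.lower() for p in COMPROMISED}


def normalize(secret):
    """Normalise Unicode (NFKC) and compare code points, not bytes, so visually identical
    inputs compare equal and long non-ASCII secrets are not penalised."""
    return unicodedata.normalize("NFKC", secret)


def is_repetitive_or_sequential(s):
    """True for 'aaaaaaaa', '12345678', 'abcdefgh', 'hgfedcba' and the like."""
    if len(set(s)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps in ({1}, {-1})


def check_secret(secret, username="", service_name="", compromised=None):
    """Return (accepted, reason). Deliberately absent: composition rules (no demand for
    upper/lower/digit/symbol), expiry, and any restriction on spaces or Unicode."""
    blocked = _COMPROMISED_LOWER if compromised is None else {p.lower() for p in compromised}
    s = normalize(secret)
    lowered = s.lower()
    if len(s) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if len(s) > MAX_LENGTH:
        return False, f"longer than {MAX_LENGTH} characters"
    if lowered in blocked:
        return False, "appears in a list of compromised or commonly used passwords"
    if is_repetitive_or_sequential(s):
        return False, "repetitive or sequential characters"
    for label, ctx in (("username", username), ("service name", service_name)):
        if ctx and ctx.lower() in lowered:
            return False, f"contains the {label}"
    return True, "accepted"


if __name__ == "__main__":
    # Constructed candidates, including the article's eXampl31 -> eXampl32 rotation.
    for candidate, kwargs in [
        ("correct horse battery staple", {}),
        ("Tr0ub4dor&3", {}),
        ("eXampl32", {}),
        ("Password", {}),
        ("abcdefgh", {}),
        ("machinedesign2017", {"service_name": "MachineDesign"}),
    ]:
        ok, why = check_secret(candidate, **kwargs)
        print(f"{candidate!r}: {'accept' if ok else 'reject'} ({why})")
```

Note what this check does not do: it accepts Tr0ub4dor&3 as readily as the four-word passphrase, because the new guidance removes the composition requirement rather than banning short mangled words. The compromised-list lookup is what catches the eXampl31-to-eXampl32 habit, and the guideline’s cap on failed login attempts is what keeps the online guess rate in the neighbourhood Munroe assumed.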

I applaud NIST for updating their guidelines, but I wonder what took so long. If a cartoonist can figure out the vulnerability of those earlier passwords, certainly the whiz kids at NIST should have figured them out as well? Or maybe those software savants aren’t all that “savanty.”
