Remember when the IT guy in your office told you to use alphanumeric characters in your password? And then gave you a look when you asked him what alphanumeric meant? Well, call him right now. And tell him he needs to update your company’s password security protocols because there has been a shakeup. Your secure passwords are no longer secure.
The Standard of Secure Passwords
Bill Burr, a 72-year old former National Institute of Standards and Technology (NIST) manager, wrote the document that set the standards for secure passwords back in 2003. The eight-page document, “NIST Special Publication 800-63. Appendix A”, laid out the recommendations we have become all too familiar with.
Use special characters such as @ and ^. Use irregular capitalization. And include at least one numeral. Burr also recommended that people should change their passwords every 90 days. This is to create an extra layer of security. Governments and businesses everywhere then adopted these recommendations.
Predictability Led to Vulnerability
Yes, people ended up creating passwords that appeared secure on the surface. But the human tendency to be predictable ultimately rendered these passwords vulnerable. Eventually, hackers were able to devise algorithms that specialized in targeting common weaknesses.
For example, most folks would use the @ symbol as a substitute for the letter A. So, if someone set “@Lf@lF@” as their password, an algorithm could break that soon enough. Probably in the same amount of time it would take a hacker to order a pizza. It does not help matters when people tend to recycle their passwords. They tend to simply make a minor alteration to it. So “r@$C@L” becomes “r@$C@L1” then “r@$C@L2” and so on.
The Guidelines Were Misguided
Burr himself admitted in an interview with The Wall Street Journal that those guidelines might have been misguided. “Much of what I did I now regret,” he said. “In the end, it was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree,” he added.
What Are the New Standards?
The NIST evidently agreed with Burr’s sentiments. The organization published new recommendations in June that did away with much of Burr’s guidelines. Some of the key points from the new standards are:
- No mandatory periodic password resets. Since users tended to just alter their old passwords by adding an extra character or number.
- Allow users to view their passwords while they are typing. This is to prevent errors and to encourage users to type longer passwords.
- Allow users to copy and paste their passwords into the password field. This can be aided by the increasingly widespread use of password managers.
- Require the checking of every new password against a list of commonly used passwords. Including those with sequential or repetitive characters and dictionary words.
- Disable password hints or the use of knowledge-based authentication. The reason behind this is that most of the personal information this requires can easily be found on social media.
- Limit the allowed number of password attempts to combat online brute force attacks.
Create Secure Passwords
Ultimately, you would be better off formulating a password that contains random yet easily remembered words such as “bicyclecreeksundae” and other such whimsical phrases. You can also opt to use a password manager such as LastPass or Dashlane. Be sure to look for a password manager that can save your data both on your machine and in the cloud while providing high-level encryption.
So now you know a better way to create secure passwords. Follow the new guidelines as soon as you can!
