OpsLens

You May Not Have to Change that Password As Much As You Thought – New Security Tips from the Experts

Vary your password. Give it upper- and lower-case letters, a couple of numbers, a symbol or two.  Change it frequently – at least every 60 days.  Those are the security tips we’ve heard for years, with increasing urgency and complexity.  And they’re all wrong.

New security standards issued by the National Institute of Standards and Technology (NIST) contain some surprising recommendations.  Ditch the old standard of unmemorizable strings of numbers, letters and symbols, and the words with “$” substituting for “S” or “1” standing in for “i” or “l.”  It is better to simply have a string of several unrelated words that are meaningful to you, but would not be to anyone else.  For example, no more Red$k1ns or #12$5Fj(vB73.  Instead, use a string of words that you are certain have never appeared online in that order before, such as “SaturdayWindowGuarddogGreenish.”

NIST is a government science lab, a division of the Department of Commerce, which was founded by Congress in 1901 to standardize weights and measurements.  It is the backbone of the interoperability of American tools, machines, manufacturing, and technology, and affects everything from the electric power grid to atomic clocks to the composition of steel.

It also weighs in with recommendations on electronic security, and is in fact the defining body that determines what constitutes adequate security measures for electronic identification and verification.  While these determinations are merely advisory opinions for the private sector, they are legal mandates for federal departments and agencies.  When new cyber-security standards are issued, they make a huge splash in the federal public sector, but cause quiet ripples throughout the rest of the economy.


NIST has been working on new password standards since early 2016, and just issued new guidelines for federal agencies.  Knowing that these guidelines are used by the private sector as starting points for corporate security measures, NIST released them to the public.  As the cyber-security site PasswordPing notes, the new guidelines suggest three major changes: 1) stop requiring frequent password changes – change passwords only when they may have been compromised; 2) stop requiring complex composition rules (mandatory mixes of cases, digits and symbols); and 3) require passwords to be screened against lists of known passwords from data breaches.
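The three changes above translate directly into a verifier's password-acceptance rule.  The following is an added example written for this article, not code from NIST or PasswordPing: it enforces a minimum length, screens candidates against a (constructed, deliberately tiny) breached-password set by hash comparison, rejects context-specific words and obvious repeats or sequences, and enforces no composition rules and no expiry.  The 8-character minimum and the blocklist categories follow NIST SP 800-63B; the sample breached list, the function names and the `run` length are this example's own assumptions.

```python
import hashlib
from typing import Optional

# Constructed sample standing in for a breach-derived corpus; a real
# deployment would load a large list rather than these five entries.
_BREACHED_SAMPLE = ["Red$k1ns", "password", "123456", "qwerty", "letmein"]

# Keep only hashes of the breached entries, as a screening service would.
BREACHED_SHA1 = {hashlib.sha1(p.encode("utf-8")).hexdigest() for p in _BREACHED_SAMPLE}

MIN_LENGTH = 8  # SP 800-63B minimum for user-chosen memorized secrets


def is_breached(password: str) -> bool:
    """Screen a candidate against the breached set by SHA-1 hash comparison."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest()
    return digest in BREACHED_SHA1


def has_repetition_or_sequence(password: str, run: int = 4) -> bool:
    """Detect runs such as 'aaaa' or '1234' / 'abcd' of length >= run (case-insensitive)."""
    lowered = password.lower()
    for i in range(len(lowered) - run + 1):
        window = lowered[i:i + run]
        if len(set(window)) == 1:          # same character repeated
            return True
        codes = [ord(c) for c in window]
        if all(codes[j + 1] - codes[j] == 1 for j in range(run - 1)):
            return True                    # ascending sequence
    return False


def check_password(password: str, username: str = "", service: str = "") -> Optional[str]:
    """Return None if the password is acceptable, otherwise the reason it was rejected.

    Deliberately applies NO composition rules (no required digits, symbols or
    mixed case) and no rotation schedule; strength comes from length plus screening.
    """
    if len(password) < MIN_LENGTH:
        return f"too short: fewer than {MIN_LENGTH} characters"
    lowered = password.lower()
    for word in (username, service):
        if word and word.lower() in lowered:
            return "contains a context-specific word (username or service name)"
    if has_repetition_or_sequence(password):
        return "contains repeated or sequential characters"
    if is_breached(password):
        return "appears in a known data breach"
    return None


if __name__ == "__main__":
    for candidate in ("Red$k1ns", "SaturdayWindowGuarddogGreenish", "aaaa1234xyz"):
        print(f"{candidate!r}: {check_password(candidate) or 'accepted'}")
```

Note that the check never asks the user to add a symbol or a digit: “SaturdayWindowGuarddogGreenish” passes on length and absence from the breach set alone, while “Red$k1ns”, which satisfies every old-style composition rule, is rejected purely because it is already in the breached list.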

For those who would like to get an idea of whether their passwords are secure, PasswordPing offers a free password check service.  You can compare a chosen password to the database of stolen passwords, to see whether it has already been compromised.  Many hackers try to unlock your accounts with “brute force attacks,” which simply use powerful computers to run through series of character combinations in repeated attempts to break into your account.  It’s a little like trying to open a simple combination lock by trying 0-0-1, 0-0-2, etc. until you hit the right sequence.  The tools used for those attacks contain lists of previously stolen passwords, because not only are people creatures of habit, but most people are not that creative, and really do think alike.

The reason NIST suggests abandoning the words with substitute symbols is that they are too easy to guess.  For a fun learning exercise, try running a few types of passwords through the security checker at https://howsecureismypassword.net/.  “Red$k1ns” would take an average fast computer about 9 hours to crack; “Red$k1ns$t!nk”, about 3 million years (maybe there are more lessons than one in there).  “SaturdayWindowGuarddogGreenish”, on the other hand, would take that same computer over 2 decillion years to crack.  I don’t even know how many that is, but it sounds like a lot, and it’s a lot easier to remember.  And “#12$5Fj(vB73”, which looks so high-tech and impressive, clocks in at a paltry 34,000 years.  Of course, for a supercomputer of the type used by the most sophisticated hackers, those times are cut to tiny fractions of the estimates above.
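The crack-time figures above come from a simple model: count the character classes a password uses, raise that alphabet size to the password's length, and divide by a guessing rate.  The following added example (written for this article, not code from the checker site or from NIST) reproduces that arithmetic so the numbers can be compared on equal footing, and adds the caveat a defender should know: if an attacker assumes the password is a handful of common words, the search space is the dictionary size raised to the word count, which can be far smaller than the character-based estimate.  The class sizes (95 printable ASCII characters in total), the 10,000-word dictionary and the guessing rates are this example's own assumptions.

```python
import math

# Printable ASCII split into the classes a checker typically counts.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}


def charset_size(password: str) -> int:
    """Sum the sizes of the character classes actually present in the password."""
    size = 0
    if any(c.islower() for c in password):
        size += CLASS_SIZES["lower"]
    if any(c.isupper() for c in password):
        size += CLASS_SIZES["upper"]
    if any(c.isdigit() for c in password):
        size += CLASS_SIZES["digit"]
    if any(not c.isalnum() for c in password):
        size += CLASS_SIZES["symbol"]
    return size


def char_keyspace(password: str) -> int:
    """Guesses needed to exhaust every string of this length over this charset."""
    return charset_size(password) ** len(password)


def word_keyspace(num_words: int, dictionary_size: int) -> int:
    """Guesses needed if the attacker enumerates word combinations instead of characters."""
    return dictionary_size ** num_words


def entropy_bits(keyspace: int) -> float:
    """Keyspace expressed in bits, the usual way to compare password strength."""
    return math.log2(keyspace)


def years_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    """Worst-case time to try the whole keyspace at a given guessing rate."""
    seconds = keyspace / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    rate = 1e11  # assumed guesses per second for a fast GPU rig
    for pw in ("Red$k1ns", "Red$k1ns$t!nk", "#12$5Fj(vB73", "SaturdayWindowGuarddogGreenish"):
        ks = char_keyspace(pw)
        print(f"{pw:32} {entropy_bits(ks):6.1f} bits  {years_to_exhaust(ks, rate):.3g} years")
    # Caveat: the same passphrase modelled as 4 words from a 10,000-word list.
    ks = word_keyspace(4, 10_000)
    print(f"{'4 common words':32} {entropy_bits(ks):6.1f} bits  {years_to_exhaust(ks, rate):.3g} years")
```

Run as-is, the character model puts “Red$k1ns” near 53 bits and the 30-character passphrase above 170 bits, matching the article's ordering.  The last line is the caveat: four words drawn from a 10,000-word list is also about 53 bits, no stronger than “Red$k1ns” against an attacker who guesses word combinations.  The passphrase advice still holds, but only when the words are genuinely unrelated and chosen from a large vocabulary, which is exactly why NIST pairs it with breach-list screening rather than relying on length alone.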

The final recommendation, that passwords no longer need to be changed as a matter of routine, is given for the simple reason that, like the complexity rule, forced rotation makes passwords hard to remember.  It also leads to carelessness: if forced by a site administrator to change a password at an inopportune moment, a user may come up with a weak one, intending to change it later.  It’s much better to have a string of randomly chosen words, and remember them for a very long time.  But don’t take “SaturdayWindowGuarddogGreenish” – that’s mine.