Traditionally, passwords were supposed to be super long, super complex, and super hard to remember! Passwords needed to be 8 or more characters long, use UPPER and lower case letters, numbers, and some type of symbol. Passwords were required to change every so often (usually every 90 days), and passwords managers were a NO-NO.
These guidelines often left users flustered and frustrated resulting in passwords being “Spring2017!” (that fits right?) or a super complex password that is written on a post-it note on their monitors.
“The traditional guidance is actually producing passwords that are easy for bad guys and hard for legitimate users,” says Paul Grassi, senior standards and technology adviser at NIST, who led the new revision of guidelines.
The NIST recently released new password guidelines that relax the complexity level of passwords, stating instead it is better to use passwords that are simple, long, and memorable. Passwords that are a mix of 4-7 random words work better than complex passwords, and they are easier to remember. Along with relaxing the complexity requirements, they have changed their opinion on when passwords should expire. The good news – NEVER.
“We focus on the cognitive side of this, which is what tools can users use to remember these things?” Grassi says. “So if you can picture it in your head, and no one else could, that’s a good password.”
While it may seem that the new relaxed standards would make it easier for the bad guys, it in fact, makes it harder. The length of a password, not complexity, are what make it hard to crack.
“It works because we are creating longer passwords that cryptographically are harder to break than the shorter ones, even with all those special character requirements,” Grassi says. “We are really bad at random passwords, so the longer the better.”
Also, forcing users to change passwords every 90 days negatively affects users with almost no gain in security. Users tend to change the last character of their password instead of the entire password.
“I’m pretty sure you’re not changing your entire password; you’re shifting one character,” he says. “Everyone does that, and the bad guys know that.”
So Now How Do You Create A Secure Password?
- Think of 4-7 random words that you can remember. Make it personal (it’s easier to remember that way). fishdogsgamerroundrockblogwork – That is one very long password, but for me it is easy to remember. Why? Because I own fish and dogs, I am a gamer, I live in Round Rock, I like to blog, and I work a lot.
- Think of a phrase that is easy to remember for you, but no one else would think of it. mydogzeusis7yearsold – This one is very easy to remember.
- Keep personal information out of your passwords (birth date, start date at your job, phone number).
- If possible always take advantage of 2-factor authentication. This simple method of security is the most secure method of logging and keeping your data secure.
2-Factor Authentication – What Is It?
2-Factor Authentication, also known as 2FA, two step verification, or multi factor authentication (MFA), is an extra layer of security that utilizes not only your memorized password, but also something that ONLY that user has access to (such as an APP on their phone, or access to their text messages)
For example, you log into your banking website with your banking username and password, upon successful validation of the username and password you can opt to be prompted for another form of authentication (2FA). The easiest method of 2FA is to use an Authenticator application on your phone (Google Authenticator is my personal choice) or to have a text message code sent to your phone. You must put in the code from one of the forms of 2FA in order to be successfully logged into your banking website.
This method makes it almost impossible for attackers to access your account information as they would need to know not only your username and password, but have access to your cell phone in order to get the one time code that is sent to you.
Should I Go Change All My Complex Passwords Now?
Unfortunately, the new standard is just that, new. Not all companies/websites/providers have adopted the new standard, yet. Therefore, you will still be prompted to include symbols and numbers. Hopefully, going forward more websites will adopt this new method of password security in order to make all of our lives easier.