Isn’t it fun to use different passwords for all of the dozens of accounts you use and just when you think you’ve got them memorized you’re forced to change them every few months? I don’t doubt that there are folks out there who appreciate the mental challenge, but for most of us it’s added to the list of minor annoyances in our daily lives.
Well, let me share some good news. The standards on password usage are changing. Bill Burr (not the comedian) came up with the original National Institute of Standards and Technology (NIST) publication in 2003, which gave guidance to developers on how to structure identity authentication for users of a system. However, Burr didn’t have fifteen years of real-world data on computer/network security to use as a basis for the standards, so he had to rely on a 1980s whitepaper to create guidelines for the 21st century. Over the last decade we’ve amassed tons of data illustrating what does and doesn’t keep our records secure. Government offices are increasingly providing more services online, such as bill payment and access to information, so it’s important for us to be familiar with and share best practices for securing information and protecting identity.
Past ‘Best’ Practices
Before I tell you about the new standards, let’s look at some of the best practices we’ve come to know for password usage in most systems. I consider myself fairly tech-savvy, so over the course of the last decade I’ve learned how to follow some of the best password creation techniques for nearly all of my personal and professional accounts. This Lifehacker article from 2014 lists one of the methods I’ve used for several years:
- Use a memorable sentence or phrase and use abbreviations and special characters to spell out a password. Like this: TxRecBi#1! = Texas Record Blog Is Number One!
These days, the requirements for creating an account with any retailer or service usually include a minimum of 8 characters, upper and lowercase letters, and at least one numeral and one special character. So even if you don’t come up with a clever phrase to abbreviate, you still have to use a combination of letters, numbers, and punctuation in order to access your account.
It’s no wonder that password management software has become a popular and reliable tool for many people who just want to remember one master password rather than dozens of them. I personally haven’t used a password manager because I’d likely forget the master password, and then be locked out of everything until I reset it.
We’ve also gotten used to having to set up answers to security questions so that we can recover our password if we forget it. Usually it’s something like “What is your maternal grandmother’s middle name?” or “What is the street name of your childhood home?” I recently noticed a unique security question on my gym app that made me laugh: “What is the name of the city where you got lost?”
And, of course, just as soon as you’ve got a complicated password memorized, the system forces you to change it, and sometimes you cannot reuse a password you’ve previously used.
So, despite requiring the memorization of multiple passwords with creative structure, and asking personal questions before allowing a password reset, people have continued to have their passwords hacked. Computer security experts have come to realize that the methods we’ve been relying on have basically failed to protect our records and identity. If you’re a fan of nerdy web comics, this XKCD panel about password strength sums it up nicely: https://xkcd.com/936/.
New Best Practices
The new NIST guidelines direct systems and application developers to incorporate authentication methods that result in users having passwords that are statistically harder to crack. Specifically, the NIST publication refers to ‘memorized secrets’, which are defined as “a type of authenticator comprised of a character string intended to be memorized or memorable by the subscriber, permitting the subscriber to demonstrate something they know as part of an authentication process.” The new guidelines aim to make it easier for users to create secure passwords that are easier to remember but harder for a hacker’s algorithm to guess.
Many of the new guidelines for password authentication contrast with the password usage rules that we’ve been following:
- Minimum of 8 characters, but they more strongly recommend requiring a minimum of 64 characters. So, essentially, we’ll be creating more of a passphrase than a password.
- Passwords will no longer be required to have a mixture of upper and lowercase characters with numerals and special characters interspersed. Data has shown that those requirements made it overly complex for the average user to create a password, and actually made passwords easier for identity thieves to crack.
- No more security questions or hints to recover the password. Storage of additional personal information hasn’t done much to protect access to the account, and users end up having to reset the password regardless.
- No more requirement to change the password periodically as a matter of routine, but the user should be made to change their password if there’s any evidence of the account being compromised.
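To make the contrast concrete, here is an added example (not code from the original post or from NIST) that puts the two policies side by side on the verifier’s side: a legacy checker with the composition rules described above, and a checker following the new guidance, which enforces a minimum length, accepts long passphrases (at least 64 characters, capped at an assumed 128), allows spaces and any printable character, imposes no composition rules, and rejects entries found on a list of commonly used or previously compromised passwords (a check SP 800-63B recommends; the short blocklist below is a constructed sample, not a real breach corpus). It also models the rotation rule: the legacy policy forces a change on a calendar, the new one only on evidence of compromise.

```python
"""Legacy composition-rule password policy vs. a NIST-style length-and-blocklist
policy.  Example code written for this post; the blocklist and all sample
passwords are constructed illustrations, not real data."""
import re
import unicodedata
from datetime import date, timedelta

# Constructed sample of common / previously compromised passwords.  A real
# deployment would load a large breach corpus instead of this handful.
BLOCKLIST = {"password", "password1", "123456", "qwerty", "letmein", "welcome1"}

LEGACY_MIN_LEN = 8
NEW_MIN_LEN = 8
NEW_MAX_LEN = 128   # assumption: must be at least 64 so long passphrases are accepted
ROTATION_DAYS = 90  # the "change it every few months" rule of the legacy policy


def legacy_policy(pw: str) -> list[str]:
    """Old-style rules; returns the list of rules the password fails."""
    failures = []
    if len(pw) < LEGACY_MIN_LEN:
        failures.append("shorter than 8 characters")
    if not re.search(r"[A-Z]", pw):
        failures.append("no uppercase letter")
    if not re.search(r"[a-z]", pw):
        failures.append("no lowercase letter")
    if not re.search(r"[0-9]", pw):
        failures.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", pw):
        failures.append("no special character")
    return failures


def new_policy(pw: str) -> list[str]:
    """NIST-style rules: length bounds plus a blocklist check, no composition
    requirements, and any printable character (including spaces) allowed."""
    # Normalise Unicode so visually identical secrets compare equal.
    pw = unicodedata.normalize("NFKC", pw)
    failures = []
    if len(pw) < NEW_MIN_LEN:
        failures.append("shorter than 8 characters")
    if len(pw) > NEW_MAX_LEN:
        failures.append(f"longer than {NEW_MAX_LEN} characters")
    # Compare case-insensitively with whitespace stripped so a trivial variant
    # of a blocklisted word ("Password 1") is still caught.
    if re.sub(r"\s+", "", pw).lower() in BLOCKLIST:
        failures.append("appears on the compromised/common password list")
    return failures


def evaluate(pw: str) -> dict[str, bool]:
    """Does the password pass each policy?"""
    return {"legacy_ok": not legacy_policy(pw), "new_ok": not new_policy(pw)}


def must_change(last_set: date, today: date, compromise_evidence: bool,
                legacy: bool) -> bool:
    """Legacy: rotate on a schedule or on compromise.  New: only on compromise."""
    if legacy:
        return compromise_evidence or (today - last_set) >= timedelta(days=ROTATION_DAYS)
    return compromise_evidence


if __name__ == "__main__":
    # Constructed sample inputs, including the post's own abbreviation example.
    for sample in ["TxRecBi#1!", "correct horse battery staple", "Password 1", "Tx1!"]:
        print(f"{sample!r:32} {evaluate(sample)}")
        print(f"{'':32} legacy fails: {legacy_policy(sample)}")
        print(f"{'':32} new fails:    {new_policy(sample)}")
    print("legacy forces change after 152 days:",
          must_change(date(2024, 1, 1), date(2024, 6, 1), False, legacy=True))
    print("new policy forces change after 152 days:",
          must_change(date(2024, 1, 1), date(2024, 6, 1), False, legacy=False))
```

Running it shows the point of the guidelines: the four-word passphrase fails the legacy rules (no uppercase, no digit) but passes the new ones, while “Password 1” satisfies every composition rule yet is rejected by the new policy because it is a trivial variant of a blocklisted password.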
So it’ll be good to see these new guidelines roll out into the real world, but I’m assuming it’ll take a few years before all of the systems I currently use catch up. The next time you have to create a new password or help a customer reset theirs, try using the new guidelines for extra data protection.