Who wrote the rule that says that passwords should have “both upper and lower-case letters, a number, and special characters”? And that they should be changed every 90 days? And that it’s OK to verify a password change by asking questions that anyone on Facebook could look up?
Well, that was NIST, the National Institute of Standards and Technology. And they’ve removed those rules. They’re as obsolete as using ‘monkey’ for a password, and that’s good, as the rules and the monkey were both just nonsense.
Anyone who has done the math can tell you that a 16-character password of nothing but lower-case letters is basically one answer in a set that is 26 raised to the 16th power. That’s 4.36 x 10 22, or 401,906,756,202,070,000,000,000,000. Or you can use 6 characters that include that ‘all possible characters’ rule, and that would be around 72 characters, to the 6th power, or 139,314,069,504. That long-but-simple password is 2.8 quadrillion times harder to guess.
This is, of course, based on stupid. Lots of it. Here are the basic assumptions, all wrong:
- Humans can remember super-complex 8-character passwords. Yes, maybe one of them. Not one for each banking site, let alone all the trivial web sites that demand a password.
- Online attackers can try to guess passwords in groups of trillions. They can’t, even on websites dumb enough to allow it; it would stop the ‘Net just from the traffic alone. A badly-built website would allow a few thousand attempts per day before crashing. Brute force guessing isn’t how attacks succeed on properly-configured web sites. Attackers steal your passwords with spyware, or they guess the top 100 most-popular passwords. Like ‘querty’ or ‘password’. They don’t run through every possible letter & number combination; that won’t work.
- Changing passwords on a calendar basis does something useful. Nope. The assumption is that we use the same password everywhere, and once it’s lost, it will be used everywhere else after 90 days. Hackers don’t wait 90 days, and we can’t change passwords daily. But some users do repeat passwords. Don’t do that.
- Asking questions about our own history is security.
Like ‘Pick your old address out of these 4 choices’ I’ve done it; they offered addresses of someone else I know that shares my name, my former address at an apartment, and my parents’ address, where I lived sometime in the prior century. I chose the answer of ‘Skip to next financial institution.’ - And finally, there’s the stupid assumption that attackers know that you mixed letters and numbers.
They don’t, and it changes the math. If you told them, “I only use upper case”, well yes, that speeds up guessing. But they don’t know if you used all available characters, or three of them. Forcing us to use ALL those character types doesn’t add any security–a brute force guessing program won’t know which characters to guess.
OK, so the new rules are sensible, by comparison. They’re here:
https://pages.nist.gov/800-63-3/sp800-63-3.html
Most of it is government lawyer-babble, an extreme case of what they call ‘terms of art’, and it spends a lot of pages on what standards and rules apply to what type of activity.
The recommendations include these items, all sensible:
- Password systems should reject dictionary words as passwords, along with the name of the service, or choosing a user name as the password.
- Passwords should be at least 8 characters, and should be allowed to be as long as 64 characters.
- Passwords will be stored as encrypted data, not as passwords, in a “one-way hash.” That means that a web site will ask for “the password that will encrypt to something we know”. In other words, they couldn’t tell anyone (or you) your password even if they wanted to, only if it matched what was entered when it was created. Not “it’s one letter off”, which is an answer I’ve gotten from a (former) bank, without even asking.
What does this mean for us?
Well, it means that “ZebraInTheCornfield” is a higher-security password than “f0OT6a11”, and it’s easier to remember and to type. And ‘monkey’ isn’t allowed, ever. Choose your passwords accordingly, with phrases of at least 16 characters that are easy to remember, but not something anyone else would know.