New password guidelines from the National Institute of Standards and Technology suggest the way we've been making passwords isn't as secure as we think. The original set of guidelines was written back in 2003 by Bill Burr, who now regrets much of his advice. His suggestions became the basis for most of today's password requirements, like requiring passwords to be changed frequently and include alphanumeric characters.
But we've learned a lot about computer security since then, and requiring people to make complicated new passwords every 90 days may be making our passwords less secure. Beyond the fact that technology — and password cracking — has advanced, these guidelines didn't consider how users would react to the requirements. While some of us will go out of our way to create the strongest passwords possible, many of us simply meet the minimum requirements. After all, passwords are already hard to remember and no one wants to make it even harder on themselves.
For example, when we're required to use letters, numbers and special characters in a password, many of us will use simple substitutions. So when our password "password" is rejected, we may just turn it into "P4ssword!" These substitutions are well-known and easily guessed, so they do little to secure our accounts. And when we're required to change our passwords regularly, we're likely to change "P4ssword!" into "P4ssword!1" — which is, again, an easily guessed substitution.
The new guidelines stress longer passwords that don't have to be so complicated and should only be changed after a security breach. Here's a rundown of the new requirements:
- Passwords should be 8 to 64 characters, with the guidelines stating that password length is the biggest contributor to password strength.
- All ASCII and Unicode characters should be allowed in passwords, but not required. As we mentioned, requiring such characters simply encourages simple substitutions that don't make passwords stronger.
- Certain passwords should be forbidden, like passwords known to have been previously stolen, simple dictionary words, repetitive or sequential characters (like "aaaaaaaa" or "12345678"), or the name of the service, user, or other account-related information.
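As an added example (not from the article), here is a Python acceptance check that applies the three rules above as a service would at sign-up or password change; the breached-password set and dictionary are small constructed samples standing in for real corpora, and the Unicode normalization step is an assumption drawn from NIST practice, not something this article states. Note that it deliberately has no character-class requirement and accepts a long phrase of plain words.

```python
import unicodedata

# Constructed sample lists for the demo; a real deployment would load a
# breached-password corpus and a dictionary instead (assumption).
BREACHED = {"password", "p4ssword!", "letmein", "qwerty123"}
DICTIONARY = {"password", "welcome", "sunshine", "dragon"}


def _is_repetitive(pw):
    # e.g. "aaaaaaaa": only one distinct character
    return len(set(pw)) == 1


def _is_sequential(pw):
    # consecutive code points stepping by +1 or -1, e.g. "12345678", "abcdefgh"
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps in ({1}, {-1})


def check_password(password, username="", service=""):
    """Return the list of reasons the password is rejected (empty list = accepted).
    Rules mirror the article: 8 to 64 characters, any character allowed but none
    required, and a blocklist of breached passwords, single dictionary words,
    repetitive or sequential strings, and account-related information."""
    # Normalize so visually identical Unicode input compares equal (assumption).
    pw = unicodedata.normalize("NFKC", password)
    reasons = []
    n = len(pw)
    if n < 8:
        reasons.append("shorter than 8 characters")
    if n > 64:
        reasons.append("longer than 64 characters")
    low = pw.casefold()
    if low in BREACHED:
        reasons.append("appears in breached-password list")
    if low in DICTIONARY:
        reasons.append("is a single dictionary word")
    if n and _is_repetitive(pw):
        reasons.append("repetitive characters")
    if n >= 3 and _is_sequential(pw):
        reasons.append("sequential characters")
    for label, ctx in (("username", username), ("service name", service)):
        if ctx and ctx.casefold() in low:
            reasons.append(f"contains {label}")
    return reasons
```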
This gives you a lot more room to make a password that can be easy for you to remember, but hard for others to guess. Under these guidelines, a phrase could make for an excellent password — even if it just uses simple dictionary words, the combination of words and length of the password would make it tough for hackers to crack.
Unfortunately, just because these new guidelines have been released doesn't mean the services that require passwords are going to start following them. Until the internet catches up with these standards, you're stuck creating complicated passwords. Still, that doesn't mean they need to be weak passwords: you can follow NIST's guidelines on your own and use a password manager to help you keep track of your passwords.