
Redefining “Secure”

Passwords are the first line of defense in any organization’s computer security. In the nineties many people’s first interaction with a password was logging onto Windows (if you bothered with one) or onto an internet service provider’s dial-up connection (PeoplePC, CompuServe, and the like). After that came a first email address or instant messaging account, and that was pretty much all of them. Some very technical people might have used passwords to log onto BBSes or mainframes at work, but those were few and far between.

But as the nineties became the two-thousands, online services added logon after logon, each requiring its own password. As that explosion happened, experts were telling people, regulators, and companies what made a password strong:

  1. Not a dictionary word
  2. A mix of characters (capital, lower case, numbers, and symbols)
  3. Between eight and sixteen characters long
  4. A password you have never used anywhere else
  5. It changes every thirty to one hundred eighty days

These (and other, more technical aspects of password policy) became the standard for how passwords have been designed for over twenty years. They became the standard because the National Institute of Standards and Technology (NIST) set it, in Special Publication 800-63 (2003), written largely by one man: Bill Burr. Federal agencies were bound by it, and the rest of the industry copied it.

However, NIST revised that guidance in June 2017 with Special Publication 800-63-3 (the password rules live in 800-63B). The reasons are varied but come down to one finding: the old rules did not make things more secure. They rested on the flawed assumption that a password would be broken by a human being trying to guess it. If that were how passwords fell, these would not be terrible recommendations.

The reality is that it is not people guessing passwords that gets them breached. Passwords are broken by automated tools, run at millions or billions of guesses per second against stolen password hashes, and those tools do not care about most of those rules. To a computer the ASCII character “a” is 97 in decimal (0x61 in hexadecimal, 01100001 in binary) and “$” is 36 (0x24, 00100100): one byte each, and no harder for the machine to try. A larger character set does enlarge the space of possible passwords, but only when the characters are chosen at random; a human who swaps an “a” for an “@” is making a substitution the cracking tool already has on its list.

Taking the above standards one at a time shows how each of them makes things less secure.

  1. Not a dictionary word

Humans think in language, pictures, and other systematic forms. The idea that you shouldn’t use a dictionary word assumes a human would be the one guessing your password. The new guidelines still reject a single dictionary word (verifiers are told to check new passwords against lists of common words and passwords from previous breaches), but they encourage a “passphrase,” several words strung together in a memorable fashion. More on passphrases later.

  2. A mix of characters (capital, lower case, numbers, and symbols)

Adding special characters makes a password harder for a human to remember, as noted above, but not harder for a computer, which is where the work of breaking passwords takes place. The stated rationale was that drawing from a larger character set enlarges the space an attacker must search. That holds for a password generated at random. It does not hold for the way people actually satisfy the rule: a capital letter at the front, a “1” or “!” at the end, an “@” in place of an “a.” Those substitutions are so predictable that cracking tools ship with them as built-in rules. The one scenario where an unmemorable jumble helps, someone watching you type and trying to recall what they saw, is not how passwords are lost in the real world.

  3. Between eight and sixteen characters long

This part was intended to make passwords long enough to be hard to guess but short enough to be remembered. A random password generator on the internet might give you “X9}&sW0d”. That is eight characters long, the old minimum. Have you memorized it yet? More people would base their password on a word like “dictionary” and get something like “D1c7!0n4rY22”. It looks like the word, but test yourself: look at the password for ten seconds and then cover it up. There are two “i’s” in “dictionary.” Which one became the number one? Which one became an exclamation point? What is the number at the end? Which other letter is capitalized? Maybe you have a good memory and got it right this time. What about tomorrow? Or after a three-day weekend? Now try “sleepkneepassageplay”. Can you remember that after ten seconds? Tomorrow morning? Next week? It is possible you will not forget it for years, having just seen it now. Note that it is twenty characters, longer than the old sixteen-character ceiling allowed; the new guidance asks verifiers to accept passwords of at least sixty-four characters. More on passphrases later.

The insistence on complex passwords with strange characters led people to do bad things with their passwords. Many cheated the system by taking an uncommon word and adding a number to the end, like “Homeward1.” When it came time to reset the password they changed it to “Homeward2.” If a malicious actor learned that “Homeward2” had been your password but it no longer worked, what would they try next? “Homeward3,” then “Homeward4,” and so on until they got in. They could do that by hand in a reasonable amount of time, and cracking tools do it automatically: append digits, swap letters for look-alike symbols, capitalize the first letter, all starting from a plain word list.
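To show what that automation looks like, here is an added example (not code from the original article) of the rule-based guessing that password-cracking tools perform. The word list, the substitution rules, and the “leaked” hashes are all constructed for the demonstration; unsalted SHA-256 stands in for whatever hash a real breach would expose. Run it and it recovers both of the article’s example passwords, “D1c7!0n4rY22” and “Homeward3,” from a four-word list:

```python
import hashlib
import itertools

# Constructed, tiny word list; a real cracking run uses lists with millions of entries.
WORDLIST = ["dictionary", "homeward", "password", "welcome"]

# The substitutions people reach for when a policy demands digits and symbols.
# Crackers ship these as "mangling rules"; each letter may also be left alone.
LEET = {"a": "4", "e": "3", "i": "1!", "o": "0", "s": "5$", "t": "7"}

# Digits people append: a counter after each forced reset, a year, or a lone "1".
SUFFIXES = [""] + [str(n) for n in range(100)]


def case_rules(word):
    """The handful of capitalisation patterns people actually use, in a fixed order."""
    return list(dict.fromkeys([
        word,                                               # as typed
        word[:1].upper() + word[1:],                        # Capitalize first
        word[:1].upper() + word[1:-1] + word[-1:].upper(),  # First and last
        word.upper(),                                       # ALL CAPS
    ]))


def leet_variants(word):
    """Every combination of keeping a letter or swapping it for one of its leet forms."""
    choices = [[ch] + list(LEET.get(ch, "")) for ch in word]
    for combo in itertools.product(*choices):
        yield "".join(combo)


def candidates(wordlist):
    """Yield guesses in the order a rule-based cracker would: word, leet, case, suffix."""
    for word in wordlist:
        for leet in leet_variants(word.lower()):
            for cased in case_rules(leet):
                for suffix in SUFFIXES:
                    yield cased + suffix


def sha256_hex(text):
    """Unsalted SHA-256 stands in for the hash a breach exposes. Real systems should
    use a slow, salted hash (bcrypt, scrypt, Argon2), which raises the cost of each
    guess but does not change which guesses get tried."""
    return hashlib.sha256(text.encode()).hexdigest()


def crack(target_hashes, wordlist=WORDLIST):
    """Return ({hash: plaintext} for every target recovered, number of guesses made)."""
    remaining = set(target_hashes)
    found = {}
    tried = 0
    for guess in candidates(wordlist):
        tried += 1
        digest = sha256_hex(guess)
        if digest in remaining:
            found[digest] = guess
            remaining.discard(digest)
            if not remaining:
                break
    return found, tried


if __name__ == "__main__":
    # Constructed "leaked" hashes of the article's own example passwords.
    leaked = [sha256_hex("D1c7!0n4rY22"), sha256_hex("Homeward3")]
    found, tried = crack(leaked)
    for digest, password in found.items():
        print(f"{digest[:16]}...  ->  {password}")
    print(f"recovered {len(found)} of {len(leaked)} after {tried} guesses")
```

Both passwords fall in well under fifty thousand guesses, a fraction of a second even in Python. Neither the exclamation point, the digits, nor the capital letters cost the attacker anything, because every one of them came from a rule the tool already knew; what the rules cannot reach is a password that is not a single word with decoration.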

Alternatively, people wrote down their overly complex password and stuck it to their monitor, where it was readily available to anyone who walked by, not just the person who was supposed to use it. This writer has personally seen a password displayed in this fashion on the computer of someone whose job included purchasing government equipment; it could easily have been used to buy thousands of dollars’ worth of safety equipment. The security flaw here is, hopefully, apparent.

  4. A password you have never used anywhere else

This part is staying in the NIST recommendations, and the other changes make it easier to follow. Under the old system, with passwords like “Homeward4” and “D1c7!0n4rY22,” using a different one everywhere was near-impossible for most people. It was much easier to have a couple of passwords, maybe one for work and one for personal life if that much variety, and repeat them everywhere. The original recommendations were also written in 2003, when most people entered at most two or three passwords. Now you have two or three just at work, three or four social media accounts, two to five email accounts, your bank(s), your credit card(s), your phone’s App Store or Play Store account, the phone itself, your personal computer(s), tablet(s), wireless router, and so on. At a minimum that is fourteen passwords to remember, an impractical number for anyone. The advantage of the new NIST recommendations is that passwords are easier to remember and thus easier to keep straight without resorting to other, worse practices.

The reason for this rule is that if someone breaches one password, say your personal email, they do not automatically have your banking, work email, and social media passwords as well. You would only need to reset the one email password instead of all fourteen. Attackers count on reuse: the email-and-password pairs from one site’s breach are replayed against other sites automatically, a practice known as credential stuffing.

Another modern help with this problem is the category of software called password managers, such as KeePassX and LastPass. These encrypt and store your passwords, on your computer or online, so you only need to remember one good password for your computer and one good master password to unlock the rest. You can then copy and paste them into whatever system you need, and most will integrate with your browser to fill them in automatically if you want. Since the master password protects everything else, it is the one to make long and unique; the rest can be generated at random by the manager and never memorized at all.

  5. It changes every thirty to one hundred eighty days

I won’t belabor this point more than I have to, but this rule was one of the main causes of the sequential changes and the passwords written on sticky notes. By the time people had memorized their “very good” password they had to change it again, which was simply not a reasonable thing to maintain. NIST now says verifiers should not require periodic changes, and should force a change only when there is reason to believe a password has been compromised.

So how should you come up with passwords now? However you want. Make absurd word strings like “sleepkneepassageplay,” or take a line from a favorite book, speech, song, or poem. One of this writer’s hobbies, for example, is mythology, so a candidate might be the opening line of Homer’s Iliad: “Singogoddessoftheruinouswrathofachillessonofpeleus” (depending on your translation). That is a fifty-character password. Tried character by character it would take a computer an unreasonable amount of time to crack, and short of being printed here it is extremely unlikely that a human would guess it; meanwhile it is completely reasonable to remember from the moment you create it. One caveat: well-known quotations, lyrics, and verses appear in the word lists cracking tools use, so a famous line is only as strong as the number of famous lines an attacker might try, not as strong as fifty random characters. A line from an obscure translation, altered in a way only you would think of, or a string of words picked at random avoids that. (For the record, that is not this writer’s password for anything.)
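How strong is each of these styles against an automated attack? The added example below (not from the original article) estimates the size of the search space for each and how long an attacker would need to exhaust it, assuming ten billion guesses per second, a realistic rate for a GPU rig against a fast, unsalted hash. The sample word list is constructed, the 7776-word list size is the one diceware-style lists use, and the one-million-line size assumed for a corpus of famous quotations is a guess for illustration, not a measured figure:

```python
import math
import secrets

# Constructed sample of a diceware-style word list; the real EFF long list has 7776 entries.
SAMPLE_WORDS = ["sleep", "knee", "passage", "play", "goddess", "wrath", "anvil", "cobalt",
                "lantern", "meadow", "orbit", "quartz", "ripple", "saddle", "timber", "velvet"]
DICEWARE_SIZE = 7776        # assumed list size for the entropy figures (6^5, five dice rolls)
PRINTABLE_ASCII = 94        # what a generator producing something like "X9}&sW0d" draws from
QUOTE_CORPUS = 1_000_000    # assumed number of famous lines in an attacker's quote list (a guess)


def entropy_bits(pool_size, picks):
    """Bits of entropy when each of `picks` items is chosen uniformly from `pool_size`."""
    return picks * math.log2(pool_size)


def time_to_exhaust(bits, guesses_per_second):
    """Seconds to try every candidate in a keyspace of `bits` bits at the given rate."""
    return 2.0 ** bits / guesses_per_second


def random_words(n_words, words=SAMPLE_WORDS):
    """Pick n_words uniformly with the OS CSPRNG; random.choice is not suitable here."""
    return [secrets.choice(words) for _ in range(n_words)]


def random_passphrase(n_words, words=SAMPLE_WORDS):
    """A passphrase in the article's style: random words run together."""
    return "".join(random_words(n_words, words))


def compare(rate=1e10):
    """Entropy (rounded) and exhaustive-search time for each password style at `rate` guesses/s."""
    styles = {
        "8 random printable chars (X9}&sW0d)": entropy_bits(PRINTABLE_ASCII, 8),
        "4 diceware words (sleepkneepassageplay)": entropy_bits(DICEWARE_SIZE, 4),
        "6 diceware words": entropy_bits(DICEWARE_SIZE, 6),
        "50 random lowercase letters": entropy_bits(26, 50),
        # A famous quotation is one pick from a corpus of quotes, however long the line is.
        "50-char famous quotation": entropy_bits(QUOTE_CORPUS, 1),
    }
    return {name: (round(bits, 1), time_to_exhaust(bits, rate)) for name, bits in styles.items()}


def human_time(seconds):
    """Rough, readable duration for the printed table."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.4f} seconds"


if __name__ == "__main__":
    print("example passphrase:", random_passphrase(4))
    for name, (bits, seconds) in compare().items():
        print(f"{name:42s} {bits:6.1f} bits  {human_time(seconds)}")
```

Two things follow from the numbers. Four words picked at random from a 7776-word list carry about the same entropy as eight random printable characters (roughly 52 bits, a few days of work at the assumed rate) while being far easier to remember, and adding two more words pushes the search past any realistic budget. A famous line, however long, is only as strong as the quote list it would appear in; under the assumed corpus size it falls instantly. Anything that generates real passwords should draw from `secrets`, as here, not from the `random` module.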