NIST updating password recommendations

The Man Who Wrote Those Password Rules Has a New Tip: N3v$r M1^d!

(Full story is behind the Wall Street Journal’s pay wall.)

You’ve used P@ssw0rds like this for years. It’s what NIST recommended for the Federal Government in 2003 and major corporations and universities picked up the guidance and set their password requirements to match.

Mr. Burr, who once programmed Army mainframe computers during the Vietnam War, had wanted to base his advice on real-world password data. But back in 2003, there just wasn’t much to find, and he said he was under pressure to publish guidance quickly.

He looked for some real-world data to see what people were doing.

He asked the computer administrators at NIST if they would let him have a look at the actual passwords on their network. They refused to share them, he said, citing privacy concerns.

Given there wasn’t much research into the field of password security and no real-world password stockpiles to pull from, he did the best he could.

With no empirical data on computer-password security to be found, Mr. Burr leaned heavily on a white paper written in the mid-1980s—long before consumers bought DVDs and cat food online.

Now there is better password data available. Have I been Pwned currently lists 3,999,249,352 accounts from 228 websites. My own data has been breached over a dozen times including by our own government

The truth about passwords is we’re bad at passwords. I am terrible at passwords. That’s why I’ve used 1Password to keep my passwords secure. I don’t know most of my passwords because they are nonsense and very long. I know a single master password.

Given this new data, NIST is updating its recommendations which will slowly be adopted by the government and companies as it did originally.

Long, easy-to-remember phrases now get the nod over crazy characters, and users should be forced to change passwords only if there is a sign they may have been stolen, says NIST, the federal agency that helps set industrial standards in the U.S.

Academics who have studied passwords say using a series of four words can be harder for hackers to crack than a shorter hodgepodge of strange characters—since having a large number of letters makes things harder than a smaller number of letters, characters and numbers.

This XKCD comic explains the math behind cracking these types of passwords. I look forward to leaving the P@ssw0rd days behind and welcome the correct horse battery staple.

Password requirement comic from XKCD.