Tag: xkcd

NIST updating password recommendations

The Man Who Wrote Those Password Rules Has a New Tip: N3v$r M1^d!

(Full story is behind the Wall Street Journal’s pay wall.)

You’ve used P@ssw0rds like this for years. It’s what NIST recommended for the Federal Government in 2003 and major corporations and universities picked up the guidance and set their password requirements to match.

Mr. Burr, who once programmed Army mainframe computers during the Vietnam War, had wanted to base his advice on real-world password data. But back in 2003, there just wasn’t much to find, and he said he was under pressure to publish guidance quickly.

He looked for some real-world data to see what people were doing.

He asked the computer administrators at NIST if they would let him have a look at the actual passwords on their network. They refused to share them, he said, citing privacy concerns.

Given there wasn’t much research into the field of password security and no real-world password stockpiles to pull from, he did the best he could.

With no empirical data on computer-password security to be found, Mr. Burr leaned heavily on a white paper written in the mid-1980s—long before consumers bought DVDs and cat food online.

Now there is better password data available. Have I Been Pwned currently lists 3,999,249,352 accounts from 228 websites. My own data has been breached over a dozen times, including by our own government.

The truth about passwords is we’re bad at passwords. I am terrible at passwords. That’s why I’ve used 1Password to keep my passwords secure. I don’t know most of my passwords because they are nonsense and very long. I know a single master password.

Given this new data, NIST is updating its recommendations, which will slowly be adopted by the government and companies, just as the original 2003 guidance was.

Long, easy-to-remember phrases now get the nod over crazy characters, and users should be forced to change passwords only if there is a sign they may have been stolen, says NIST, the federal agency that helps set industrial standards in the U.S.

Academics who have studied passwords say using a series of four words can be harder for hackers to crack than a shorter hodgepodge of strange characters—since having a large number of letters makes things harder than a smaller number of letters, characters and numbers.

This XKCD comic explains the math behind cracking these types of passwords. I look forward to leaving the P@ssw0rd days behind and welcome the correct horse battery staple.

Password requirement comic from XKCD.
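To make the comic's arithmetic concrete, here is an added example (not part of the original post or of XKCD) that tallies the entropy of a mangled dictionary word the way the comic does, compares it with a four-word passphrase, and converts both into enumeration time at the comic's assumed 1,000 guesses per second. The word list and the per-decision option counts are constructed for the demo.

```python
import math
import secrets

# Constructed sample list for the demo; real diceware-style lists have 7776 words (12.9 bits each).
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "apple", "river", "cloud", "stone"]

# The comic's tally for "Tr0ub4dor&3": each decision and how many options an attacker must try.
TROUBADOR_CHOICES = {
    "uncommon base word": 2 ** 16,   # ~65k words -> 16 bits
    "capitalisation": 2,             # 1 bit
    "common substitutions": 2 ** 3,  # 3 bits
    "numeral": 2 ** 3,               # 3 bits
    "punctuation": 2 ** 4,           # 4 bits
    "order of suffixes": 2,          # 1 bit
}


def bits_for_space(size: int) -> float:
    """Entropy in bits of one uniformly random choice among `size` options."""
    return math.log2(size)


def passphrase_bits(num_words: int, list_size: int) -> float:
    """Entropy of num_words words chosen independently and uniformly from a list."""
    return num_words * bits_for_space(list_size)


def mangled_word_bits(choices: dict) -> float:
    """Entropy of a 'complex' password built by mangling one dictionary word.

    Independent decisions add their bits, so the total is the sum of log2(options).
    """
    return sum(bits_for_space(n) for n in choices.values())


def crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Time to enumerate the entire space at the given guess rate (worst case)."""
    return 2 ** bits / guesses_per_second


def random_passphrase(num_words: int, words=SAMPLE_WORDS) -> str:
    """Draw words with the CSPRNG; strength comes from the random draw, not the words."""
    return " ".join(secrets.choice(words) for _ in range(num_words))


if __name__ == "__main__":
    rate = 1000  # guesses/second, the comic's assumption for an online attack
    for label, bits in (("Tr0ub4dor&3", mangled_word_bits(TROUBADOR_CHOICES)),
                        ("4 words from 2048", passphrase_bits(4, 2048))):
        print(f"{label}: {bits:.0f} bits, ~{crack_seconds(bits, rate) / 86400:.0f} days")
    print("example passphrase:", random_passphrase(4))
```

The 1,000 guesses per second figure models a throttled online login; against an offline copy of a password hash, rates of billions per second are routine, and 44 bits enumerate in well under an hour, which is why longer phrases or a bigger word list (and a slow password hash on the server) are the defender's answer.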

Dispatch from the Trenches #8

XKCD is the only web comic I’ve managed to be continually challenged and delighted by every single time I read it. Today’s is no exception.

Seven

When you’re finished reading, hold your mouse over the screen and wait for the alt text to appear. It adds to the comic.

Read the Alt Text.


Josh Ginter’s reviews are like tasty roast chicken for the eyes. The photography is beautiful and the writing thoughtful. His latest review of Overcast is one such experience. His views on Overcast mirror my own. I’ve used it since it was released and haven’t looked back. The Smart Speed and Voice Boost features are as indispensable as they are seamless.

Overcast 1

Smart Speed analyzes the downloaded episode and shortens areas of downtime or pauses in speech to speed up listening time. This is handled brilliantly. Conversations sound smoother and less robotic than a generic speed boost option. There is even an indicator in the settings menu to indicate how much time you have saved by using Smart Speed. I would wager Smart Speed alone is worth the in-app purchase.

Voice Boost is equally impressive. Voice Boost also analyzes the downloaded file and boosts areas where speech is quieter. This eliminates the need to manually up the volume when a quiet speaker takes the mic and, generally speaking, makes the whole listening experience easier on the ears.

These two hallmark features are what sell Overcast for me. They are so well executed and act so invisibly that I usually forget I have them turned on.

Overcast 2

Another feature I love is the Twitter-based recommendations.

By recommending a show, Overcast can use your Twitter account to send your recommendations to your followers. Overcast doesn’t tweet on your behalf, but rather reads the recommendations of the people you follow and shoots the results into the “Recommendations from Twitter” section in the podcast directory.

I’ve found some great new podcasts I’d never heard of based on the recommendations from Twitter. I love this app and you’d be nuts not to read Josh’s review. If podcasts aren’t your thing, he takes equal care with the same spectacular photos on his reviews of pens like the TWSBI Diamond 580AL and paper like the Field Notes: Night Sky edition.


So That’s It Then

I was turning right onto James, from Broadway, in Seattle. And I said it, as if I felt like I just pulled off some great heist as I mumbled under my breath: “So, that’s it?”

I struggled with what to say about this piece. Just go read it. It’s a beautiful story.