{"id":4862,"date":"2017-08-10T12:31:06","date_gmt":"2017-08-10T16:31:06","guid":{"rendered":"http:\/\/peroty.com\/blog\/?p=4862"},"modified":"2017-08-10T12:31:06","modified_gmt":"2017-08-10T16:31:06","slug":"nist-updating-password-recommendations","status":"publish","type":"post","link":"https:\/\/peroty.com\/blog\/shared\/nist-updating-password-recommendations\/","title":{"rendered":"NIST updating password recommendations"},"content":{"rendered":"<h3><a href=\"about:reader?url=https%3A%2F%2Fwww.wsj.com%2Farticles%2Fthe-man-who-wrote-those-password-rules-has-a-new-tip-n3v-r-m1-d-1502124118\">The Man Who Wrote Those Password Rules Has a New Tip: N3v$r M1^d!<\/a><\/h3>\n<p>(Full story is behind the Wall Street Journal&#8217;s pay wall.)<\/p>\n<p>You&#8217;ve used P@ssw0rds like this for years. It&#8217;s what NIST recommended for the Federal Government in 2003 and major corporations and universities picked up the guidance and set their password requirements to match.<\/p>\n<blockquote><p>\n  Mr. Burr, who once programmed Army mainframe computers during the Vietnam War, had wanted to base his advice on real-world password data. But back in 2003, there just wasn\u2019t much to find, and he said he was under pressure to publish guidance quickly.\n<\/p><\/blockquote>\n<p>He looked for some real-world data to see what people were doing.<\/p>\n<blockquote><p>\n  He asked the computer administrators at NIST if they would let him have a look at the actual passwords on their network. They refused to share them, he said, citing privacy concerns.\n<\/p><\/blockquote>\n<p>Given there wasn&#8217;t much research into the field of password security and no real-world password stockpiles to pull from, he did the best he could.<\/p>\n<blockquote><p>\n  With no empirical data on computer-password security to be found, Mr. 
Burr leaned heavily on a white paper written in the mid-1980s\u2014long before consumers bought DVDs and cat food online.\n<\/p><\/blockquote>\n<p>Now there is better password data available. <a href=\"https:\/\/haveibeenpwned.com\/\">Have I Been Pwned<\/a> currently lists 3,999,249,352 accounts from 228 websites. My own data has been breached over a dozen times, including by <a href=\"https:\/\/www.washingtonpost.com\/news\/federal-eye\/wp\/2015\/07\/09\/hack-of-security-clearance-system-affected-21-5-million-people-federal-authorities-say\/\">our own government<\/a>.<\/p>\n<p>The truth about passwords is we&#8217;re bad at passwords. I am terrible at passwords. That&#8217;s why I&#8217;ve used <a href=\"https:\/\/1password.com\/\">1Password<\/a> to keep my passwords secure. I don&#8217;t know most of my passwords because they are nonsense and very long. I know a single master password.<\/p>\n<p>Given this new data, NIST is updating its recommendations, which the government and companies will adopt slowly, as they did the original guidance.<\/p>\n<blockquote><p>\n  Long, easy-to-remember phrases now get the nod over crazy characters, and users should be forced to change passwords only if there is a sign they may have been stolen, says NIST, the federal agency that helps set industrial standards in the U.S.<\/p>\n<p>  Academics who have studied passwords say using a series of four words can be harder for hackers to crack than a shorter hodgepodge of strange characters\u2014since having a large number of letters makes things harder than a smaller number of letters, characters and numbers.\n<\/p><\/blockquote>\n<p>This XKCD comic explains the math behind cracking these types of passwords. I look forward to leaving the P@ssw0rd days behind and welcome the correct horse battery staple.<\/p>\n<p><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/imgs.xkcd.com\/comics\/password_strength.png?w=629&#038;ssl=1\" alt=\"Password requirement comic from XKCD.\" \/><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Man Who Wrote Those Password Rules Has a New Tip: N3v$r M1^d! (Full story is behind the Wall Street Journal&#8217;s pay wall.) You&#8217;ve used P@ssw0rds like this for years. It&#8217;s what NIST recommended for the Federal Government in 2003 and major corporations and universities picked up the guidance and set their password requirements to [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"footnotes":"","jetpack_publicize_message":"New Post - NIST updating password recommendations","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[286],"tags":[1199,32,693],"class_list":["post-4862","post","type-post","status-publish","format-standard","hentry","category-shared","tag-nist","tag-password","tag-xkcd"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/peroty.com\/blog\/wp-json\/wp\/v2\/posts\/4862","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/peroty.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/peroty.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/peroty.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/peroty.com\/blog\/wp-json\/wp\/v2\/comments?post=4862"}],"version-history":[{"count":3,"href":"https:\/\/perot
y.com\/blog\/wp-json\/wp\/v2\/posts\/4862\/revisions"}],"predecessor-version":[{"id":4896,"href":"https:\/\/peroty.com\/blog\/wp-json\/wp\/v2\/posts\/4862\/revisions\/4896"}],"wp:attachment":[{"href":"https:\/\/peroty.com\/blog\/wp-json\/wp\/v2\/media?parent=4862"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/peroty.com\/blog\/wp-json\/wp\/v2\/categories?post=4862"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/peroty.com\/blog\/wp-json\/wp\/v2\/tags?post=4862"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}