By now, most of us are familiar with the standard advice for strong passwords: use a mix of letters, numbers and special characters. We have also grown used to systems that make us change those passwords at fixed intervals, say every 90 days. Much of this advice traces back to Appendix A of NIST Special Publication 800-63 (the 2003 edition), and its author, Bill Burr, recently offered some updated commentary:
He got it wrong.
That string of letters, numbers and special characters is aggravating and hard to remember, and Burr says that is one of the big problems with his 14-year-old guidance. Users asked to recall several complex passwords end up reusing the same one everywhere, despite warnings against doing so.
And when forced to change a password, many users make only a minimal edit, such as replacing a 1 with a 2. The problem? Attackers know these habits and exploit them routinely: once one password leaks, guessing the incremented variant is trivial, and password-cracking tools apply exactly such mutation rules automatically.
So, what’s a better option?
The New Rule for Strong Passwords
Paul Grassi, a senior standards and technology adviser at the National Institute of Standards and Technology and lead author of the 2017 revision (Special Publication 800-63B), has offered new guidance to people wondering how to construct their passwords.
Instead of complicated character patterns, the new rules favor long passwords made of several words. Length is what makes them harder to guess or brute-force, since every added word multiplies the number of candidates an attacker must try, yet a string of familiar words, BananaOrbitAppleTilapia for example, is far easier for a user to recall. The caveat is that the words should be picked at random rather than taken from a song lyric or well-known phrase, which guessing tools already know. Memorable passwords mean less need to write them down (where they can be stolen) or to reuse them across sites (where one breach opens several accounts).
Businesses and other organizations whose password policies are based on the outdated guidance should move quickly to bring them up to date. In practice that means dropping mandatory character classes and scheduled expiry, setting a length floor of at least 8 characters while accepting long passphrases, and screening new passwords against lists of commonly used or compromised ones, as the 2017 revision recommends. It could also mean adopting the suggested passphrase construction or a password manager. Training on the new rules should be part of the security awareness curriculum, and identity management systems should be reconfigured to match.
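To make the shift from the old rules to the new ones concrete, here is an added example (not code from the original article or from NIST) that puts a 2003-style composition checker beside a verifier written in the spirit of SP 800-63B, and works through the guess-space arithmetic behind the "length beats complexity" argument in the construction section above. The compromised-password list, the word list, the account name, the sample passwords and the 128-character cap are constructed for illustration; the 7,776-word figure is the size of a standard diceware list.

```python
"""Added example, not from the original article or from NIST: an old-style
composition policy next to a verifier following the updated SP 800-63B
guidance, plus the guess-space arithmetic for passwords vs. passphrases.
Blocklist, word list, sample passwords and account name are constructed."""
import math
import secrets
import string
import unicodedata
from typing import List, Optional

# Constructed stand-in for a real blocklist of breached/common passwords.
# A production verifier would load millions of entries from a breach corpus.
COMPROMISED = {
    "password", "password1", "p@ssw0rd", "p@ssw0rd1", "qwerty123",
    "letmein!", "summer2017", "welcome1",
}

# Constructed tiny word list; a real generator would use a large list such as
# a 7,776-word diceware list (assumption: simple, distinct, lower-case words).
WORDS = ["banana", "orbit", "apple", "tilapia", "copper", "meadow", "violin", "glacier"]

MAX_LEN = 128  # local choice; 800-63B only requires accepting at least 64 chars


def old_policy(pw: str) -> Optional[str]:
    """The rules most corporate policies copied from the 2003 guidance:
    at least 8 characters drawn from all four character classes.
    Returns None when accepted, otherwise the reason for rejection."""
    if len(pw) < 8:
        return "too short"
    has = (
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    )
    if not all(has):
        return "must mix upper, lower, digit and symbol"
    return None


def new_policy(pw: str, username: str = "") -> Optional[str]:
    """Verifier checks in the spirit of SP 800-63B: a length floor, room for
    long passphrases, no composition rules, and rejection of values that are
    known-compromised or tied to the account. No periodic change is required."""
    # 800-63B recommends Unicode normalization so the same passphrase typed on
    # different platforms compares equal; length is counted after normalizing.
    pw = unicodedata.normalize("NFKC", pw)
    if len(pw) < 8:
        return "too short (minimum 8 characters)"
    if len(pw) > MAX_LEN:
        return f"too long (limit {MAX_LEN} characters)"
    lowered = pw.lower()
    if lowered in COMPROMISED:
        return "appears in a list of compromised passwords"
    if username and username.lower() in lowered:
        return "contains the account name"
    return None


def guess_space_bits(alphabet_size: int, length: int) -> float:
    """log2 of the number of equally likely secrets, i.e. the work an attacker
    faces when every position is chosen uniformly at random. For a passphrase
    the 'alphabet' is the word list and the 'length' is the word count."""
    return length * math.log2(alphabet_size)


def make_passphrase(words: List[str], count: int = 4, sep: str = "") -> str:
    """Pick words with the secrets module (CSPRNG), not random.choice, so the
    guess-space figure above actually applies to the result."""
    return sep.join(secrets.choice(words).capitalize() for _ in range(count))


def compare(pw: str, username: str = "") -> dict:
    """Run both policies on one candidate for a side-by-side comparison."""
    return {"old": old_policy(pw), "new": new_policy(pw, username)}


if __name__ == "__main__":
    for candidate in ("P@ssw0rd1", "BananaOrbitAppleTilapia", "alice2017!"):
        print(candidate, compare(candidate, username="alice"))
    # 8 printable-ASCII characters vs. 4 or 5 random words from 7,776
    print("8 chars from 95 symbols:", round(guess_space_bits(95, 8), 1), "bits")
    print("4 words from 7776:", round(guess_space_bits(7776, 4), 1), "bits")
    print("5 words from 7776:", round(guess_space_bits(7776, 5), 1), "bits")
    print("generated:", make_passphrase(WORDS))
```

Two things stand out when it runs. P@ssw0rd1 sails through the old composition rules and is rejected by the new verifier purely because it sits on the blocklist, while BananaOrbitAppleTilapia fails the old rules for lacking a digit and a symbol and is accepted by the new ones. The arithmetic also shows that four truly random words from a 7,776-word list (about 51.7 bits) roughly match eight random printable characters (about 52.6 bits), and a fifth word (about 64.6 bits) pulls clearly ahead; the passphrase only earns that figure if the words are chosen with a CSPRNG rather than from a phrase the user already knows.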