Widely Used Password Advice Turns Out to Be Wrong, NIST Says

New recommendations from the National Institute of Standards and Technology call for people to create passwords that are "long, easy-to-remember phrases" -- a series of four or five words mashed together.

by Douglas Perry, The Oregonian, Portland, Ore. / August 10, 2017

(TNS) -- Passwords have become the bane of modern life. All of us struggle to remember dozens of them, and our employers often force us to change them regularly.

Now, thanks to a report in the Wall Street Journal, we know who's responsible for our password frustrations. And we have learned -- to our horror -- that it's all so unnecessary.

In 2003, when Bill Burr was a manager at the National Institute of Standards and Technology, he wrote guidelines for creating safe online passwords. The paper, memorably titled "NIST Special Publications 800-63," became the benchmark, its diktats followed by government agencies, corporations, universities and individuals.

Burr recommended creating passwords that were essentially weird nonsense words, chock-full of special characters and occasional capital letters and numbers. He also said people should change their passwords regularly.

But he was wrong, and he admits it. "Much of what I did I now regret," he says.

It wasn't really his fault. At the time, he was mostly flying blind. He had to rely on common sense as much as technical expertise. Now, 15 years later and after major hacks of corporations such as LinkedIn and Twitter, computer analysts have the data to determine which kinds of passwords work and which don't. And so the National Institute of Standards and Technology has radically reworked its guidelines.

The Wall Street Journal article on the subject is well worth reading, but in case you don't have a subscription, here are a few basic takeaways that could make your life a little easier -- if you can get your company's IT department to adopt them:

  • There's no reason for passwords to expire. Your password doesn't become more hackable because it's been in use for more than 180 days. People should only be prompted to change their password if there's a reason to believe it's been stolen or their account has been compromised.
  • You don't need to have special characters or numbers in your passwords. Requiring them doesn't make a password meaningfully harder for hackers to crack.
  • New recommendations from the National Institute of Standards and Technology call for people to create passwords that are "long, easy-to-remember phrases" -- a series of four or five words mashed together. This can be "harder for hackers to crack than a shorter hodgepodge of strange characters." (The Journal article points out that the password "correcthorsebatterystaple" is much more difficult for a hacker to crack than "Tr0ub4dor&3.")
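
The third bullet's "correcthorsebatterystaple" versus "Tr0ub4dor&3" comparison is easy to check with a back-of-the-envelope entropy estimate. The following script is an added example, not code from the article, NIST or the Wall Street Journal; every constant in it (a 7,776-word passphrase list, a 65,536-word attacker dictionary, the "one bit per tweak" model for capitalisation and letter-to-digit swaps, and a guess rate of a billion per second) is a modelling assumption chosen for illustration. The function names are likewise invented here.

```python
# Added example (not from the article or NIST): rough entropy estimates for
# the two password styles the article contrasts. All constants are modelling
# assumptions about what an attacker is willing to enumerate.
import math

WORDLIST_SIZE = 7776        # assumed passphrase word list (Diceware-sized)
DICTIONARY_SIZE = 65536     # assumed attacker dictionary of base words
SYMBOL_COUNT = 33           # printable ASCII that is not a letter or digit
LETTER_COUNT = 26
DIGIT_COUNT = 10


def passphrase_bits(num_words, wordlist_size=WORDLIST_SIZE):
    """Entropy when every word is picked uniformly from the list."""
    return num_words * math.log2(wordlist_size)


def naive_charset_bits(password):
    """What a composition-rule checker credits: length * log2(charset size).

    This is the flattering estimate; it assumes every character was chosen
    uniformly, which is false for a dictionary word with substitutions."""
    charset = 0
    if any(c.islower() for c in password):
        charset += LETTER_COUNT
    if any(c.isupper() for c in password):
        charset += LETTER_COUNT
    if any(c.isdigit() for c in password):
        charset += DIGIT_COUNT
    if any(not c.isalnum() for c in password):
        charset += SYMBOL_COUNT
    return len(password) * math.log2(charset)


def pattern_bits(dictionary_size=DICTIONARY_SIZE, capitalised=True,
                 leet_substitutions=2, trailing_digits=1, trailing_symbols=1):
    """Entropy of 'dictionary word + tweaks' once the attacker models the
    pattern: pick the base word, then each tweak is a small independent choice.
    Defaults describe a password shaped like "Tr0ub4dor&3" (assumed model)."""
    bits = math.log2(dictionary_size)
    if capitalised:
        bits += 1                      # first letter upper-cased or not
    bits += leet_substitutions         # each swap (o->0, a->4) is ~1 bit
    bits += trailing_digits * math.log2(DIGIT_COUNT)
    bits += trailing_symbols * math.log2(SYMBOL_COUNT)
    return bits


def seconds_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try every candidate at the given offline rate."""
    return 2 ** bits / guesses_per_second


def compare(passphrase_words=4, pattern_password="Tr0ub4dor&3",
            guesses_per_second=1e9):
    """Return bit estimates and worst-case search times for both styles.
    The 1e9 guesses/s rate is a constructed figure for an offline attack."""
    naive = naive_charset_bits(pattern_password)
    realistic = pattern_bits()
    phrase = passphrase_bits(passphrase_words)
    return {
        "naive_charset_bits": naive,
        "pattern_bits": realistic,
        "passphrase_bits": phrase,
        "pattern_seconds": seconds_to_exhaust(realistic, guesses_per_second),
        "passphrase_seconds": seconds_to_exhaust(phrase, guesses_per_second),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key:>20}: {value:,.1f}")
```

Under these assumptions the character-class calculation credits "Tr0ub4dor&3" with roughly 72 bits, but an attacker who enumerates "dictionary word plus the usual tweaks" only has to cover about 27 bits, while four random words from a modest list give about 52 bits (five words, about 65). The gap between the first two numbers is the whole story behind the article's advice: composition rules measure the wrong thing, and length from genuinely random words is what actually costs an attacker.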

So there you go. Pick a few phrases and redo your passwords. Now you'll finally be able to throw away that Post-it note that reminds you what your new password is.

©2017 The Oregonian (Portland, Ore.) Distributed by Tribune Content Agency, LLC.