
Widely Used Password Advice Turns Out to Be Wrong, NIST Says

New recommendations from the National Institute of Standards and Technology call for people to create passwords that are "long, easy-to-remember phrases" -- a series of four or five words mashed together.

(TNS) -- Passwords have become the bane of modern life. All of us struggle to remember dozens of them, and our employers often force us to change them regularly.

Now, thanks to a report in the Wall Street Journal, we know who's responsible for our password frustrations. And we have learned -- to our horror -- that it's all so unnecessary.

In 2003, when Bill Burr was a manager at the National Institute of Standards and Technology, he wrote guidelines for creating safe online passwords. The paper, memorably titled "NIST Special Publication 800-63," became the benchmark, its diktats followed by government agencies, corporations, universities and individuals.

Burr recommended creating passwords that were essentially weird nonsense words, chock-full of special characters and occasional capital letters and numbers. He also said people should change their passwords regularly.

But he was wrong, and he admits it. "Much of what I did I now regret," he says.

It wasn't really his fault. At the time, he was mostly flying blind. He had to rely on common sense as much as technical expertise. Now, 15 years later and after major hacks of corporations such as LinkedIn and Twitter, computer analysts have the data to determine which kinds of passwords work and which don't. And so the National Institute of Standards and Technology has radically reworked its guidelines.

The Wall Street Journal article on the subject is well worth reading, but in case you don't have a subscription, here are a few basic takeaways that could make your life a little easier -- if you can get your company's IT department to adopt them:

  • There's no reason for passwords to expire. Your password doesn't become more hackable because it's been in use for more than 180 days. People should only be prompted to change their password if there's a reason to believe it's been stolen or their account has been compromised.
  • You don't need to have special characters or numbers in your passwords. Using them doesn't make it harder for hackers.
  • New recommendations from the National Institute of Standards and Technology call for people to create passwords that are "long, easy-to-remember phrases" -- a series of four or five words mashed together. This can be "harder for hackers to crack than a shorter hodgepodge of strange characters." (The Journal article points out that the password "correcthorsebatterystaple" is much more difficult for a hacker to crack than "Tr0ub4dor&3.")

So there you go. Pick a few phrases and redo your passwords. Now you'll finally be able to throw away that Post-it note that reminds you what your new password is.
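The three takeaways above map directly onto rules in the revised guideline, NIST SP 800-63B: a minimum length of 8 characters, no composition rules, acceptance of long passphrases (verifiers must allow at least 64 characters), and a check against a list of commonly used or previously breached values instead of forced expiry. The following is an added example, not code from the article or from NIST, showing such a check alongside a simple guess-space estimate that explains why the passphrase beats the "hodgepodge". The blocklist, the 2048-word passphrase list, the 32-symbol count and the attacker-model parameters in `mangled_word_bits` are assumptions chosen for illustration.

```python
import math

# Constructed stand-in for the list of "commonly used, expected, or compromised"
# values that SP 800-63B says a verifier must reject. Real deployments use a
# breach corpus of millions of entries; these five are assumptions.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "tr0ub4dor&3"}

MIN_LEN = 8    # SP 800-63B minimum for a user-chosen memorized secret
MAX_LEN = 64   # SP 800-63B: verifiers must accept at least 64 characters


def check_password(candidate: str):
    """Return (accepted, reason). Length and blocklist only: no special-character
    or digit requirement, and nothing here ever expires a password."""
    if len(candidate) < MIN_LEN:
        return False, "too short"
    if len(candidate) > MAX_LEN:
        return False, "too long"
    # Case-insensitive comparison so trivial capitalisation does not evade the list.
    if candidate.lower() in BLOCKLIST:
        return False, "on blocklist"
    return True, "ok"


def passphrase_bits(n_words: int, wordlist_size: int) -> float:
    """Guess space of a passphrase of n_words drawn at random from a wordlist."""
    return n_words * math.log2(wordlist_size)


def brute_force_bits(password: str) -> float:
    """Naive full-charset estimate (what most password meters report).
    Assumes 32 printable symbols; overstates strength when the password is
    really a dictionary word with substitutions."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 32
    return len(password) * math.log2(size)


def mangled_word_bits(dictionary_size: int = 65536, substitution_bits: float = 3,
                      capitalisation_bits: float = 1, digits: int = 1,
                      symbols: int = 1) -> float:
    """Attacker model for a 'Tr0ub4dor&3'-style password: one dictionary word,
    a few common letter-to-digit substitutions, optional capitalisation, and an
    appended digit and symbol in either order. All parameters are assumptions."""
    return (math.log2(dictionary_size)
            + substitution_bits
            + capitalisation_bits
            + digits * math.log2(10)
            + symbols * math.log2(32)
            + 1)  # one bit for which of digit/symbol comes first


if __name__ == "__main__":
    for pw in ["short", "Tr0ub4dor&3", "correcthorsebatterystaple"]:
        print(pw, check_password(pw))
    # Four words from a 2048-word list: 44 bits regardless of the attacker's model.
    print("passphrase bits:", passphrase_bits(4, 2048))
    # The hodgepodge looks like ~72 bits to a meter but ~29 bits to a dictionary
    # attack that knows how people mangle words.
    print("meter estimate :", round(brute_force_bits("Tr0ub4dor&3"), 1))
    print("attacker model :", round(mangled_word_bits(), 1))
```

The point the numbers make is that strength is measured against how attackers actually guess, not against the size of the character set: the substituted word collapses to under 30 bits under a dictionary-plus-mangling attack, while four random words from a modest list hold 44 bits no matter what the attacker knows about the scheme.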

©2017 The Oregonian (Portland, Ore.) Distributed by Tribune Content Agency, LLC.
