Interesting article in the New York Times about why all those crazy password rules have been in place over the years. All those password rules originated from a document called NIST Special Publication 800-63. Back in my security software days, I just to subscribe to every release of the 800 series of documents from the NIST. A lot of business turned on those documents.
Turns out, there wasn’t much basis to those rules. The author did the best he could with the limited data he had available to him and no one objected because, well no one else had studied the subject much either.
There’s probably going to be a lot “I could have told you that a long time ago” from security expert wannabes. And it’s true to some extent. The catch-22 of password rules is that they only prevent a very narrow set of attacks, namely dictionary attacks. But the more rules you have in place, the easier it is for black hats to factor in those rules when they are attacking your password database.
But the fact of the matter is, we create very important policies and procedures, and “conventional wisdom” on less than perfect information every day.
The science is never quite settled.
So what are the new rules now?
According to the article,
The new guidelines, which are already filtering through to the wider world, drop the password-expiration advice and the requirement for special characters, Mr. Grassi said. Those rules did little for security—they ‘actually had a negative impact on usability,’ he said.
Long, easy-to-remember phrases now get the nod over crazy characters, and users should be forced to change passwords only if there is a sign they may have been stolen, says NIST, the federal agency that helps set industrial standards in the U.S.
Academics who have studied passwords say using a series of four words can be harder for hackers to crack than a shorter hodgepodge of strange characters—since having a large number of letters makes things harder than a smaller number of letters, characters and numbers.
I’m glad to say the rules I use and advise people to use still hold up under the new standard
- Pick a base password of at least 14 characters. Can be easy to remember words, but preferably not a phrase that is a well known quote or likely to appear in a book. A nonsense phrase you can easily remember.
for example: whiskey beer wine coke
- Pick a rule that transforms the name of the place you are logging into.
For example: first three characters of the domain name of the site you are logging into
- Pick a rule that transforms the user ID you are logging in with.
For example: second and fourth character of your ID.
So if I am logging into my Facebook account with my firstname.lastname@example.org ID, my password would be
The advantage of this scheme is
- The password is suitably long to thwart brute force attacks
- It’s different for every site and account you use
- You can remember it without writing it down