The Limits of Expert Advice

It’s somewhat heartening to me to find that the security advice I’ve been giving for the last decade has been pretty good. What I’ve advised for selecting passwords has been:

  1. Mixing upper- and lowercase letters and punctuation helps only because it enlarges the set of candidate characters, which makes systematic guessing harder.
  2. There is no empirical evidence that aging passwords for 90 days is more secure than for 120 days or 180 days or even annually.
  3. A long password you can remember is better than a short one, especially a short one that you forget.

That’s what the chap who literally wrote the book on passwords has decided, too, as this Wall Street Journal article reports:

Back in 2003, as a midlevel manager at the National Institute of Standards and Technology, Bill Burr was the author of “NIST Special Publication 800-63. Appendix A.” The 8-page primer advised people to protect their accounts by inventing awkward new words rife with obscure characters, capital letters and numbers—and to change them regularly.

The document became a sort of Hammurabi Code of passwords, the go-to guide for federal agencies, universities and large companies looking for a set of password-setting rules to follow.

The problem is the advice ended up largely incorrect, Mr. Burr says. Change your password every 90 days? Most people make minor changes that are easy to guess, he laments. Changing Pa55word!1 to Pa55word!2 doesn’t keep the hackers at bay.

Also off the mark: demanding a letter, number, uppercase letter and special character such as an exclamation point or question mark—a finger-twisting requirement.

“Much of what I did I now regret,” said Mr. Burr, 72 years old, who is now retired.

In June, Special Publication 800-63 got a thorough rewrite, jettisoning the worst of these password commandments. Paul Grassi, an NIST standards-and-technology adviser who led the two-year-long do-over, said the group thought at the outset the document would require only a light edit.

“We ended up starting from scratch,” Mr. Grassi said.

The new guidelines, which are already filtering through to the wider world, drop the password-expiration advice and the requirement for special characters, Mr. Grassi said. Those rules did little for security—they “actually had a negative impact on usability,” he said.

The key problems are that there is often no empirical evidence to go on, and that the experts frequently aren’t really experts at all, or at least not in the field they’re advising on. Being a mainframe software developer does not make you an authority on security or human behavior.
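To put numbers behind points 1 and 3 in the list above, and behind the Pa55word!1 to Pa55word!2 rotation Mr. Burr describes, here is a small Python illustration I have added; it is not from the post or from NIST. It computes the brute-force search space (log2 of the number of strings of the same length over the same character classes) for a short "complex" password and for a long lowercase passphrase (the xkcd one mentioned in the comments, used here as a constructed sample), and it flags a new password that is only a small edit away from the old one. The bit counts are an upper bound on guessing work, since dictionary words and patterns are far easier to guess than the keyspace suggests; the threshold of two edits in `is_trivial_variant` is my own assumption.

```python
import math
import string

# Standard character classes that a legacy "composition rule" policy demands.
CHARACTER_CLASSES = (
    string.ascii_lowercase,   # 26
    string.ascii_uppercase,   # 26
    string.digits,            # 10
    string.punctuation,       # 32 printable ASCII symbols
)


def alphabet_size(password: str) -> int:
    """Size of the union of standard character classes the password draws from.

    This is the alphabet a systematic (brute-force) search would have to cover.
    """
    return sum(len(cls) for cls in CHARACTER_CLASSES if any(c in cls for c in password))


def search_space_bits(length: int, alphabet: int) -> float:
    """log2 of the number of strings of `length` characters over `alphabet` symbols."""
    return length * math.log2(alphabet)


def brute_force_bits(password: str) -> float:
    """Upper bound on guessing work: bits needed to enumerate every string of the
    same length over the same character classes. Dictionary words and keyboard
    patterns are far weaker than this bound; it measures only the keyspace."""
    return search_space_bits(len(password), alphabet_size(password))


def levenshtein(a: str, b: str) -> int:
    """Edit distance: minimum number of single-character insertions, deletions
    and substitutions that turn a into b (classic two-row dynamic programme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def is_trivial_variant(old: str, new: str, max_edits: int = 2) -> bool:
    """True when the new password is just a small edit of the old one (for
    example a bumped trailing digit). Compared case-insensitively so that
    re-capitalising a character does not count as a real change. The
    max_edits threshold is an assumption, not a NIST figure."""
    return levenshtein(old.lower(), new.lower()) <= max_edits


def compare_policies() -> dict:
    """Constructed samples: the WSJ's Pa55word!1 versus a long lowercase passphrase."""
    complex_short = "Pa55word!1"                 # 10 chars, all four classes
    long_simple = "correcthorsebatterystaple"    # 25 chars, lowercase only
    return {
        "complex_short_bits": brute_force_bits(complex_short),
        "long_simple_bits": brute_force_bits(long_simple),
        "rotation_is_trivial": is_trivial_variant("Pa55word!1", "Pa55word!2"),
    }


if __name__ == "__main__":
    for key, value in compare_policies().items():
        print(f"{key}: {value}")
```

The 25-character lowercase passphrase comes out well above the 10-character password that satisfies every composition rule, which is the whole of point 3, and the one-digit rotation is caught as a trivial variant, which is why expiry-driven rotation buys little. A site enforcing the newer NIST guidance would pair a length minimum with a check against known-breached passwords rather than demanding character classes.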

5 comments
  • sam
  • Andy

    Similar to Sam’s comment, I offer xkcd:

    xkcd: Password Strength

  • TastyBits

    I use a password manager, and with a few exceptions, every username & password is different. I use 20 characters that include the usual upper & lowercase, number, and special characters, and I try to make them 120-bit or higher.

    If a site (or you) does not know it has been compromised, changing passwords is useful. Otherwise, it is pointless. I would use variable length passwords if 64 characters were allowed.

    I also have several Gmail accounts to limit the problem of one of them being compromised.

    I recommend using some type of password manager – a dedicated application, a text document, a spreadsheet, or a piece of paper. I will not use an online password manager. I do not allow Google Chrome to save my passwords online, but I do allow it to store fewer passwords for non-important sites.

    The easiest way to get passwords is through a data breach of a database storing users’ passwords, usernames, and email addresses. Then, you just run the email or username with the password, and the super-duper password you use everywhere is worthless.

    It is possible that somebody is going to hack into your computer, sift through your files to find sensitive data, and try to break the encryption you used, but I doubt it. As to online sites, most will lock the account after a fixed number of tries.

    FYI: I would suggest that you assume any public wifi system is compromised. I realize that the super-duper encryption is unbreakable. At least until it is compromised.

  • steve

    I so hope this is true. Among the things that make me want to consider retiring, passwords are in the top ten on my list.

    Steve

  • Andy

    I use a password manager as well, which my wife and I share. Right now, we have over 300 entries.
