A “secure password”— many data security experts would argue that it’s an oxymoron.
For the longest time, passwords have been considered an extremely weak and easy to crack form of authentication, even if you don’t take into account the fact that the most popular password in the world is still ‘123456’.
Over the last couple of decades, customers have been forced to set increasingly complex passwords. To log in to an Adobe account, your password must:
1) Be 8 characters long
2) Include at least one alphanumeric character
3) Include at least one symbol
4) Include a mix of upper and lower case characters
Which is just ridiculous. And probably not very helpful— we’re willing to bet that P@ssword123 is probably somewhere at the top of their most used passwords list.
But the biggest problem with passwords like that? They are easy to forget, as perfectly described in this XKCD comic strip:
The good news is, the days of our days of struggling with passwords may soon be over, thanks to a new set of guidelines being published by the United States National Institute for Standards and Technology (NIST).
NIST has put together a list of best practices for password protection, and the policies will soon be used by the US government.
Here are some of the more interesting changes they are putting into effect:
8 character minimum, 64 character max
A longer password is a safer password. Pretty straightforward.
The average user probably won’t want to use a password that’s almost half the maximum length of a tweet, but the key thing to bear in mind is that, if they want to, they can.
Ban all the common passwords
NIST wants to create a dictionary of the most common passwords used, and disallow users from picking anything from that list. They are currently planning on creating a dictionary of about 100,000 entries.
One problem they are aware of, though, is that users may try and cheat the dictionary system. For example, if iloveyou is a common password that’s banned, a user may just try and use iloveyou1 to circumvent that.
🙂 (-_-) ^____^
Currently, the character set that users can choose to create their passwords from contains about 90 characters. NIST would like to change that to include all printable ASCII characters, and possibly even include emojis.
Hints & Knowledge-based authentication (KBA)
So you’ve picked the most difficult password in the world, and then forgot it. That’s not a problem, as long as you know your mother’s maiden name, or the answer to whatever question you set when you registered your account. It also won’t be a problem for anyone else who might happen to know the answer, or who could make a lucky guess.
Brian Krebs reported recently that United Airlines employs this form of authentication, to horrible effect. It’s a great article if you want to learn more about why KBA doesn’t work, or hear more about how mashed potatoes are apparently a pizza topping.
Conclusion: It’s All About The Users
Every change being employed is in line with a set of very simple guiding principles, that are all about making passwords user friendly. Forcing users to use arbitrary safeguards only invites them to try and cheat the system. Instead NIST is aiming to put burdens on the verifier rather than the user wherever possible.
Passwords are not the most secure safeguard, not by a longshot. But until we can come up with a better solution, it’s all we’ve got, and it’s imperative we learn to make it work.