Everybody knows the routine: you have to change your password because your IT or technology department is making you. So you go through the process of coming up with something that fits your company's password policy. Let me guess what it is . . . a minimum of seven characters, at least one numeral or special character, and a forced change anywhere from every 30 days to every six months. "This is what was needed to ensure good security," we were all told. Unfortunately, we all knew it was not true. These rules trace back to the National Institute of Standards and Technology (NIST), and in 2017 they received a badly needed upgrade in the form of NIST Special Publication 800-63B.
What you need to know
The best password is still a long (16 or more characters), randomly generated, complex (letters, digits and special characters) and unique password, which is easily accomplished with a password manager (see the previous post on password managers). Those passwords are practically impossible to brute force, but they are also very hard for humans to remember.
The 2017 NIST guidelines have dropped the complexity song and dance. Composition rules create a false sense of security and make it harder for users to create a password. For most users, the complexity requirement is met by adding a "1" or a "!" at the end, or by being super crafty and replacing an "e" with a "3" or an "S" with a "$," substitutions that every cracking application already applies as a standard mangling rule.
The guidelines have also removed the requirement for frequently changing passwords; a change is now required only when there is evidence the password has been compromised. Humans are creatures of habit, and forcing them to change their password results in predictable new passwords (for example from "12345" to "54321"). It also results in users writing their passwords on a Post-it® note and sticking it to their monitors.
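To make the two points above concrete, here is an added example (my code, not from the post or from NIST) of the mangling rules a cracker applies to each dictionary word: case changes, the reversed word (the "12345" to "54321" trick), leet substitutions and common suffixes. The wordlist, the leet table and the suffix list are constructed for illustration; real cracking rule sets and dictionaries are far larger, which only strengthens the point.

```python
import itertools

# Constructed wordlist: a few base words any cracking dictionary contains.
# Real wordlists hold millions of entries.
WORDLIST = ["password", "summer", "welcome", "letmein", "12345"]

# The substitutions users reach for to satisfy a complexity rule, and that
# rule-based crackers (hashcat, John the Ripper) apply automatically.
# Both tables are constructed here as a small, illustrative rule set.
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}
SUFFIXES = [""] + [str(d) for d in range(10)] + ["!", "1!", "!1", "123"]


def leet_variants(word):
    """Yield every way of applying or skipping each leet substitution in word."""
    positions = [i for i, c in enumerate(word) if c in LEET]
    for mask in itertools.product((False, True), repeat=len(positions)):
        chars = list(word)
        for flip, pos in zip(mask, positions):
            if flip:
                chars[pos] = LEET[chars[pos]]
        yield "".join(chars)


def mangle(word):
    """Return the candidate set a rule-based cracker derives from one base word:
    case variants, the reversed word, every leet combination, every suffix."""
    bases = {word.lower(), word.capitalize(), word.upper(), word[::-1]}
    candidates = set()
    for base in bases:
        for variant in leet_variants(base):
            for suffix in SUFFIXES:
                candidates.add(variant + suffix)
    return candidates


def candidates_for(wordlist):
    """All candidates derived from a whole wordlist."""
    out = set()
    for word in wordlist:
        out |= mangle(word)
    return out


def satisfies_legacy_policy(pw):
    """The old-style rule the post describes: 7+ characters and at least one
    digit or special character."""
    return len(pw) >= 7 and any(c.isdigit() or not c.isalnum() for c in pw)


if __name__ == "__main__":
    cands = candidates_for(WORDLIST)
    passing = [c for c in cands if satisfies_legacy_policy(c)]
    print(f"{len(WORDLIST)} words -> {len(cands)} candidates, "
          f"{len(passing)} of which pass the legacy complexity policy")
    # Assumed rate: 1e10 guesses/s, roughly one GPU rig against a fast
    # unsalted hash. A 100,000-word dictionary times this rule set is
    # exhausted in a fraction of a second.
    per_word = len(mangle("password"))
    print(f"100000 words * {per_word} rules / 1e10 guesses/s = "
          f"{100000 * per_word / 1e10:.3f} s")
```

"P@$$w0rd1!" satisfies every legacy composition rule and is still one of a few hundred candidates a cracker derives from the single word "password". The complexity rule multiplied the attacker's work by a small constant, not by a keyspace.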
Finally, the guidelines set the minimum password length at eight characters and require verifiers to accept passwords of at least 64 characters. I feel eight characters is not enough, but it may have been needed for some legacy government systems. Longer passwords are better, and against today's highly optimized GPU password crackers, eight characters is just not enough.
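As an added example (my code, not the post's or NIST's) of the checks the 2017 rules actually call for, and of the arithmetic behind "longer is better": a validator that enforces only length (8 to 64, counted in Unicode code points) plus a blocklist of known-bad passwords, a password-manager-style random generator, and a worst-case brute-force time for 8 versus 16 random characters. The blocklist contents, the 95-character printable-ASCII alphabet and the guess rate of 1e11 per second are assumptions for illustration.

```python
import math
import secrets
import string

# Bounds from the 2017 NIST SP 800-63B guidance described in the post.
MIN_LEN = 8
MAX_LEN = 64  # a verifier must accept at least this many characters

# Constructed stand-in for a blocklist of known-compromised passwords.
# SP 800-63B requires such a check; a real list has millions of entries.
BLOCKLIST = {"password", "password1", "p@ssw0rd", "12345678", "qwertyui", "letmein1"}


def check_password(candidate):
    """Validate a memorized secret under the 2017 rules: length 8..64 counted
    in code points, no composition rules, reject known-bad choices.
    Returns (accepted, reason)."""
    n = len(candidate)  # len() counts code points, so non-ASCII is counted fairly
    if n < MIN_LEN:
        return False, f"too short ({n} < {MIN_LEN})"
    if n > MAX_LEN:
        return False, f"too long ({n} > {MAX_LEN})"
    if candidate.lower() in BLOCKLIST:
        return False, "on the blocklist of known-bad passwords"
    return True, "accepted"


def generate_password(length=20):
    """What a password manager does: draw each character from a CSPRNG over
    the 94 printable non-space ASCII characters."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def keyspace(alphabet_size, length):
    """Number of distinct passwords of exactly this length."""
    return alphabet_size ** length


def bits_of_entropy(alphabet_size, length):
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(alphabet_size, length, guesses_per_second):
    """Worst-case time to try every password of the given shape."""
    return keyspace(alphabet_size, length) / guesses_per_second


if __name__ == "__main__":
    for pw in ["Tr0ub4d", "P@ssw0rd", "correct horse battery staple", generate_password(20)]:
        print(f"{pw!r:40} -> {check_password(pw)}")
    # Assumed rate: 1e11 guesses/s, a fast unsalted hash on a multi-GPU rig.
    rate = 1e11
    year = 365 * 24 * 3600
    for length in (8, 12, 16):
        secs = seconds_to_exhaust(95, length, rate)
        print(f"{length:2d} random printable chars: {bits_of_entropy(95, length):5.1f} bits, "
              f"{secs / year:.3g} years to exhaust at {rate:.0e} guesses/s")
```

At the assumed rate every 8-character printable password falls in under a day, while 16 characters takes on the order of ten trillion years. The validator never asks for a digit or a symbol; "correct horse battery staple" passes on length alone, and "P@ssw0rd" fails because it is a known-bad password, not because it lacks complexity.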
The NIST guidelines make it easier for users to choose better passwords, but users will always complain that coming up with memorable passwords of 16 or more characters is impossible. Here is an easily remembered technique for creating stronger passwords.
Now, if you could only get users to not reuse that password on every site . . . sigh.