We’ve Been Creating our Passwords All Wrong – Here’s Why
EXTRA! EXTRA! Stop the presses! This just in – complex passwords are OUT!! PTL! RIP: Password complexity! Throw out your unmemorable passwords! No more mangling your child’s name with abnormal characters! Freedom from the urge to write your password on a sticky note!
So, we’ve been going about this password thing all wrong. And I knew it. Ever since I saw this cartoon, I knew it was right, but for all of my years of training, from Cisco, from Microsoft, from the computer community, from the security community, I couldn’t believe the simplicity of it. And NO ONE else was admitting to it. It is really hard to swim upstream, but here it is!
It’s official: you don’t need to have complex, hard-to-memorize passwords!
YES! You can have a very simple, ALL LOWERCASE password made up of simple words that form a long phrase. “Phonecheesecakepurpletiger” is far harder to crack than “Alic3w0ndErs!” And guess which one is easier to memorize? That’s right, the one made of simple words.
Well, the Wall Street Journal just reported that the creator of the NIST standard that was the cornerstone of the misguided password rules led us astray. After all these years of companies and support personnel losing time resetting forgotten passwords, of no one being able to remember their password, and of all the hassle of having to change them too often, it’s finally all out the door!
NIST has made some huge changes to its guidelines. One particularly pleasing piece of news is that periodic password resets are no longer recommended! Before, it was standard to change your password every 90 days or so to make things difficult for hackers, but all this has done is make things difficult for ourselves. Changing an “S” to a “$” in your already complex password just made it more challenging for you to remember, and small changes like that are exactly what hackers expect, so they don’t make cracking the password any harder. If they could figure out the previous password, the new one will be no different. What DOES make cracking passwords more difficult is length. A string of four random words is harder to crack than a shorter word mixed with symbols and numbers, which is why the minimum password length has been moved to 8 and the maximum as high as 64 characters. Complexity is out, length is in!
Some other changes in NIST’s guidelines include enabling the “show password while typing” feature, not using password hints or knowledge-based authentication, and checking your password against a “blacklist” of commonly used passwords to ensure it isn’t an easy guess.
Not everything has changed; here are some tried-and-true rules you still want to follow:
- You still need completely different passwords for different levels of access. Your computer logon should be at the highest level, along with banking and any other high-profile access you might have, such as patient or client records you deal with on a regular basis. (In fact, on a different topic, two-factor authentication is still strongly advised for those scenarios.) These passwords still need to be different from each other, but you won’t have to change them as often.
- No, you still can’t use your kids’ or pets’ names.
- You shouldn’t need it now, but all of you who wrote your passwords on a sticky note under your computer keyboard: you can part ways with it now!! Freedom from the sticky note!
- You can still roll up your passwords into password-saving software, but the one protecting THAT now needs to be your strongest password.
If you aren’t sure how well your current passwords stack up against these new standards, this website will let you know how you’re doing. After you input your password, this site runs an algorithm to tell you how long it would take a computer to randomly guess your password. If the results from that website are alarming, you can use this random word generator to help you create a new, better password!
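To make the length-versus-complexity argument concrete, and to show the kind of blacklist check NIST describes, here is an added Python example (not from the original post or from the tools linked above): it estimates the guess space for a mangled dictionary word versus four random words, checks a password against a small constructed blacklist after undoing the “S to $” swaps crackers expect, and generates a lowercase passphrase. The word list, blacklist and multiplier sizes are constructed assumptions.

```python
import math
import secrets

# Constructed sample word list; a real generator uses thousands of words.
WORDLIST = ["phone", "cheesecake", "purple", "tiger", "lantern", "river",
            "marble", "comet", "saddle", "velvet", "orbit", "glacier"]
# Constructed blacklist of common passwords; real lists hold millions.
BLACKLIST = {"password", "123456", "qwerty", "letmein", "alicewonders"}
# Symbol/digit swaps that cracking tools undo before a dictionary match.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "$": "s", "@": "a"})

def normalize(password: str) -> str:
    """Undo 'S -> $' style swaps and drop a trailing symbol, so a mangled
    dictionary word is compared the way a cracker would compare it."""
    return password.translate(LEET).lower().rstrip("!?.#*&")

def is_blacklisted(password: str) -> bool:
    """True if the password, as typed or de-mangled, is a common one."""
    return password.lower() in BLACKLIST or normalize(password) in BLACKLIST

def words_entropy_bits(n_words: int, list_size: int) -> float:
    """Guess-space size (in bits) for n words chosen uniformly at random."""
    return n_words * math.log2(list_size)

def mangled_word_entropy_bits(dict_size: int = 100_000, case_patterns: int = 4,
                              swap_patterns: int = 16, suffixes: int = 33) -> float:
    """Space a cracker searches for a 'complex' password built by mangling one
    dictionary word: word x casing x leet swaps x trailing symbol. The
    multiplier sizes are assumptions, set on the large side to favor it."""
    return math.log2(dict_size * case_patterns * swap_patterns * suffixes)

def seconds_to_crack(bits: float, guesses_per_second: float) -> float:
    """Expected time to search half the space at an assumed guessing rate."""
    return (2 ** bits / 2) / guesses_per_second

def generate_passphrase(n_words: int = 4) -> str:
    """All-lowercase passphrase drawn with a CSPRNG, as the post recommends."""
    return "".join(secrets.choice(WORDLIST) for _ in range(n_words))

if __name__ == "__main__":
    rate = 1e4  # assumed online guessing rate; offline cracking is far faster
    for label, bits in [("Alic3w0ndErs!-style", mangled_word_entropy_bits()),
                        ("four random words", words_entropy_bits(4, 7776))]:
        years = seconds_to_crack(bits, rate) / 31_557_600
        print(f"{label}: {bits:.1f} bits, ~{years:.3g} years at {rate:g}/s")
    print("blacklisted?", is_blacklisted("Alic3w0ndErs!"), "|", generate_passphrase())
```

The 7776 in the comparison is the size of a standard diceware-style word list; swap in your own list size to see how the estimate moves.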
Now, be warned: this doesn’t mean that every system out there is going to let you off the hook. Heck, some websites don’t even allow a 10-character password. We must have patience; it is going to take a lot of time for this truth to change systems. But there’s a N3w H0pe….
If you still have any concerns or questions regarding your passwords, we encourage you to contact us through our website or call us at 518-320-8906. Cybersecurity is one of our specialties, and we are here to help keep your information secure and safe.