Difficult-to-Hack Passwords are Now Easier to Use
For years we've been told that in order to create strong passwords, we had to jump through all kinds of hoops. We had to use a complex combination of letters, numbers, and special characters; mix uppercase and lowercase letters; avoid words found in the dictionary; and so on. Those guidelines were intended to help users create passwords that would be hard for hackers to guess. Unfortunately, they also made passwords hard for users to remember.
The roots of the rules can be traced back to a document published in 2003 by the National Institute of Standards and Technology (NIST), a government body that promotes innovation and industrial competitiveness. Its Digital Identity Guidelines were responsible for most of the password rules implemented in the last 15 years.
But as of June 2017, that's all out the window. NIST has released updated Digital Identity Guidelines, and they are dramatically different and much easier to follow. This is great news for anyone who has had to hit the "reset password" link too many times to count.
Why the Old Rules Didn't Always Work
It isn't that the old password guidelines didn't make for strong passwords. On the contrary — if you followed all the rules that NIST laid out, your password would be virtually un-hackable. What the authors didn't foresee was how quickly users would cheat to get around them. Take a weak password like "welcome." Since the password checker says to use numbers and special symbols, a user might change it to something like "welcome!123." Those are trivial changes that meet the complexity criteria and keep the password easy to remember, yet they also leave the password very easy to hack.
Because most people used the same tactics to get around password creation rules, before long hackers were writing programs that factored in the common substitutions users made in their passwords. Accounts and systems were being breached more easily and more frequently than ever.
In fact, an analysis of 32 million breached passwords showed that the top 10 most commonly used passwords were strings of consecutive numbers (12345678), numbers and letters (abc123), and common phrases ("iloveyou") [1]. Their shortness and simplicity may have made them easy to remember, but they were also very easy to crack.
A Quick Guide to What's Changed in Password Guidelines
The biggest change in the recommended password rules is the focus on the user experience. NIST's guidelines have gone from being algorithm-centric to being user-centric. Here is what has been dropped and what has been added.
- Gone: the requirement for complex combinations of characters and symbols. Why? Because people were making minor changes to obvious passwords just to meet the minimum requirements.
- Gone: password "hints" and secret questions. Why? The answers were often easy to guess, which weakened authentication.
- Gone: routine password changes every three months. Why? Same as above — users were making only slight changes to existing passwords so they wouldn't have to memorize a new one.
- New: an eight-character minimum length and a 64-character maximum. Why? The longer the password, the more secure it is.
- New: checks that reject common passwords and passwords known to have appeared in a breach. Why? Preventing users from choosing passwords that have already been hacked or stolen reduces their chances of being compromised.
- New: support for all printing characters, including spaces. Why? Users who choose memorable phrases may want to use certain characters and punctuation marks.
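As an added illustration (not code from this article or from NIST), here is a password-acceptance check in Python that applies the new rules above: a length window of 8 to 64 characters, all printing characters and spaces allowed, no composition requirements, and a lookup against a list of common or breached passwords. The blocklist is a small constructed sample; a real deployment would load a much larger one.

```python
import unicodedata
from typing import List

MIN_LEN = 8
MAX_LEN = 64

# Constructed sample of a "common or breached" list. A real verifier would
# load a large corpus; the check below stays the same.
BREACHED = {
    "12345678", "abc123", "iloveyou", "password",
    "welcome", "welcome!123", "qwerty123",
}


def check_password(candidate: str) -> List[str]:
    """Return the reasons a candidate is rejected; an empty list means accepted.

    Deliberately enforces NO composition rules (no required digits, symbols or
    mixed case), matching the updated guidelines.
    """
    reasons: List[str] = []

    # Normalize so that visually identical Unicode spellings are measured and
    # compared the same way before any length or blocklist decision.
    pw = unicodedata.normalize("NFKC", candidate)

    # Length is counted in characters after normalization, not in bytes.
    if len(pw) < MIN_LEN:
        reasons.append(f"shorter than {MIN_LEN} characters")
    if len(pw) > MAX_LEN:
        reasons.append(f"longer than {MAX_LEN} characters")

    # Every printing character and the space are allowed; only Unicode
    # control/format characters (general category starting with "C") are not.
    if any(unicodedata.category(c).startswith("C") for c in pw):
        reasons.append("contains control characters")

    # Blocklist match is case-insensitive so that "Welcome!123" does not
    # slip past a list that contains "welcome!123".
    if pw.casefold() in BREACHED:
        reasons.append("found in list of common or breached passwords")

    return reasons
```

A passphrase such as "my dog likes jam and mustard" passes with no digits or symbols at all, while the "welcome!123" cheat from earlier in the article is rejected by the blocklist rather than by a complexity rule.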
Length is Key to Password Strength
The biggest difference between a weak password and a strong one is length. The longer a password is, the harder it is to crack. Creating long passwords was more challenging before because of all the constraints on password composition.
Under the new guidelines, users can link many words together — and even use spaces — to create a memorable phrase as a password. Something like "mydoglikesjamandmustard" could be quirky enough to remember, but at 23 characters long, it's much harder for a hacker to figure out.
Another good idea is to take the first letter of each word in a memorable sentence and combine those letters to create a password. You can make up your own sentence, use your favorite song title, or take the first sentence from your favorite book. The important thing is to choose something memorable for you, but not obvious to someone else.
The new rules may seem deceptively simple, but they have one main goal: getting people to use longer passwords. By making it easier for you to create a password you'll remember, the new guidelines are creating an incentive to choose a password that will provide stronger protection in the long run.