At last!!!  A good reason not to create dozens of hard-to-remember passwords!  The updated National Institute of Standards and Technology guidance on creating passwords has been out for a while now, but the word has been slow in trickling down to end users.  It’s time to pay attention, because the recommendations represent a huge departure from standard practice.  First, the good news:

The good

NIST is part of the US Department of Commerce and an authoritative standards-making body.  It is the entity that wrote the primer on how to create all those complex and hard-to-remember passwords in the first place. You know, passwords like *Pa$$w)rd3!  NIST now acknowledges through this publication that the old rules affected usability negatively. It also turns out that passwords composed of a few common words strung together are far stronger than upper-lower-numbers-characters passwords, so the old way was less secure than we thought.

It’s big news then that NIST has seen the error of its ways and now recommends creating passwords we can remember.  Even more important, it also now recommends that a password not be changed unless there is an indicator it has been compromised or forgotten by the user.  Of course, being the government, calling a password a password is just too hard.  The term in NIST SP800-63B 2017 is “Memorized Secret Authenticator.”  Whatever you choose to call it, user guidance is simple:

  • Passwords should be at least 8 characters in length
  • Passwords may be as long as 64 characters in length
  • All printable ASCII characters and UNICODE characters may be used, including spaces (and emojis)

The not-so-good news

The sticking point is that most of the guidance is for the “verifiers,” in other words, the sites and companies that require your password to access their services.  Consequently, it will take quite a while before these recommendations are implemented in their log-in scripts and web interfaces. Until they are, you’ll need to follow each site’s current rules regarding format and frequency of change. The new guidance for verifiers suggests they:

  • Should require passwords to be between 8 and 64 characters
  • Should not impose composition rules like mixing upper and lower case, special characters, and so on
  • Should offer password-strength meters
  • Should restrict the number of failed attempts at entering a password
  • Should not require passwords to be changed arbitrarily or periodically
  • Should allow for copy and paste functionality to support use of password manager programs

There are also other, more technical suggestions regarding how verifiers store and protect your passwords.
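To make the verifier-side rules concrete, here is an added example (not code from NIST or from this post) of what the acceptance check looks like under the old composition rules versus the length-only rule, plus a failed-attempt limiter. The lockout threshold of five attempts and the PBKDF2 storage scheme are assumptions for illustration; the page gives neither. One practical caveat it demonstrates: once spaces and emoji are allowed, "8 to 64 characters" has to be counted in Unicode code points, because a UTF-8 byte count makes every emoji look like four characters.

```python
"""Verifier-side password checks (added example, not from the original post)."""
from __future__ import annotations
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field

MIN_LEN = 8        # "between 8 and 64 characters"
MAX_LEN = 64
MAX_FAILED = 5     # assumed lockout threshold; the page gives no number
PBKDF2_ROUNDS = 100_000


def legacy_policy(password: str) -> bool:
    """The old composition rule: upper + lower + digit + special, 8 or more."""
    return (len(password) >= 8
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"[a-z]", password) is not None
            and re.search(r"[0-9]", password) is not None
            and re.search(r"[^A-Za-z0-9]", password) is not None)


def nist_policy(password: str) -> tuple[bool, str]:
    """Length-only check counted in Unicode code points; spaces and emoji allowed,
    no composition rules.  len() on a str counts code points, not bytes."""
    n = len(password)
    if n < MIN_LEN:
        return False, f"too short ({n} < {MIN_LEN})"
    if n > MAX_LEN:
        return False, f"too long ({n} > {MAX_LEN})"
    return True, "ok"


def utf8_byte_length(password: str) -> int:
    """The wrong measure: a byte count inflates each emoji to four 'characters'."""
    return len(password.encode("utf-8"))


def make_record(password: str) -> dict[str, bytes]:
    """Constructed credential record: per-user random salt plus a PBKDF2 hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest}


@dataclass
class LoginThrottle:
    """Counts failed attempts per account and refuses further tries past MAX_FAILED."""
    failures: dict[str, int] = field(default_factory=dict)

    def attempt(self, user: str, supplied: str, record: dict[str, bytes]) -> str:
        if self.failures.get(user, 0) >= MAX_FAILED:
            return "locked"          # refuse before doing any work on the password
        candidate = hashlib.pbkdf2_hmac("sha256", supplied.encode("utf-8"),
                                        record["salt"], PBKDF2_ROUNDS)
        if hmac.compare_digest(candidate, record["hash"]):   # constant-time compare
            self.failures.pop(user, None)
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        return "wrong"


if __name__ == "__main__":
    for pw in ["*Pa$$w)rd3!", "happytablegreenbook", "correct horse 🐴 ok"]:
        print(f"{pw!r}: legacy={legacy_policy(pw)} nist={nist_policy(pw)} "
              f"codepoints={len(pw)} utf8bytes={utf8_byte_length(pw)}")
    throttle = LoginThrottle()
    rec = make_record("happytablegreenbook")
    for guess in ["wrong pass"] * MAX_FAILED + ["happytablegreenbook"]:
        print("alice:", throttle.attempt("alice", guess, rec))
```

Run as written, the script shows “happytablegreenbook” failing the legacy composition check while passing the length-only rule, and the emoji password counting 18 code points but 21 bytes. The throttle locks the account after five wrong guesses, so the correct password is refused on the sixth try until the lockout is cleared.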

What can I do right now?

For sites that do not restrict password format, consider developing a handful of memorable, lengthy passwords.  For example, the expanded title of this post reads, “did you know that they have changed the guidance on how to create passwords?”  — initial letters of words in a complete sentence.  Another technique is to string together 3-5 typically unrelated words to create a single, complex word, such as “happytablegreenbook.”

Most private companies follow the now-outdated NIST password management guidance.  Talk with your internal IT people to let them know about the new approach and find out if it’s feasible to change.  Change could even make their lives easier, since they will likely have fewer password re-sets (for those of us who can’t remember what we changed our password to 30 days ago), and may be able to streamline log-ins.

For my part, igtcmptssecig,stm*   😉

* “I’m going to change my password to something simpler every chance I get, starting this month”