
Since 2003 we’ve all been hostage to a burdensome set of rules for passwords. I’m sure most of us have tried to follow the rules. They were designed by the National Institute of Standards and Technology (NIST), a federal agency, established as the National Bureau of Standards in 1901, and obviously meant to keep us safe and cybersecure.
The problem was, if the rules were followed, a “good” password couldn’t be easily recalled, or even created. So, if not ignored, the rules were gamed. (Uppercase, lowercase, 2 numbers and a symbol? Sure: Password11!) It is now understood that those types of variants really don’t build safer passwords. Certainly not in balance with the trouble they cause. Regularly changing passwords doesn’t make us safer, either.
What actually improves cybersecurity are passwords we can easily compose and remember.
NIST has issued new guidelines that acknowledge the failings of the old way, and lay out the path for a better way. Though technically still in draft form, they’ve been available for some time and are unlikely to go through any further substantive changes. You can see the official publication here: https://pages.nist.gov/800-63-3/sp800-63b.html, but it’s a little like Ikea instructions for growing tomatoes.
A better choice for WSJ subscribers: “The Man Who Wrote Those Password Rules Has a New Tip: N3v$r M1^d!” https://www.wsj.com/articles/the-man-who-wrote-those-password-rules-has-a-new-tip-n3v-r-m1-d-1502124118
Or, the TailWinds interpretation:
It will take some time for everyone to get on board, so you’ll still have to follow the rules set up by any website or entity for which you need an account. These are guidelines, and those in charge will adopt them at their own speed. But the new NIST rules were specifically written for systems engineers and those in charge of creating the authentication rules for their sites or apps (called “verifiers” in IT-speak because they verify your identification), and they are encouraged to make the experience easy for the user. Let’s hope that includes quick implementation.
Here are the changes:
- You still need a MINIMUM of eight characters, but NIST has asked that the maximum length be at least 64 characters. And all characters should be accepted, including spaces, and even emoji!
You can see how this should encourage the use of “passphrases”, which will be much easier to use. (“There are two fig trees in my back yard. One is named Edgar” vs “$S0m3w0^D”) You should also be able to use any punctuation and any language.
- As hinted above, in the future there will be no composition rules. None of “Your password must contain the name of your favorite cow, initial character cannot be upper-case, last character cannot be lower case, three numbers, etc.”. But, you won’t get away with look-alikes, either (pAsSw*rd, for instance, won’t work.)
- Hints are out, too! I haven’t seen them in a while, but some sites still let you store hints (“my dog’s name”).
- You know the list of questions you have to choose from to set up a scheme to reset your password? What was the name of your first-grade teacher? What city were you born in? What is your father’s middle name? That’s out, too.
- Our absolute favorite: No changing passwords every month or few months. Passwords (or phrases) will change only if they are breached in some way, or if they are forgotten by the user.
- There will be restrictions against using “dumb” passwords: bad choices such as “password” or your own name or user name. Professionals use dictionaries of these, so if you try it, don’t be surprised when your submission is rejected.
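To show what these rules look like on the verifier’s side of the screen, here is an added example of a password-acceptance check written in that spirit. It is not code from the original post or from NIST: the blocklist is a constructed stand-in for a real dictionary of common and breached passwords, the look-alike folding table (so that “P@ssw0rd” is compared as “password”) is an assumption of this example rather than a NIST requirement, and the sample inputs are constructed. Notice what the check deliberately leaves out: no composition rules, no hints, no security questions, no expiry date.

```python
"""Password-acceptance checks in the spirit of NIST SP 800-63B section 5.1.1.2.

Added example, not code from the original post or from NIST. The blocklist,
the look-alike folding table and the sample inputs are constructed.
"""
import unicodedata

MIN_LENGTH = 8    # NIST minimum for a user-chosen memorized secret
MAX_LENGTH = 64   # NIST: verifiers should allow at least 64 characters

# Constructed blocklist standing in for a dictionary of common/breached passwords.
# A real deployment loads a far larger list.
BLOCKLIST = {
    "password", "123456", "qwerty", "letmein", "iloveyou", "admin",
}

# Common look-alike substitutions, folded so "P@ssw0rd" compares as "password".
# This folding is an assumption of this example, not a NIST requirement.
LOOKALIKES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i", "|": "l",
})


def normalize(secret: str) -> str:
    """NFKC-normalize so visually identical Unicode input compares equal."""
    return unicodedata.normalize("NFKC", secret)


def fold(secret: str) -> str:
    """Canonical form used only for blocklist and user-name comparison."""
    return normalize(secret).casefold().translate(LOOKALIKES)


def check_password(secret: str, username: str = "") -> list[str]:
    """Return the reasons a secret is unacceptable; an empty list means accepted.

    There are intentionally no composition rules here: a passphrase with only
    lowercase letters and spaces is fine if it is long enough and not on the list.
    """
    reasons = []
    normalized = normalize(secret)
    # Length is counted in code points after normalization, so spaces,
    # punctuation, non-Latin scripts and emoji all count as characters.
    length = len(normalized)
    if length < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if length > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    folded = fold(secret)
    if folded in BLOCKLIST:
        reasons.append("matches a commonly used or breached password")
    if username and fold(username) in folded:
        reasons.append("contains the user name")
    return reasons


if __name__ == "__main__":
    samples = [
        ("P@ssw0rd", "jsmith"),
        ("There are two fig trees in my back yard. One is named Edgar", "jsmith"),
        ("I 🍕 pineapple pizza", "jsmith"),
        ("edgar is my fig tree", "Edgar"),
    ]
    for secret, user in samples:
        print(repr(secret), "->", check_password(secret, user) or "accepted")
```

The only hard rejections are length and the blocklist (plus the user name); everything else the old rules demanded is simply absent, which is exactly why a long, plain-English passphrase passes and a short, symbol-stuffed one may not.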
If you have any questions about this, please call us (205) 332-1600 or email info@twtech.com