Most people have been taught to change passwords often, at least every 90 days, and to use phrases like L0tz0fB34RZ! (roughly “Lots of Bears!”). These “best practices” are so widely accepted that one can go to almost any company anywhere and find them in use.
But, as it turns out, these password rules do more harm than good. And the man behind them feels sort of bad about it.
Bill Burr, the security specialist who wrote an influential guide on authentication security for the National Institute of Standards and Technology (NIST) in 2003 that spurred these practices, has been walking back some of his advice.
“Much of what I did I now regret,” Burr told the Wall Street Journal recently.
He clarified: his advice to change login credentials every 90 days has led to steadily weaker passwords, as users struggle to come up with new ones every three months. If the phrases get too complex after frequent changes, users dumb them down. Or they make small, superficial changes, such as turning “Super1!” into “Super2!”, which does not improve security at all.
“It just drives people bananas and they don’t pick good passwords no matter what you do,” he said.
It’s also been shown recently that computers have a harder time cracking a string that consists of a long phrase than one that’s just a word with numbers and symbols thrown in. These password best practices were, in fact, not best practices.
So the NIST updated its recommendations. It recommends that IT not require users to change their passwords as frequently, and that passwords consist of long phrases like “DuckRedHowledDittoBanana” or something similar—whatever random grouping of words a user can easily remember. The NIST also recommends that enterprises use login managers, which allow users and admins alike to store all their login info and have it entered automatically. Some will even generate random strings for users.
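To put numbers on the claims above (the mangled word versus the long passphrase, and the “Super1!” to “Super2!” rotation problem), here is an added example that is not part of the original article. The attacker model and its constants (dictionary size, mangling-rule budget, wordlist size) are my assumptions, chosen to show why a character-class strength meter flatters the mangled word while a dictionary-aware guesser does not.

```python
import math
import re

# Assumed attacker model (my assumption, not a figure from the article): the
# guesser knows common digit/symbol substitutions and tries dictionary words
# with a budget of mangling rules; for a multi-word passphrase it tries every
# combination of words from a public wordlist.
DICTIONARY_WORDS = 50_000   # base words tried for a mangled single-word password
MANGLE_RULES = 64           # capitalisation/substitution variants tried per word
WORDLIST_WORDS = 7_776      # diceware-sized list a passphrase is drawn from
SYMBOLS = 33                # printable ASCII punctuation characters
LEET = str.maketrans("013457@$", "oieastas")

def letters_only(s: str) -> str:
    """Lower-case letters of s with digits and punctuation removed."""
    return re.sub(r"[^a-z]", "", s.lower())

def core_word(password: str) -> str:
    """Undo leet substitutions, e.g. 'L0tz0fB34RZ!' -> 'lotzofbearz'."""
    return letters_only(password.translate(LEET))

def naive_charset_bits(password: str) -> float:
    """What a 'four character classes' meter credits: log2(alphabet ** length)."""
    classes = [(r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^A-Za-z0-9]", SYMBOLS)]
    alphabet = sum(size for pattern, size in classes if re.search(pattern, password))
    return len(password) * math.log2(alphabet)

def mangled_word_bits(password: str) -> float:
    """Dictionary-aware estimate for 'a word with numbers and symbols thrown in':
    one wordlist lookup, the mangling-rule budget, and any trailing punctuation."""
    trailing = len(password) - len(password.rstrip("!@#$%^&*?."))
    return math.log2(DICTIONARY_WORDS * MANGLE_RULES) + trailing * math.log2(SYMBOLS)

def passphrase_bits(phrase: str) -> float:
    """Estimate against a guesser who knows the wordlist: words * log2(list size).
    Words are counted at the CamelCase boundaries the article's example uses."""
    return len(re.findall(r"[A-Z][a-z]+", phrase)) * math.log2(WORDLIST_WORDS)

def is_superficial_change(old: str, new: str) -> bool:
    """Change-time policy check for the rotation failure the article describes:
    'Super1!' -> 'Super2!' keeps the same letters, so it is not a real change."""
    return letters_only(old) == letters_only(new)

if __name__ == "__main__":
    for pw in ("L0tz0fB34RZ!", "DuckRedHowledDittoBanana"):
        realistic = passphrase_bits(pw) or mangled_word_bits(pw)  # 0 words -> mangled model
        print(f"{pw:26} meter={naive_charset_bits(pw):5.1f} bits  realistic={realistic:5.1f} bits")
    print("Super1! -> Super2! superficial:", is_superficial_change("Super1!", "Super2!"))
```

Under the naive meter the mangled word scores about 79 bits, but against a guesser who knows the dictionary and the substitutions it is closer to 27 bits, while the five-word passphrase keeps roughly 65 bits even when the attacker knows the wordlist.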
While these managers are certainly handy, they have their own vulnerabilities. Many, such as the popular LastPass, are only as secure as the master authenticator a user or admin must enter to use the service, access stored information, make changes and so on. If that master authenticator is leaked or cracked, it’s game over. And relying on a single string to access sensitive data is troubling. No matter how long a string is, it’s still just one string of characters that can be cracked or leaked.
The NIST does make one critical recommendation that we feel is being underreported: the importance of multi-factor authentication. Using multi-factor authentication (requiring the usual passphrase and then a second, temporary one generated at the time something is shared) is especially important for handling sensitive files and documents. If a user’s login info has been compromised, the data is still protected by that temporary factor.
One last tip the NIST offers that flies in the face of conventional wisdom: don’t physically write your passphrases down. We’ve heard a lot of people recommend keeping an on-paper record of all their login info. But these copies are easily stolen and distributed. The only safe place for this information is in the user’s memory.