Passwords Could Be Getting Easier To Remember
Despite advances in technology, the humble password is still the mainstay of IT account protection. Almost fifteen years ago the National Institute of Standards and Technology, or NIST, set down a number of password recommendations. Most readers will know the drill: a blend of upper and lower case characters, symbols and numbers. However, one of the managers responsible for this document, Bill Burr, has told the Wall Street Journal that he regrets many of his previous recommendations. His change of mind has nothing to do with biometric security sensors that are now inexpensive and reliable enough to be put onto less expensive smartphones. Instead, this is associated with observing human behaviour. Burr reports that some of the recommendations implemented from the original 2003 document have actually reduced account security over the years. Oopsie.
Not only does the 2003 document recommend passwords be of a certain level of sophistication, but it also recommends that they are regularly changed. Unfortunately, this technique tends to backfire. As our passwords need to be complicated, we as humans have tended to pick a password and over time, only make incremental changes. Instead of helping password security, forcing users to change their password every 30, 60 or 90 days actually harms it! The NIST’s draft new guidelines recommend IT passwords are only changed after a security breach, something that is bound to bring joy to forgetful users and harassed System Admins all over the world!
Another part of the NIST’s revised security recommendations is that the complex password strategy is revised. Instead of mixing and matching different types of characters, users are being encouraged to use a long phrase or expression. However, these phrases need to be screened against both commonly used password phrases and against those that are considered compromised. After all, it’s these phrases that we’d expect hackers to try first.