Since approximately 2003, risk management and security professionals have told people to use “strong” passwords. The use of one word in all lowercase letters like “password” was universally panned as a weak password. Instead, people were instructed to use a combination of capital letters, lowercase letters, numbers, and symbols, like “PasSword23%#.” In addition to the complicated mix of letters, numbers, and symbols, it was recommended to change passwords often and to use different passwords for each application and website.
The basis for the “strong” password guidance originally came from the National Institute of Standards and Technology (NIST), a non-regulatory federal agency within the U.S. Department of Commerce. NIST technically provides guidance documents and recommendations only for federal agencies. However, NIST password regulations and suggestions are well researched and well trusted. As such, NIST recommendations have often become the foundation for best practice recommendations for security professionals when forming password policies for companies in the private sector.
Ironically, however, as companies and users have required more and more complicated rules for creating passwords, the number of data breaches has continued to increase. The problem with complex passwords is not that the mix of letters, numbers, and symbols inherently creates weak passwords; it is that most people typically use the same techniques and predictable formulas to create the passwords.
This can be especially true when organizations require users to change their passwords every 90 days. Users typically just change a character or two rather than create a completely new password. In addition, users often just capitalize the first letter of a password and add a number or symbol at the end. Hackers have been able to easily predict these patterns and have created algorithms that target those weaknesses.
In 2011, Randall Munroe, the American cartoonist, author, engineer, and scientific theorist who created the web comic “xkcd,” pointed out in one of his comics that the password “Tr0ub4dor&3” could be cracked in approximately three days due to its predictable capitalization, common numeric substitutions, and use of special characters. Munroe noted that a password using four random common words such as “correct horse battery staple,” written as a single phrase, would take 550 years to guess. Munroe added that “we’ve successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess.” (See figure one for the complete comic.)
Another issue with the use of complex passwords is that users have trouble remembering them. In order to make it easier, users prefer to use the same password over and over again. Recent research by Experian found that 25 percent of those who are 55 years and older had over 11 unique password logins. That is good—except that these users often have trouble remembering all of them. As a result, 55 percent of these older users admitted to using the same password for multiple online accounts. In contrast, Experian found that millennials who favor convenience over security rarely have more than five unique passwords and are, ironically, far more vulnerable to being hacked than older users.
NIST took notice of these problems and recently revised its password guidelines. Rather than continuing down the path of creating more and more complicated passwords that are even more difficult to remember, NIST now recommends far simpler passwords, eliminating its past recommendation of a mix of lowercase letters, capital letters, numbers, and symbols. The new emphasis is on longer passwords that can all be lowercase letters, if the user prefers.
In order to make up for the simplicity, NIST recommended using long and memorable nonsensical phrases that only the user might know. All passwords should be at least eight characters and up to 64 characters long. The theory is that the longer the password, the better.
NIST has also changed the requirement that passwords expire periodically, which means fewer new passwords to memorize. Since typos are common when entering passwords (especially long ones), NIST recommends that users click the option to show the password while typing it; it says this should help eliminate the small mistakes that might otherwise lead users to shorten their passwords.
The long phrases cannot be commonly known nursery rhymes or some other known quote or phrase that a computer could easily search for. The phrase needs to be nonsensical, such as the warm-up lines Ron Burgundy uses in the movie Anchorman: “The human torch was denied a bank loan,” or “the arsonist has oddly shaped feet.” Obviously, users should not use a direct quote from a movie, but should instead think of their own memorable nonsensical phrases along those lines. Four random words, as Munroe demonstrates, would also work.
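To make the contrast concrete, here is an added example (not from the article or from NIST) that puts the old composition rule beside the length-based rule described above, rejects well-known phrases the way the article warns against, and flags the “change one or two characters” rotation habit. The blocklist entries and the 0.8 similarity threshold are constructed assumptions for illustration.

```python
import difflib
import re

# Constructed stand-in for the list of common passwords and well-known phrases
# (nursery rhymes, famous quotes) that a verifier should reject.
BLOCKLIST = {
    "password",
    "twinkle twinkle little star",
    "the human torch was denied a bank loan",
}


def legacy_policy(pw: str) -> bool:
    """The pre-2017 'strong password' rule: at least 8 characters containing
    an uppercase letter, a lowercase letter, a digit and a symbol."""
    return (len(pw) >= 8
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"\d", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def normalize(pw: str) -> str:
    """Lowercase and collapse whitespace so trivial variants of a known phrase
    still match the blocklist."""
    return " ".join(pw.lower().split())


def nist_style_policy(pw: str, blocklist=BLOCKLIST):
    """Length-based rule as the article describes it: 8 to 64 characters, no
    required mix of character classes, but no commonly known password or phrase.
    Returns (accepted, reason)."""
    if not 8 <= len(pw) <= 64:
        return False, "length must be between 8 and 64 characters"
    if normalize(pw) in blocklist:
        return False, "commonly known password or phrase"
    return True, "ok"


def too_similar(old: str, new: str, threshold: float = 0.8) -> bool:
    """Detect the rotation habit described above: a 'new' password that only
    tweaks a character or two of the old one. difflib's ratio is 2*M/T, where
    M is the number of matching characters and T the combined length."""
    ratio = difflib.SequenceMatcher(None, old.lower(), new.lower()).ratio()
    return ratio >= threshold


if __name__ == "__main__":
    for candidate in ["PasSword23%#", "correct horse battery staple",
                      "The human torch was denied a bank loan"]:
        print(candidate, legacy_policy(candidate), nist_style_policy(candidate))
    print(too_similar("PasSword23%#", "PasSword24%#"))
```

Note that the legacy rule accepts the predictable “PasSword23%#” and rejects the long all-lowercase phrase, while the length-based rule does the opposite for the phrase and additionally catches the movie quote.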
As of Oct. 25, 2017, the Identity Theft Resource Center (ITRC) reported more than 1,120 confirmed data breaches and more than 171 million records exposed in 2017. The ITRC only reported 1,039 data breaches and fewer than 37 million records exposed in all of 2016. So, clearly, what was being done previously to protect our accounts isn’t working. Time will tell if the new password guidelines will help stem the tide of data breaches, but at least until then, users can hopefully stop pulling their hair out trying to remember the complicated mix of lowercase and capital letters, numbers, and symbols.