Continuing last week's post: it looks like the FTC's Chief Technologist is not the only one waging war on the periodic renewal of passwords. The National Institute of Standards and Technology (NIST) is apparently on board as well, and it will also be recommending that something be done about password complexity rules (washingtonpost.com):
One sign of change came this year from the federal agency overseeing government computer policy. The National Institute for Standards and Technology issued draft recommendations that called for a password overhaul — encouraging longer passwords and ending the practice of forcing new ones every 60 or 90 days.
“Passphrases are much harder to crack and break, and much easier to remember,” said Paul Grassi, a NIST senior adviser.
It was an acknowledgment that current password practices are a pain.
A pain and then some.
Long is Good
Studies show that, against brute-force guessing, a longer password made only of letters holds up as well as a shorter one that mixes letters, digits and symbols. The reason is arithmetic: every added character multiplies the search space by the size of the alphabet, while a bigger alphabet only raises the per-character factor, so length wins quickly. For example, the all-letter password below would be as good as the no-letter password:
It doesn't take a brain surgeon to see why the password on top is the compelling choice, security-wise. It is comparable to, or even better than, the second example in strength, and yet it is far easier to recall.
Caveats (Like Always)
The only problem I can see (my emphasis):
A series of studies from Carnegie Mellon University confirmed that passphrases are just as good at online security because hacking programs are thrown off by length nearly as easily as randomness. To a computer, poetry or simple sentences can be just as hard to crack.
The problem with the above statement is that computers don't really "crack" anything; it's the people behind the computers that matter. And those people are wise to the fact that exhaustively brute-forcing a long password is an exercise in frustration, so they order their guesses by likelihood rather than stepping through the whole keyspace.
Indeed, attackers look for ways to avoid brute force altogether: social engineering, trawling Facebook for the answers to security questions, planting malware, building guessing rules from passwords exposed in earlier data breaches, and more.
Poetry and simple sentences, then, would barely slow down an attacker who runs a wordlist-driven script and waits for the computer to do its thing, because well-known phrases are tried first. For example, one of the perennial top-ten passwords is "iloveyou", which is, technically, a passphrase and a simple sentence. It also makes frequent appearances in poetry (generally bad poetry).
What you want to do as a computer user interested in security is to create nonsensical passphrases: easy-to-remember sentences that are altered a bit so they are not easy targets for guessing, yet not so surreal that you would forget them or confuse them with something else.
(Thankfully, the Washington Post piece clarifies this as well.)
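To make both points concrete (length versus alphabet size from the "Long is Good" section above, and the ordered-guessing attacker from this one), here is an added Python example. It is not code from the Washington Post article, from NIST, or from the Carnegie Mellon studies. It scores a candidate password the way a practical attacker orders guesses: a list of known-common passwords first, then combinations of dictionary words, and character-level brute force only as a last resort. The common-password list, the small word set and the assumed 20,000-word dictionary size are constructed sample values, not real breach data, and the scoring is a deliberate simplification: it treats passphrase words as independently chosen, so a grammatical sentence scores higher than it deserves.

```python
import math
from typing import List, Optional, Tuple

# Constructed sample data for this example (not a real breach corpus): a few
# perennial "top passwords" in rough popularity order, and a tiny word set
# standing in for the attacker's dictionary.
COMMON_PASSWORDS = ["123456", "password", "12345678", "qwerty", "iloveyou", "letmein"]
DICTIONARY = {"i", "love", "you", "correct", "horse", "battery", "staple",
              "purple", "monkey", "dishwasher", "the", "rain", "in", "spain"}
# Assumed size of the attacker's real word list; it sets the cost per guessed
# word, while the small set above is only used to recognise words.
DICTIONARY_SIZE = 20_000


def brute_force_bits(length: int, alphabet_size: int) -> float:
    """Search space, in bits, of an exhaustive character-level attack.

    Each extra character multiplies the space by the alphabet size, so
    length adds bits linearly while a bigger alphabet only raises the
    per-character factor.
    """
    return length * math.log2(alphabet_size)


def alphabet_size_of(password: str) -> int:
    """Alphabet a brute-forcer must cover given the character classes used."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation and space
    return size


def segment_words(text: str, words: set) -> Optional[List[str]]:
    """Split text into the fewest dictionary words, or None if impossible.

    Dynamic programming over prefixes: best[i] is the shortest segmentation
    of text[:i]. This mirrors a word-level cracker, which treats a passphrase
    as a sequence of tokens rather than of characters.
    """
    best: List[Optional[List[str]]] = [None] * (len(text) + 1)
    best[0] = []
    for end in range(1, len(text) + 1):
        for start in range(end):
            prefix = best[start]
            if prefix is not None and text[start:end] in words:
                candidate = prefix + [text[start:end]]
                if best[end] is None or len(candidate) < len(best[end]):
                    best[end] = candidate
    return best[len(text)]


def estimate_guess_bits(candidate: str) -> Tuple[str, float]:
    """Return (strategy, bits): log2 of roughly how many guesses a sensibly
    ordered attacker makes before reaching this candidate.

    Attack order mirrors practice: known-common passwords first, then
    dictionary-word combinations, then character-level brute force.
    """
    if not candidate:
        return "empty", 0.0
    normalized = candidate.lower().replace(" ", "")
    if normalized in COMMON_PASSWORDS:
        # In the top list: guessed after `rank` attempts regardless of length.
        rank = COMMON_PASSWORDS.index(normalized) + 1
        return "common-list", math.log2(rank)
    words = segment_words(normalized, DICTIONARY)
    if words:
        # Word-level attack: each word costs log2(dictionary size) bits. This
        # assumes independently chosen words; a grammatical sentence is more
        # predictable than this estimate suggests.
        return "word-level", len(words) * math.log2(DICTIONARY_SIZE)
    return "character-level", brute_force_bits(len(candidate), alphabet_size_of(candidate))


if __name__ == "__main__":
    # Length versus complexity: 20 lowercase letters beat 8 fully mixed characters.
    print(f"8 chars, 95-symbol alphabet : {brute_force_bits(8, 95):5.1f} bits")
    print(f"20 chars, 26-letter alphabet: {brute_force_bits(20, 26):5.1f} bits")
    # A "passphrase" that is also a top-ten password falls in a handful of guesses.
    for pw in ["iloveyou", "correct horse battery staple", "Xk7$q"]:
        strategy, bits = estimate_guess_bits(pw)
        print(f"{pw!r:32} -> {strategy:15} {bits:5.1f} bits")
```

Running it shows the two halves of the argument side by side: 20 lowercase letters give about 94 bits of brute-force work against about 53 for 8 characters drawn from the full printable alphabet, yet "iloveyou" is reached after a handful of guesses because the attacker never brute-forces it at all, and a four-word passphrase is attacked at the word level (roughly 57 bits with a 20,000-word dictionary), not at the character level its length would suggest.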
Follow the Leader
Although longer passwords and an end to forced rotation are a commonsense approach to better security, and one now backed by academic research, changing password policies is slow going. There are technical reasons, of course. Dropping a policy may mean rewriting code, and some legacy systems simply cannot handle passwords longer than, say, 16 characters.
But, apparently, there is also the need to cover one’s butt:
One of the things we’ve seen when we talk to companies is they say, ‘Well, this is all good,’ but I can’t change things until I have something I can point to.
This is understandable. It's not necessarily about lacking the courage or the brains to do it. In certain cases, it's a legal or regulatory issue. For example, HIPAA covered entities and business associates are supposed to protect patient data, and they know that the US Department of Health and Human Services (HHS) treats the use of encryption as all but mandatory.
However, given how HHS operates, the buck doesn't stop there when it comes to data security. Instead, HHS points to NIST guidelines as the yardstick for how well a HIPAA covered entity is securing "protected health information" (that is, sensitive patient data).
So, if NIST does not update its position on passwords, there is very little the head of IT can do even if she knows better. (Well, technically, this is not true. NIST would probably concede that something is a better approach if it is technically sound. The problem is dealing with, say, a particularly obtuse prosecutor or auditor who decides to stick to what's on the books and make life difficult for someone.)