Wednesday, August 16, 2017

The deal about passwords

In August 2017, the National Institute of Standards and Technology (NIST) issued new recommendations on passwords that received significant play in the popular press.

The core of the reportage focused on two points:
• Scheduled change of a password should not be enforced.
• Passwords do not need to be complex if they are long.

That means you can use a password like “Now is the time for all good folk to come to the aid of their party.” instead of “Kk*Uw#eAsk ”. And you don’t have to change it ever.

But removing strict requirements does not mean you have to stop using them. The good practices you’ve already been following are still good.

Is a memorable phrase still memorable when you have a dozen of them for a dozen different sites? And is it really easier to enter 60 letters and spaces perfectly with your thumbs four or five times a day than 8-12 random characters?


We must remember that NIST writes standards for government agencies. If organizations outside the government find their standards useful (such as the amount of coffee in a pound), they are free to adopt them. But NIST password recommendations apply primarily to large organizations whose users log into a small number of services with unique identities.

In reality, most consumers of this news need passwords primarily in the course of business, research, commerce, or social networking on the internet. In a family there may be some sites (such as mail accounts) where every member has their own identity and others (such as a magazine subscription) where they all share a logon. For an active family, the number of identities could add up to hundreds.

Still the best recommendations

The old security rules still apply:
1.    Identify whether a site needs high security or low security.
2.    Identify whether a site’s password needs to be memorable or can be looked up in a secured list as needed. There may be other special needs depending on the use.
3.    Use a unique password for every site that deserves any security.
4.    Every high security password needs high entropy.
5.    Humans are very poor at creating good randomization.
6.    The best practice is to use a well rated password manager.

The “Technology Interpreted”

The popular press, for the most part, are getting it right … as far as they go.

• Requiring ordinary users to change their password every 180 or 90 – or even 60! – days has always been a boneheaded policy. These may be often-used passwords that the users must remember. In that case, the new password is frequently a derivative of past passwords easily deduced from social engineering.

• Choosing a memorable sentence instead of complexity is merely trading the method to achieve the same level of entropy.

There’s that word again: “entropy.” In the context of stealing a password, the assumption is that the only way to crack a logon is by brute force. This is the measure that is given in the discussion of password haystacks ( That is, try every possible combination of passwords from “a ”, “b ”, to “z ”, and then “aa ”, etc.

In fact, a brute force password crack starts with “123456 ”, “password ”, “12345678 ”, etc. It continues through a dictionary of words, sorted by their frequency of use from previous cracks. As the new guidelines and examples come into use, you can be sure the dictionaries will add combinations of words and common phrases to the list. Soon, “now is the time for all good men to come to the aid of their country ” will be in the test right after “monkey ”.

What we really need in passwords

Effective use of a password depends on who’s using it and the effort to enter it. A skilled typist on a full keyboard could enter a 15-word passphrase in 10 seconds. On a phone that same phrase could take excruciating minutes with every character and capitalization another opportunity for error. Worse, in most cases, characters are blacked out so there’s no way to discover and edit errors.

Some logons require a memorable password while others only need to be available for a look up. You want the code to abort the bomb on the tip of your thoughts. But you can trust your video device to remember your streaming account and only reenter the password when the power blinks.

It is critical that every high-value site have a unique, strong password. Ideally, low-value sites should also be unique. The reason not to share passwords is because sites have been known to be sloppy about protecting your password. If a blogging site loses its database and hackers see that has the password 1qaz2wsx (the #15 most common password for 2015 – where’d that come from?); they might also try those credentials at banks and stores.

Two-factor authentication is a system where you enter a second, one-time credential in addition to or in lieu of a password. The most common form of second factor is for a website to send a code to a previously verified text, email, or voice account. You then enter the code to proceed. If you choose to use two-factor regularly, the least secure method is to receive an SMS message on your phone. The best method is with a time-based system such as Google Authenticator.

Final recommendations

• Short or long, choose a password that is appropriate to what you’re protecting.
• Never reuse a password you’re actively using elsewhere.
• If you hear that a site has been hacked or otherwise think a password has been compromised – change it now.
• Use a well-rated password manager and take advantage of all its features.

There are more notes on this topic. Download the document at:


Creative Commons License. This work by Bill Barnes is licensed under a Creative Commons BY-NC-SA 4.0 US License. Permissions beyond the scope of this license may be available at
(cc) 2017- Bill Barnes - Disclaimer - Home Page -

No comments: