Why all the secure password advice you’ve heard is probably wrong

By Chris Dawson August 10, 2017 - 1:51 pm

From memory I think I’ve only changed a password on a marketplace account once, and on PayPal never, and apparently that’s a good thing. The latest advice on password rules from the US National Institute of Standards and Technology (NIST) is that forcing users to change their passwords and setting arbitrary composition rules is a bad thing.

The original password advice was drawn up for NIST by a man called Bill Burr, and he freely admits in a recent Wall Street Journal interview that he was no security expert and got it wrong. Requiring capital letters, numbers and other keyboard characters merely makes passwords harder for humans to remember while doing nothing against computers. Hackers even know to try guesses replacing “E” with “3”, “a” with “@” and “o” with “0”, and code those substitutions into their nefarious tools.

Worse still are the companies that force you to change your password every 30 or 90 days, as the deluge of new passwords merely means that many users make minor changes such as “nameofmydog001” to “nameofmydog002”. Any cracking dictionary can crack the new password just as easily as the old one, in seconds. Forcing password changes (unless the password has been forgotten or there has been a data breach) just makes users more likely than ever to pick one that’s insecure and more easily cracked.

The problem is that the advice we’ve been accustomed to accepting as gospel for years merely made passwords harder for humans to remember and easier for computers to crack – the exact opposite of the original goal.

NIST’s new advice is to make things easier for the user: it recommends a minimum of 8 characters (more for passwords protecting sensitive applications) but, importantly, no maximum length. All ASCII characters should be accepted, including spaces, as should Unicode characters and even emojis.

Longer passphrases are to be encouraged, as they are both more secure and easier for humans to remember, so accepting spaces and punctuation is vital.

The main thing to avoid when setting a password policy is rules on the composition of passwords. Forget the “Your password must contain at least one upper case letter, one digit and one special character chosen from ~`!@#$%^&*()-_+={}[]|\;:”<>,./?”. That just forces people to reuse a password from elsewhere so that they have a chance of memorising it.
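The policy described above (a minimum length, no low maximum, every character accepted, no composition rules, and a check against the kind of dictionary the crackers already use) is easy to put into code. The validator below is an added example written for this article, not code from NIST or from the author; the 256-character ceiling, the tiny blocklist and the three leetspeak substitutions are constructed assumptions. It also applies NFKC normalisation, which the NIST guidance recommends so that the same visible password is counted and hashed the same way however the client composed it.

```python
import unicodedata

# Policy values assumed for this example, following the post's summary of the
# NIST guidance: at least 8 characters, no low maximum (256 code points here,
# purely to bound the size of what gets hashed), and no composition rules.
MIN_LENGTH = 8
MAX_LENGTH = 256

# Constructed blocklist standing in for a real list of common or breached
# passwords; a production deployment would load millions of entries.
BLOCKLIST = {"password", "letmein", "qwerty123", "nameofmydog001"}

# Substitutions the post says cracking tools already try: 3->e, @->a, 0->o.
LEET = str.maketrans({"3": "e", "@": "a", "0": "o"})


def normalize(password: str) -> str:
    """Apply NFKC so the same visible text is counted and hashed identically."""
    return unicodedata.normalize("NFKC", password)


def canonical(password: str) -> str:
    """Reduce a password to the form a cracking dictionary would match.

    Lower-cases, strips a trailing counter such as '001', then undoes the
    common leetspeak substitutions, so 'NameOfMyDog002' and 'P@ssw0rd' map
    to 'nameofmydog' and 'password'.
    """
    pw = normalize(password).lower().rstrip("0123456789")
    return pw.translate(LEET)


# Blocklist entries are canonicalised once, so 'nameofmydog001' in the list
# also rejects 'nameofmydog002', 'NameOfMyDog003' and so on.
BLOCKLIST_CANON = {canonical(entry) for entry in BLOCKLIST}


def check_password(password: str) -> list:
    """Return the reasons a candidate password is rejected; [] means accepted.

    Deliberately absent: any rule about upper case, digits or symbols.
    """
    problems = []
    pw = normalize(password)
    # len() counts code points, so a space, a CJK character or a single
    # code point emoji each count as one character. (Emoji built from several
    # code points with joiners count as more than one, which only helps.)
    length = len(pw)
    if length < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if length > MAX_LENGTH:
        problems.append("longer than %d characters" % MAX_LENGTH)
    if canonical(pw) in BLOCKLIST_CANON:
        problems.append("matches a common or breached password")
    return problems


if __name__ == "__main__":
    samples = ["correct horse battery staple", "P@ssw0rd", "Tr0ub4d",
               "NameOfMyDog002", "🔒🔑🏠🚗🌲🍎🎸🐶"]
    for candidate in samples:
        print(repr(candidate), check_password(candidate) or "accepted")
```

Note that the four-word passphrase with spaces and the eight-emoji string both pass, while “P@ssw0rd” fails even though it would satisfy every classic composition rule: the blocklist comparison catches the substitution pattern the crackers try first.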

Password hints and knowledge-based recovery questions are also bad: forget asking where you went to school or what the name of your first pet was. More importantly, NIST says never to force passwords to expire unless there is good reason to (a hack or forgetfulness!).

Naturally all passwords should be stored as salted hashes, never in plain text, so that if the password database is ever compromised no one can simply read them, and cracking them would take decades or hundreds of years with the technology available today.

  • Mark.T
    1 week ago

    Glad to see they included spaces but the one I really want to see is backspace, that is, you type…

    AbCdEfG – then backspace twice – AbCdE – then add 2W – AbCdE2W

    .. and so on.

    I get that backspace is not ‘normal’ but it is Unicode (U+0008).

    Disclaimer: I have no idea if this is technically possible as passwords are usually only sent from the browser once the password is complete and you hit ‘Enter’.
