Everything you know about creating passwords is about to change.
The National Institute of Standards and Technology (NIST) recently released their new Digital Identity Guidelines, which explains how many of the security measures in place for passwords simply don’t work. According to the NIST, “Humans … have only a limited ability to memorize complex, arbitrary secrets, so they often choose passwords that can be easily guessed.”
In other words, it’s hard to remember “1S6u5^Q%,” so most users go with something simple like “cakeboss.” Previous guidelines indicated complexity would make passwords more secure, but when restrictions require a capital letter, number, and special character, users are more likely to adapt an easy password to match, turning “cakeboss” into “Cakeb0ss!” Furthermore, when required to change passwords every 90 days, users often make small changes (i.e., “Cakeb0ss!1”) rather than creating entirely new passwords. These minimal alterations are predictable and increase the risk of a security breach significantly.
The New Guidelines
Thanks to the NIST, the new guidelines focus on usability as a factor of password security. If someone can’t remember a password or must write it down because it is constantly changing, then it’s not secure. Because using numbers and special characters is so predictable, complexity is not as important as length and memorability.
For this reason, the NIST suggests that numbers and special characters not be required of users. Spaces should also be allowed so users can create strong password phrases. Simple phrases that the user can remember easily, even when lowercase and using normal words, are more secure than passwords like “1S6u5^Q%.”
The guidelines still indicate a minimum password length of 8 characters but propose allowing up to 64 so users can create strong password phrases. The NIST considers length a “primary factor in characterizing password strength.” A strong password is a combination of four or five words that the user can recall but cannot easily be guessed by a hacker or malicious software (i.e., “Milky Orange Clock Wolf”). Note that many sites currently do not allow spaces between words so you may need to remove them, but this will change as people adopt these new standards.
The NIST also puts more of the onus on the service rather than the user. They suggest that passwords be compared to “blacklists” of known compromised passwords before acceptance. Accounts should also limit the number of times a user can enter a wrong password before locking access for some length of time. This way users can create simpler passwords while service providers increase password security.
So, let go of notepads full of passwords too strange to be remembered. For sites that quickly adopt the NIST’s new guidelines, create strong password phrases only you’ll recall. Otherwise, we’ll have to wait for the rest of internet to catch up. Until then, password managers can keep track of those complex passwords far more securely than writing them down.