Small business and IT executives should update their password methodologies to incorporate the latest NIST thinking.
The National Institute of Standards and Technology's (NIST) thorough rewrite of password standards turns some basic rules upside down.
Since 2003 users have had to memorize strange combinations of letters, numbers and special characteristics that were supposed to be changed periodically. The new standards revoke all that and suggest usage of long, easy-to-remember phrases with no forced period for change. For most companies and users the new standards should be employed as soon as possible.
The conventions we currently use for passwords were created in 2003 by a mid-level manager at NIST and were first published in an eight-page primer called "NIST Special Publication 800-63, Appendix A".
This document has been accepted as gospel around the world for the correct way to address password creation, naming conventions, and change frequency. No matter what the variant is today that your firm works with, odds are it is a derivative of the original guidelines. Unfortunately, the author of the guidelines had no empirical data to work with – no one would share their password information.
So he created the standards based on a whitepaper written in the mid-1980s when computer access and passwords were limited to the few technically savvy individuals in academia, big business, and government.
In June of this year the Special Publication got a total rewrite, discarding key commandments that audit and security personnel take as an article of faith. The good news is that the new rules are easier to live with than the original set. The new Digital Identity Guidelines can be found at https://pages.nist.gov/800-63-3/sp800-63-3.html.
What Are the Key Changes?
There are two key changes to the rules: hard to remember alphanumeric combinations with (or without) special characteristics have been replaced by long, easy-to-remember phrases and password expiration advice has been dropped.
According to academics that study passwords, a series of four words can be harder to break than a shorter meaningless jumble of characters. To that point, cartoonist Randall Munroe calculated that it would take 550 years to crack the password "correct horse battery staple" whereas the password Tr0ub4dor&3 could be cracked in 3 days.
Computer security specialists have verified his calculations. (please see the cartoon next page)
Next page- Cartoon and Takeaway
About the author
Mr. Braunstein serves as Chairman/CEO and Executive Director of Research at the Robert Frances Group (RFG). In addition to his corporate role, he helps his clients wrestle with a range of business, management, regulatory, and technology issues.
He has deep and broad experience in business strategy management, business process management, enterprise systems architecture, financing, mission-critical systems, project and portfolio management, procurement, risk management, sustainability, and vendor management. Cal also chaired a Business Operational Risk Council whose membership consisted of a number of top global financial institutions.