Machinedesign 11695 Password 528286738

All That Password Advice? Forget About It!

Aug. 24, 2017
Do we really need all these upper, lower, special characters, numbers, and spaces in passwords that then have to be changed every time we turn around?

For years, ever since the web really went worldwide and the internet encircled the globe, we’ve been told by IT folks, sites evincing concern for our privacy, and employers to make sure our passwords were robust and strong. Some sites even had little meters that would rate the strength of our proposed passwords on a scale from “weak” to “very strong.” The gold standard was a password of at least eight characters mixing upper- and lower-case letters, numbers, punctuation, and special characters such as &, @, and #. And never use easily remembered words such as your name, alma mater, or mother’s maiden name, or your social security or phone number, and for goodness’ sake, change them like clockwork every 90 days.

All that advice stemmed from a report from the National Institute of Standards and Technology, “NIST Special Publication 800-63,” which was written by a NIST manager about 15 years ago. It turns out that manager was wrong.

The eight characters didn’t turn out to be much of a hurdle for run-of-the-mill hackers, and the advice (a mandate, really, in the corporate world) to change them led to users going from a password of eXampl31 to eXampl32 three months later. The result was passwords hackers could predict, and cracking tools that targeted exactly those behaviors. NIST now admits those “best practices” were far from the best in terms of cybersecurity; worse, they had a “negative impact on usability.” Or, in other words, they were a recurring pain in the neck for everyone working on networked computers.

Randall Munroe, a cartoonist, wrote a piece looking at the difficulty of cracking a NIST-approved password (Tr0ub4dor&3) and a password consisting of four random words (correct horse battery staple). According to him, a computer programmed to make 1,000 guesses a second would take about three days to crack the first and about 550 years to conquer the second.

NIST has rewritten that publication (the new one can be found here). It drops the advice to change passwords every 90 days and the requirement to mix upper- and lower-case letters with numbers and keyboard symbols. Instead, a long, easy-to-remember string of words is recommended, and a password should be replaced only when there are signs your security wall has been breached.
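As an added illustration (not part of the original article), the following Python works through the two points above: the guess-time arithmetic behind the cartoon comparison, using the comic’s own entropy estimate of about 28 bits for Tr0ub4dor&3 and a 2,048-word dictionary for the four-word passphrase, and a password-acceptance check in the spirit of the rewritten guidance: a minimum length, a compromised-password list (a constructed stand-in here), a rejection of the eXampl31-to-eXampl32 increment that forced rotation produces, and no character-class rules at all.

```python
import math

GUESSES_PER_SECOND = 1_000          # the rate used in the comparison the article cites
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365 * SECONDS_PER_DAY

# Constructed stand-in for a real breached-password corpus (the guidance
# calls for checking candidates against one); a real list has millions of entries.
COMPROMISED = {"password", "123456", "qwerty", "letmein", "welcome1"}


def passphrase_entropy_bits(word_count: int, dictionary_size: int) -> float:
    """Entropy of a passphrase of `word_count` words drawn uniformly from a
    dictionary of `dictionary_size` words: 4 words from 2,048 gives 44 bits."""
    return word_count * math.log2(dictionary_size)


def expected_crack_seconds(entropy_bits: float,
                           guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Seconds to exhaust the whole keyspace: 2^bits guesses at the given rate."""
    return 2 ** entropy_bits / guesses_per_second


def is_trivial_rotation(old: str, new: str) -> bool:
    """True when `new` is `old` with only its trailing digits changed, the
    eXampl31 -> eXampl32 pattern that periodic forced changes encourage."""
    stem = lambda s: s.casefold().rstrip("0123456789")
    return old != new and stem(old) == stem(new)


def check_new_password(candidate: str, previous: str = "",
                       min_length: int = 8) -> list:
    """Return the list of reasons to reject `candidate`; an empty list means it
    is accepted. Deliberately imposes no upper/lower/digit/symbol rules."""
    problems = []
    if len(candidate) < min_length:
        problems.append("shorter than %d characters" % min_length)
    if candidate.casefold() in COMPROMISED:
        problems.append("appears in the compromised-password list")
    if previous and is_trivial_rotation(previous, candidate):
        problems.append("only the trailing digits differ from the previous password")
    return problems


if __name__ == "__main__":
    days = expected_crack_seconds(28) / SECONDS_PER_DAY
    years = expected_crack_seconds(passphrase_entropy_bits(4, 2048)) / SECONDS_PER_YEAR
    print("Tr0ub4dor&3 (~28 bits): %.1f days" % days)
    print("correct horse battery staple (44 bits): %.0f years" % years)
    print(check_new_password("eXampl32", previous="eXampl31"))
```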

I applaud NIST for updating their guidelines, but I wonder what took so long. If a cartoonist can figure out the vulnerability of those earlier passwords, certainly the whiz kids at NIST should have figured them out as well? Or maybe those software savants aren’t all that “savanty.”
