Even the experts think some password-strength requirements are dumb
You must use at least one uppercase letter, a symbol, and a number. Or, wait, maybe not.
According to the experts at the National Institute of Standards and Technology (NIST), some of the password-strength requirements drilled into our skulls over the years are actually not that helpful.
What’s worse, they may be counterproductive.
As such, the institute issued a new draft of security guidelines on May 11, 2017, aimed at security professionals and recommending several significant changes to the password requirements we’ve come to accept as a necessary part of life.
What’s different? Well, for one, the experts say that forcing users to create passwords which include numbers and random characters is no longer necessary.
“[Online] services have introduced rules in an effort to increase the complexity of [passwords],” reads the draft appendix. “The most notable form of these is composition rules, which require the user to choose passwords constructed using a mix of character types, such as at least one digit, uppercase letter, and symbol. However, analyses of breached password databases reveals that the benefit of such rules is not nearly as significant as initially thought, although the impact on usability and memorability is severe.”
Basically, passwords full of #’s and &’s are hard to remember, and they don’t actually offer that much of a benefit. Instead, NIST recommends that people be allowed to choose any password of 8 characters or more — with a catch.
The catch being that whatever the user selects should be compared against a list of known common passwords. Lists of stolen passwords exist, and if the key to your email account is something like “monkey” then NIST says it should be rejected.
Who is doing the work of comparing your desired password against the aforementioned list? Don’t worry, it’s not you. Instead, that responsibility would theoretically fall to whatever service you’re trying to create an account with.
What else does NIST throw out the digital window? Why that would be a little annoying thing called forced password resets. That’s right, it turns out obligating users to change their passwords — regardless of any data breaches or lack thereof — is counterproductive. Of course, if a company discovers it’s been hacked, you should still be required to reset your login information.
The experts at NIST also go after what is a huge pet peeve of mine: security questions. Preset security questions that a user is forced to fill out, like “what high school did you attend,” are easily discovered by hackers via a simple Google search (as Sarah Palin once painfully discovered) and should be done away with entirely.
“Verifiers also SHALL NOT prompt subscribers to use specific types of information (e.g., ‘What was the name of your first pet?’) when choosing memorized secrets,” the draft declaratively states. Nice.
So, to recap: No special characters required, no forced password resets, and no fixed (easily guessable) security questions. It’s almost like all the password security advice we’ve been given is wrong.
Except that chestnut about using two-factor authentication. You should still definitely do that.