Think of a secure password. Visualize it. It probably looks like an incoherent mishmash of uppercase letters, lowercase letters, numbers, punctuation marks, and special characters. Something like EsnK9L4&ZXt+DZ3. This type of password traces its roots to an advisory written in 2003 for the National Institute of Standards and Technology, blandly titled “NIST Special Publication 800-63. Appendix A.” That document set the standard for what we think of as good password management. Now, according to the Wall Street Journal, the man who wrote it says he was wrong.
Bill Burr quite literally wrote the book on password management, and now he is revising that guidance. The advice, he says, was incorrect: advice like changing one’s password every 90 days, otherwise known as password rotation, and demanding a variety of the aforementioned special characters. These strategies wasted enormous amounts of time for millions of people over the last decade and a half, either by forcing them to change their password or to remember a string of gibberish. “In the end, it was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree,” Burr told the Journal.
Special Publication 800-63 got a rewrite in June (the current revision, SP 800-63-3, with the password rules in its 800-63B volume), writes the Journal, and the main guidance now focuses on “long, easy-to-remember phrases” and only resetting one’s password if there has been an actual breach. Most people forced to continually reset passwords only changed a few characters, so an attacker who had the old password could guess the new one with a handful of tries. Longer passwords, even if they use only standard alphanumeric characters, are exponentially harder to guess than shorter passwords drawn from a wider set of character types: the search space grows as the alphabet size raised to the length, so each extra character multiplies the attacker’s work by the alphabet size, while widening the alphabet from 62 to 95 symbols adds less than one bit of work per character.
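To make those numbers concrete, here is a small added example (not code from the article, NIST or the Journal) that puts the two password policies side by side. It computes the keyspace of a random password from its alphabet size and length, implements a hypothetical reconstruction of the old composition rule next to an SP 800-63B-style check (length 8 to 64, no composition rules, reject anything on a blocklist of common or breached passwords), and predicts the successors of a “rotated” password. The blocklist, the cracking rate and the sample passwords are constructed for illustration.

```python
import math
import re

# Alphabet sizes assumed for the comparison: lower-case letters,
# alphanumerics, and all printable ASCII.
LOWER, ALNUM, PRINTABLE = 26, 62, 95


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Bits of search space for a uniformly random password: log2(N ** L)."""
    return length * math.log2(alphabet_size)


def expected_guess_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit a random password: half the keyspace on average."""
    return 2 ** (bits - 1) / guesses_per_second


def legacy_policy(pw: str) -> bool:
    """The 2003-era composition rule as commonly deployed: at least 8 chars
    with an upper-case letter, a lower-case letter, a digit and a symbol.
    Hypothetical reconstruction, not text from SP 800-63."""
    return (len(pw) >= 8
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


# Constructed sample blocklist standing in for a corpus of breached passwords.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "pa55w0rd", "summer2017"}


def nist_2017_policy(pw: str, blocklist=BLOCKLIST) -> tuple[bool, str]:
    """SP 800-63B-style check: 8..64 characters, spaces allowed, no
    composition rules, reject values found on a blocklist."""
    if len(pw) < 8:
        return False, "too short"
    if len(pw) > 64:
        return False, "too long"
    if pw.lower() in blocklist:
        return False, "commonly used or breached"
    return True, "ok"


def rotation_candidates(old: str, max_step: int = 3) -> list[str]:
    """Predict the successors of a forcibly 'rotated' password by bumping
    a trailing number (or appending one). Models the Journal's point that
    users change only a few characters, so a leaked old password gives
    the attacker a very short candidate list for the new one."""
    m = re.search(r"(\d+)([^\d]*)$", old)
    out = []
    for step in range(1, max_step + 1):
        if m:
            num, tail = m.group(1), m.group(2)
            bumped = str(int(num) + step).zfill(len(num))
            out.append(old[:m.start(1)] + bumped + tail)
        else:
            out.append(old + str(step))
    return out


if __name__ == "__main__":
    rate = 1e9  # assumed offline cracking rate, guesses per second
    for label, n, length in (("8 printable chars", PRINTABLE, 8),
                             ("8 alphanumerics", ALNUM, 8),
                             ("16 lower-case letters", LOWER, 16)):
        bits = keyspace_bits(n, length)
        days = expected_guess_seconds(bits, rate) / 86400
        print(f"{label:22s} {bits:5.1f} bits  ~{days:,.0f} days at 1e9/s")
    for pw in ("EsnK9L4&ZXt+DZ3", "correct horse battery staple", "pA55w0RD"):
        print(f"{pw!r}: legacy={legacy_policy(pw)} nist={nist_2017_policy(pw)}")
    print("after rotation from 'Summer2017!':", rotation_candidates("Summer2017!"))
```

Run as a script, the output shows the inversion the article describes: sixteen lower-case letters (about 75 bits) outstrip eight characters from the full printable set (about 53 bits) by a factor of millions, the passphrase that the legacy rule rejects passes the 800-63B-style check, and the rotated “Summer2017!” is recovered within three guesses from its predecessor.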
The good news is that soon you might not have to change your pA55w0RD every couple of months. The bad news is that it will probably take a few years for these new standards to spread widely.