KUNM

Forget Tough Passwords: New Guidelines Make It Simple

Aug 14, 2017
Originally published on August 15, 2017 3:45 pm

Here's what we've been told about passwords:

  • Make them complicated.
  • Use numbers, question marks and hash marks.
  • Change them regularly.
  • Use different passwords for each app and website.

These guidelines often leave users frustrated and struggling to remember all of their passwords.

Now the National Institute of Standards and Technology is about to make all of our lives much easier. The organization recently revised its Digital Identity Guidelines (NIST Special Publication 800-63B), which cover how passwords are chosen and verified, and the new advice sharply diverges from the previous rules.

"The traditional guidance is actually producing passwords that are easy for bad guys and hard for legitimate users," says Paul Grassi, senior standards and technology adviser at NIST, who led the new revision of guidelines.

The organization suggests keeping passwords simple, long and memorable. Phrases, lowercase letters and typical English words work well, Grassi tells NPR's Audie Cornish. The guidelines no longer call for composition rules that require special characters or a mix of lowercase and uppercase letters. And passwords no longer need to expire on a schedule: under the new guidance they are changed when there is evidence they have been compromised, not every 90 days.

"We focus on the cognitive side of this, which is what tools can users use to remember these things?" Grassi says. "So if you can picture it in your head, and no one else could, that's a good password."

While these rules may seem suspiciously easy, Grassi says these guidelines help users create longer passwords that are harder for hackers to break. And he says the computer security industry in both the public and private sectors has received these new rules positively.

"It works because we are creating longer passwords that cryptographically are harder to break than the shorter ones, even with all those special character requirements," Grassi says. "We are really bad at random passwords, so the longer the better."

Previously, security experts recommended password manager apps to keep users' accounts protected. Grassi says these apps are useful because they generate a completely random password for each site, and the guidelines support their use, but NIST stopped short of endorsing them because it considers the choice a personal one.

Grassi stands by the new guidelines because, he says, the old rules hurt usability and did little for security. When users are made to change their passwords every 90 days, they rarely change the password in any meaningful way, Grassi says.

"I'm pretty sure you're not changing your entire password; you're shifting one character," he says. "Everyone does that, and the bad guys know that."
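The keyspace argument made above (a few random words beat a short password built from composition rules) and the one-character "rotation" problem from the 90-day expiry paragraphs, carried through as an added example. This is illustration code written for this page, not NIST's or NPR's. It assumes a diceware-style list of 7,776 words (the short list in the code is a constructed stand-in), a constructed blocklist in place of a real breach-derived one, and a Levenshtein-based check for trivial rotations that is an assumption added here, not something the guidelines require:

```python
import math
import secrets
import string
from typing import List, Optional

# Constructed sample data for this example (not from NIST or the article).
# SAMPLE_WORDS stands in for a real random-passphrase word list; the entropy
# math takes the list size as a parameter so it does not depend on this toy list.
SAMPLE_WORDS = [
    "correct", "horse", "battery", "staple", "studio", "welcome",
    "orchard", "pencil", "glacier", "tumble", "quiet", "marble",
]

# Constructed stand-in for a breach-derived list of commonly used or compromised
# passwords. SP 800-63B requires verifiers to reject candidates found on such a list.
# Note that "Summer2017!" satisfies every old-style composition rule and is on it.
BLOCKLIST = {"password", "password1", "p@ssw0rd", "letmein", "qwerty123", "summer2017!"}

MIN_LENGTH = 8  # SP 800-63B minimum length for a user-chosen memorized secret


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Bits of guessing work for a secret whose `length` symbols are each drawn
    uniformly and independently from `alphabet_size` choices. This is an upper
    bound: a human who picks 'Summer2017!' is nowhere near uniform."""
    return length * math.log2(alphabet_size)


def compare_policies(complex_len: int = 8, words: int = 4, wordlist_size: int = 7776) -> dict:
    """Old policy: `complex_len` characters from the 94 printable ASCII symbols.
    New policy: `words` words chosen at random from a `wordlist_size`-word list
    (7776 is the size of a standard diceware list)."""
    printable = len(string.ascii_letters + string.digits + string.punctuation)  # 94
    return {
        "complex_bits": keyspace_bits(printable, complex_len),
        "passphrase_bits": keyspace_bits(wordlist_size, words),
        "bits_per_extra_word": math.log2(wordlist_size),
    }


def generate_passphrase(words: int = 4, wordlist: List[str] = SAMPLE_WORDS) -> str:
    """Random words joined by spaces (the guidance explicitly allows spaces).
    secrets.choice is a CSPRNG; random.choice would not be acceptable here."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trivial_rotation(candidate: str, previous: str) -> bool:
    """True when the 'new' password is the old one with one character shifted,
    e.g. Summer2017! -> Summer2018!, the pattern the article describes."""
    return edit_distance(candidate.lower(), previous.lower()) <= 1


def check_new_password(candidate: str, previous: Optional[str] = None) -> List[str]:
    """Verifier-side checks in the spirit of the new guidance: minimum length,
    blocklist lookup and no composition rules, plus (an assumption added here,
    not a NIST requirement) rejection of a one-character rotation of the old
    password when one is known. Returns reasons to reject; empty means accepted."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if candidate.lower() in BLOCKLIST:
        problems.append("appears on the compromised/common password blocklist")
    if previous is not None and is_trivial_rotation(candidate, previous):
        problems.append("differs from the previous password by only one character")
    return problems


if __name__ == "__main__":
    bits = compare_policies()
    print(f"8 random printable chars : {bits['complex_bits']:.1f} bits")
    print(f"4 random diceware words  : {bits['passphrase_bits']:.1f} bits "
          f"(+{bits['bits_per_extra_word']:.1f} per extra word)")
    print("generated passphrase     :", generate_passphrase())
    for cand, prev in [("P@ssw0rd", None), ("Summer2017!", None),
                       ("Summer2018!", "Summer2017!"),
                       ("paul grassi welcome to the studio", None)]:
        print(repr(cand), "->", check_new_password(cand, prev) or "accepted")
```

The numbers are the honest version of the argument: four words drawn at random from a 7,776-word list give about 52 bits, roughly the same as eight fully random printable characters, and each extra word adds about 13 bits, so a five- or six-word phrase is well ahead. The bit counts assume the words really are random; a famous quotation or a phrase others could guess is far weaker, which is why the "no one else could picture it" condition matters. The blocklist check is what the new guidance substitutes for composition rules and scheduled expiry: "Summer2017!" passes every old rule and is still rejected, and "Summer2018!" is caught as a one-character shift of it.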

Copyright 2017 NPR. To see more, visit http://www.npr.org/.

AUDIE CORNISH, HOST:

I'm Audie Cornish with this week's All Tech Considered.

(SOUNDBITE OF MUSIC)

CORNISH: Here's the received wisdom about passwords. Make them complicated. Use numbers and question marks and hash marks. Change them regularly. And use different passwords for each app and website. Of course you may end up like this.

(CROSSTALK)

CORNISH: Now, all this probably sounds familiar to our next guest, Paul Grassi, right?

PAUL GRASSI: Absolutely.

CORNISH: Paul works at the National Institute of Standards and Technology. He's here because they have issued new guidelines on crafting passwords altogether. How come?

GRASSI: What we found out now that we have 10, 15, 20 years of data is that the traditional guidance is actually producing passwords that are easy for bad guys and hard for legitimate users.

CORNISH: So give us the bullet points for your new guidelines. What should we be doing instead?

GRASSI: The new guidelines are extremely counter-intuitive but, we believe based on the data that we have, flip the paradigm on its head. It makes passwords easy for users to remember and very hard for bad guys to break. The guidelines now say long passwords are good. Phrases are good. Spaces are good. Lowercase, just typical English words is good - no need for special composition rules, no need for lower, upper, number, characters like exclamation or at symbols. And don't expire them.

CORNISH: So I could have a password that is essentially, Paul Grassi, welcome to the studio.

GRASSI: You could, provided that you believe nobody would know that that's your password. We focused on, what tools can users use to remember these things? So if you can picture it in your head and no one else could, that's a good password.

CORNISH: This seems suspiciously easy. Why does it work?

GRASSI: It works because we're creating longer passwords that cryptographically are harder to break than the shorter ones even with all those special character requirements. We are really bad at random passwords, so the longer, the better.

CORNISH: How has the computer security industry received (laughter) this suggestion?

GRASSI: We are getting nothing but positive feedback. As a matter of fact, I'd be remiss if I took credit for this update. This is the result of a culmination of feedback from the private and public sectors.

CORNISH: For a long time, people were saying what you need actually is a password manager. So this is one program, kind of one password to rule them all. And no matter how many different websites and online stores and things you're using with various different passwords, this one vault, so to speak, would keep them all. Is that still in the guidance?

GRASSI: It absolutely is. We have requirements or recommendations that allow - we stopped short of endorsing them because we think this is a personal decision. But they certainly are supported in our guidelines and can be a good thing, especially because of the fact that what they're doing is completely randomizing the password.

CORNISH: So at the end of the day, you are here to free us from the tyranny of our IT departments and their incredible demands on our password selection.

GRASSI: We hope so. The old wisdom, even though it sounds like it should work because it's complicated and changing things, seems to make sense - we actually found that it does everything negative for usability and really not a whole heck of a lot for security, especially when you look at the paradigm of changing your passwords every 90 days. I'm pretty sure you're not changing your entire password. You're shifting one character.

CORNISH: (Laughter).

GRASSI: Everyone does that.

CORNISH: You're on to me, Paul Grassi, is what you're saying (laughter).

GRASSI: Everyone does that, and the bad guys know that. So that is a really, really weak control from a security perspective.

CORNISH: Paul Grassi is senior standards and technology adviser at the National Institute of Standards and Technology. Thanks for coming in.

GRASSI: Thank you for having me. Transcript provided by NPR, Copyright NPR.