That looks like a secure password, right? It is. However, there’s no way I could possibly type that in accurately or remember it. Passwords that cannot be typed or remembered aren’t a big deal for online services if you use a password manager. They are a big deal for passwords you have to type in, like the one to log into your computer. Unfortunately, conventional password wisdom has it that users should be required to have complex passwords instead of memorable passwords. The National Institute of Standards and Technology (NIST) recently published changes to its password best practices. Its changes reflect conventional wisdom when it comes to password security:
Among other things, they make three important suggestions when it comes to passwords:
- Stop it with the annoying password complexity rules. They make passwords harder to remember. They increase errors because artificially complex passwords are harder to type in. And they don’t help that much. It’s better to allow people to use pass phrases.
- Stop it with password expiration. That was an old idea for an old way we used computers. Today, don’t make people change their passwords unless there’s indication of compromise.
- Let people use password managers. This is how we deal with all the passwords we need.
The good news here isn’t so much that NIST published these recommendations but that system administrators are willing to follow NIST’s guidelines. None of the changes published by NIST are new, these practices have been advocated by security professionals for some time now. Unfortunately, many, if not most, system administrators have kept the old guidelines in place, which has lead to users having to come up with passwords that are complex enough to satisfy password policy requirements but simple enough to remember for the several months that password is valid for. Hopefully NIST publishing these changes will convince those administrators of the errors of their ways.