Why all the secure password advice you’ve heard is probably wrong


From memory, I think I've only changed the password on a marketplace account once, and on PayPal never, and apparently that's a good thing. The latest advice on password rules from the US National Institute of Standards and Technology (NIST), in its Digital Identity Guidelines (SP 800-63B), is that forcing users to change their passwords and setting arbitrary composition rules does more harm than good.

The original password advice was drawn up for NIST by a guy called Bill Burr, and in a recent Wall Street Journal interview he freely admits he was no password expert at the time and got it wrong. Requiring capital letters, numbers and other keyboard characters makes passwords harder for humans to remember but does little to slow a computer down, because people apply the same handful of tricks and attackers know it. Cracking tools ship with "mangling rules" that take every dictionary word and try it with "E" replaced by "3", "a" by "@" and "o" by "0", with a capital first letter, and with a digit or "!" tacked on the end.

Worse still are the companies who force you to change your password every 30 or 90 days. Faced with a deluge of new passwords, most users make a minimal change such as "nameofmydog001" to "nameofmydog002", and because the cracker's rules enumerate exactly those suffixes, the new password falls in seconds just as the old one would have. Forcing password changes (unless the password has been forgotten or there has been a data breach) makes users more likely than ever to pick one that is weak, predictable and reused.
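To make the point concrete, here is an added example (not code from the original post) of how a rule-based cracker expands a small wordlist with the substitutions, capitalisation and numeric suffixes described above, and how many guesses it takes to reach "nameofmydog001" versus "nameofmydog002". The wordlist, the substitution table and the target passwords are constructed for the demonstration; real tools carry far larger rule sets.

```python
import itertools

# Constructed wordlist for the demonstration; not real data.
WORDLIST = ["password", "rover", "summer", "nameofmydog"]

# The "E->3, a->@, o->0" substitutions the article mentions, plus two more that crackers try.
SUBS = {"a": "@", "e": "3", "o": "0", "i": "1", "s": "$"}


def leet_variants(word):
    """Yield the word with every combination of the substitutions applied or not applied."""
    positions = [i for i, ch in enumerate(word) if ch.lower() in SUBS]
    seen = set()
    for mask in itertools.product((0, 1), repeat=len(positions)):
        chars = list(word)
        for bit, pos in zip(mask, positions):
            if bit:
                chars[pos] = SUBS[chars[pos].lower()]
        candidate = "".join(chars)
        if candidate not in seen:
            seen.add(candidate)
            yield candidate


def case_variants(word):
    """plain, Capitalised and UPPER: the three forms people actually use."""
    for variant in (word, word.capitalize(), word.upper()):
        yield variant


def candidates(wordlist, max_suffix=999):
    """Expand a wordlist the way a rule-based cracker does: case, leet, then appended digits and '!'."""
    for base in wordlist:
        for cased in case_variants(base):
            for leet in leet_variants(cased):
                yield leet
                yield leet + "!"
                for n in range(max_suffix + 1):
                    yield f"{leet}{n}"          # rover1, rover2, ...
                    if n < 100:
                        yield f"{leet}{n:03d}"  # rover001, rover002, ...
                    yield f"{leet}{n}!"


def guesses_needed(target, wordlist):
    """Number of candidates tried before the target is hit, or None if the rules never produce it."""
    for count, candidate in enumerate(candidates(wordlist), start=1):
        if candidate == target:
            return count
    return None


if __name__ == "__main__":
    for pw in ("P@ssw0rd123", "Summ3r!", "nameofmydog001", "nameofmydog002", "correct horse battery staple"):
        print(pw, "->", guesses_needed(pw, WORDLIST))
```

The two "rotated" dog passwords sit three guesses apart in the candidate stream, and the leet-speak and punctuation variants are all reached within a few hundred thousand guesses, which is a fraction of a second against an unsalted fast hash. The four-word passphrase is never produced by these rules at all.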

The problem is that the advice we’ve been accustomed to accepting as gospel for years merely made passwords harder for humans to remember and easier for computers to crack – the exact opposite of the original goal.

NIST's new advice puts the burden on the system rather than the user. User-chosen passwords should be at least 8 characters (the minimum can be raised for higher-assurance applications), and there should be no short maximum: verifiers should accept passwords of at least 64 characters. All printing ASCII characters, including the space, should be accepted, as should Unicode characters, emojis included, with each code point counted as one character.

Longer 'pass phrases' are to be encouraged: several ordinary words are both harder to guess and easier to remember than a short jumble of symbols, which is why accepting spaces and punctuation matters.

The thing to avoid when setting a password policy is rules on the composition of passwords. Forget the "Your password must contain at least one upper case letter, one digit and one special character chosen from ~`!@#$%^&*()-_+={}[]|;:”<>,./?”. That just pushes people to reuse a password from elsewhere, or write one down, so that they have a chance of memorising it. What NIST asks for instead is that the chosen password be checked against a blocklist of commonly used, expected or previously breached passwords, and that the user be told to choose another if it matches.
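The following is an added example, not code from the original post, of a NIST-style password check next to the legacy composition rule it replaces. It enforces a length floor and a blocklist with no composition classes, NFKC-normalises the input as SP 800-63B requires, and counts Unicode code points so that an eight-emoji password is eight characters. The blocklist is constructed for the demonstration, the 256-character sanity cap is this example's choice (NIST only says to accept at least 64), and the "de-leet" step that folds "P@ssw0rd1" back to "password" before the lookup is an assumption of this example rather than something NIST spells out.

```python
import re
import unicodedata

MIN_LENGTH = 8     # SP 800-63B floor for user-chosen memorized secrets
MAX_LENGTH = 256   # sanity cap chosen for this example; NIST says accept at least 64, so never set it lower

# Constructed blocklist for the demonstration. A real one is built from breach corpora,
# dictionary words and context-specific words such as the name of the service.
BLOCKLIST = {"password", "12345678", "qwerty123", "letmein", "nameofmydog", "welcome"}

# Undo the common substitutions before the blocklist lookup (this example's assumption,
# not a NIST rule) so that "P@ssw0rd1" is recognised as "password".
DELEET = str.maketrans("@30$1!", "aeosil")


def normalise(secret):
    """NFKC normalisation, as 800-63B requires, so the same text typed on different devices compares equal."""
    return unicodedata.normalize("NFKC", secret)


def blocklist_form(secret):
    """Casefold, strip the trailing digits/punctuation people append, then undo leet substitutions."""
    s = secret.casefold()
    s = re.sub(r"[\d!.\-_]+$", "", s)
    return s.translate(DELEET)


def check_password(secret, username=""):
    """NIST-style check: length and blocklist only, no composition classes. Returns (ok, reason)."""
    s = normalise(secret)
    n = len(s)  # len() counts code points, which is how NIST says characters are to be counted
    if n < MIN_LENGTH:
        return False, f"too short ({n} < {MIN_LENGTH})"
    if n > MAX_LENGTH:
        return False, f"longer than the {MAX_LENGTH}-character sanity cap"
    if blocklist_form(s) in BLOCKLIST:
        return False, "matches a commonly used or breached password"
    if username and username.casefold() in s.casefold():
        return False, "contains the username"
    return True, "ok"


# The regex below is the legacy "one upper, one digit, one special" rule quoted in the article.
LEGACY_SPECIALS = r"~`!@#$%^&*()\-_+={}\[\]|;:\"<>,./?"


def legacy_check(secret):
    """The kind of rule the article says to forget: 8 to 16 characters with one upper, one digit, one special."""
    if not 8 <= len(secret) <= 16:
        return False
    return bool(re.search(r"[A-Z]", secret)
                and re.search(r"\d", secret)
                and re.search(f"[{LEGACY_SPECIALS}]", secret))


if __name__ == "__main__":
    for pw in ("P@ssw0rd1", "nameofmydog002", "correct horse battery staple", "\U0001F511" * 8):
        print(repr(pw), "legacy:", legacy_check(pw), "nist:", check_password(pw))
```

Note the inversion: the legacy rule accepts "P@ssw0rd1", which the cracker's rules reach almost immediately, and rejects a 28-character passphrase for being too long and lacking a digit; the NIST-style check does the opposite.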

Password hints and knowledge-based recovery questions are also out: forget asking where I went to school or the name of my first pet, since the answers are public, guessable or both. More importantly, NIST say never force passwords to expire unless there is a good reason to, namely evidence of compromise or the user having forgotten it.

Naturally, passwords should never be stored in the clear or merely "encrypted". They should be stored as salted hashes computed with a deliberately slow one-way function (NIST cites PBKDF2 and Balloon; bcrypt, scrypt and Argon2 are the other common choices), with a random salt per password so that a stolen database cannot be attacked with precomputed tables and every account has to be cracked separately. This multiplies the attacker's cost, but it does not rescue weak passwords: a dictionary word with a three-digit suffix still falls in seconds even when properly hashed. Only a long, unpredictable passphrase becomes something that would take decades or centuries to crack with today's technology.
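As an added example, not taken from the original post, here is salted PBKDF2-HMAC-SHA256 storage and verification in Python's standard library, followed by the dictionary attack an attacker runs against a stolen record. The iteration count, the "stolen" records and the attacker's guess list are constructed for the demonstration (SP 800-63B asks for at least 10,000 iterations and as many as the verifier can afford; the 100,000 here keeps the example quick).

```python
import hashlib
import hmac
import os

ALGO = "pbkdf2_sha256"
ITERATIONS = 100_000   # constructed for the demo; 800-63B says at least 10,000, and as many as the server can afford
SALT_BYTES = 16        # 800-63B asks for at least 32 bits of random salt per password; 128 bits is the usual choice


def hash_password(password, salt=None):
    """Salted, slow one-way hash. The random per-password salt is stored alongside the digest."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGO}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(stored, candidate):
    """Recompute with the stored salt and iteration count, then compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != ALGO:
        raise ValueError(f"unsupported hash format: {algo}")
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def dictionary_attack(stored, guesses):
    """What an attacker does with a stolen record. The salt only stops precomputation and sharing work
    across accounts; the slow hash only makes each guess cost more. A guessable password still falls."""
    for guess in guesses:
        if verify_password(stored, guess):
            return guess
    return None


# Constructed attacker wordlist: a few common words plus the "rotated" variants the article describes.
GUESSES = ["password", "nameofmydog", "nameofmydog001", "nameofmydog002", "Summer2017!", "letmein"]


if __name__ == "__main__":
    weak = hash_password("nameofmydog002")
    strong = hash_password("correct horse battery staple")
    print("weak record:", weak)
    print("cracked weak:", dictionary_attack(weak, GUESSES))
    print("cracked strong:", dictionary_attack(strong, GUESSES))
```

Two records for the same password differ because the salts differ, so the attacker gains nothing from work done on another account or another site; but a password that appears in the guess list is still recovered, which is why the blocklist check at enrolment matters as much as the hashing.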

One Response

  1. Glad to see they included spaces but the one I really want to see is backspace, that is, you type…

    AbCdEfG – then backspace twice – AbCdE – then add 2W – AbCdE2W

    .. and so on.

    I get that backspace is not ‘normal’ but it is Unicode (U+0008).

    Disclaimer: I have no idea if this is technically possible as passwords are usually only sent from the browser once the password is complete and you hit ‘Enter’.
