Experts Say We Can Finally Ditch Those Stupid Password Rules
Good news: cyber-security experts have reached the same conclusion as the rest of us when it comes to passwords—current rules are annoying and ineffective.
According to National Institute of Standards and Technology (NIST), it’s time to ditch the current practice of forcing people to randomly change their passwords every few months. Meanwhile, the federal agency also said there’s no evidence that requiring people to include numbers and special characters is worthwhile.
In other words, we may soon be spared the task of coming up with a password like MickeyMou$e1! and then having to change it a month later.
NIST published these findings on Tuesday in draft guidelines that will help determine the best security practices in government departments and in many corporate IT shops.
Get Data Sheet, Fortune’s technology newsletter.
While the agency document is written in turgid bureaucrat-speak, the ideas it proposes carry a lot of common sense and are likely to make life more difficult for hackers. For instance, the report points out that people respond to demands for special password characters with very predictable responses.
“Everyone knows that an exclamation point is a 1, or an I, or the last character of a password. $ is an S or a 5. If we use these well-known tricks, we aren’t fooling any adversary. We are simply fooling the database that stores passwords into thinking the user did something good,” Paul Grassi, one of the NIST report authors, told CSO Online.
Instead, NIST proposes a different security measure: allowing people to use passwords of their choosing (no more “8 characters with an upper case letter and a symbol”) but subject to a blacklist of terms that are easier to guess for hackers. Specifically, in the words of the guidelines, here is what should be off-limits:
- Passwords obtained from previous breach corpuses.
- Dictionary words.
- Repetitive or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’).
- Context specific words, such as the name of the service, the username, and derivatives thereof
NIST’s recommendation is also consistent with other recent research that suggests the best advice for choosing a password is to choose a long one like “iwanttodriveaTesla.” The benefits are that a long string of text letters is very hard for hackers to crack while also being easy for the user to remember.
As for changing passwords, NIST says system administrators “should not require memorized secrets to be changed arbitrarily (e.g., periodically)” but only in if the user asks to change it, or if there is evidence of compromise.
Meanwhile, the NIST report also offers supports the general trend in favor of multi-factor authentication—using an external token or even a hardware device (like these Yubico keys profiled in Fortune) to confirm a user’s identify and increase security.
So will all this make us safer? Probably. But other experts say companies must take account of their users when developing security solutions. According to Tom Kemp, the CEO of identity management firm Centrify, password requirements should change depending on whether the login is for a customer or for a key IT employee who has “the keys to the kingdom.”