New password advice from NIST

If you’ve created an account on any service or web site in the last decade and a half, there’s a good chance you encountered some annoying password rules. The ones that insist on the use of mixed case letters, numbers, and punctuation.

Those weird rules started appearing after 2003, when the US National Institute of Standards and Technology (NIST) published a document entitled Electronic Authentication Guidelines (SP 800-63), which included a set of recommendations for password security. If you’re interested, there’s an archived version of the document (PDF), with slightly updated content (Ver. 1.0.1), on the NIST site.

The Electronic Authentication Guidelines document includes recommendations for ensuring the strength of user-created passwords:

  • require a minimum of 8-character passwords, selected from an alphabet of 94 printable characters;
  • require at least one upper case letter, one lower case letter, one number and one special character;
  • prevent subscribers from including common words;
  • prevent permutations of the username as a password; and
  • force frequent password changes.

Users faced with these password-creation rules found ways to work around them, and in the process ended up with less secure passwords. Many users modified their existing passwords in very predictable ways, which made the work of guessing passwords much easier.

The author of those password rules now regrets much of what he said in that 2003 document: “In the end, it was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree.” A new version of the NIST document eliminates many of the original recommendations.

NIST now recommends using long passphrases instead of complex passwords, as illustrated by this classic xkcd comic: ‘correct horse battery staple’ instead of ‘Tr0ub4dor&3’.

NIST’s new recommendations to site and service providers include eliminating requirements for the use of any particular type of character, eliminating password expiry rules, allowing passwords up to 64 characters long, and allowing the use of the clipboard in password fields.
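To make the contrast concrete, here is an added example (not code from NIST or from this post) of a password check written two ways: one in the style of the 2003 composition rules listed above, and one in the style of the revised guidance, which checks only length, a blocklist of common passwords and the username. The blocklist is a constructed sample; a real verifier would load a large list of breached and commonly used passwords.

```python
import re
import unicodedata

# Constructed sample blocklist. Assumption: a real deployment loads a large
# list of breached and commonly used passwords from a file or service.
BLOCKLIST = {"password", "qwerty", "123456", "letmein", "iloveyou"}


def check_legacy_2003(password: str) -> list[str]:
    """Composition rules in the style of the 2003 SP 800-63 recommendations.
    Returns a list of rule violations (empty means the password is accepted)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper case letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lower case letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    return problems


def check_nist_2017(password: str, username: str, max_len: int = 64) -> list[str]:
    """Rules in the style of the revised guidance (SP 800-63B): a length range,
    a blocklist and a username check. No composition rules and no expiry."""
    pw = unicodedata.normalize("NFKC", password)  # normalize Unicode before measuring
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if len(pw) > max_len:  # verifiers must accept at least 64 characters
        problems.append(f"longer than {max_len} characters")
    lowered = pw.lower()
    # Also strip the predictable trailing digits/punctuation users bolt on
    # ("Password1!" -> "password") so those variants hit the blocklist too.
    stripped = lowered.rstrip("0123456789!@#$%^&*.")
    if lowered in BLOCKLIST or stripped in BLOCKLIST:
        problems.append("appears in the blocklist of common or compromised passwords")
    uname = username.lower()
    if uname and (uname in lowered or uname[::-1] in lowered):
        problems.append("derived from the username")
    return problems
```

Under the 2003 rules ‘correct horse battery staple’ is rejected (no upper case letter, no digit) while ‘Password1!’ passes; under the revised rules the passphrase is accepted and ‘Password1!’ is caught by the blocklist.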

The new rules make a lot of sense. Combined with the use of a good password manager, and remembering to avoid password re-use, they should make anyone who uses them much safer online.

References

  1. https://duo.com/blog/nist-update-passphrases-in-complex-passwords-out
  2. https://www.theverge.com/2017/8/7/16107966/password-tips-bill-burr-regrets-advice-nits-cybersecurity
  3. https://pages.nist.gov/800-63-3/sp800-63-3.html