The ideal structure for login passwords has been under re-examination in recent years, and the effectiveness of those passwords matters more than ever in an age of ubiquitous cyber attacks.

The work was done at the National Institute of Standards and Technology (NIST), a division of the U.S. Department of Commerce charged with setting cyber security rules for non-military federal government agencies.

This summer, NIST researchers released Special Publication 800-63, which outlines new best practices that call for an end to frequent password changes and a move away from short combinations of upper- and lower-case letters, numbers and symbols.

Those guideline changes were thrust into the spotlight this week after former NIST manager Bill Burr – who created the original password standards in 2003 – said in a media interview that the previous approach was obsolete and based on inadequate information.

“Much of what I did I now regret,” the now-retired 72-year-old told The Wall Street Journal.

While NIST’s standards are only binding on employees of the covered federal agencies, they are often looked to and adopted by large and small businesses and other organizations as best practices.

The new guidelines suggest moving away from passwords built to satisfy rudimentary complexity rules, like “MSPmentor2017!”, which can be cracked easily and may give the user a false sense of security.

Requiring that such passwords be changed regularly often encourages users to make the passwords too simple: think “MSPmentor2017!2,” with an integer at the end that can be increased by 1 each time the password needs to be updated.

In other cases, users will write their passwords down in insecure places.

The new standards suggest organizations require unique but easy-to-remember words or phrases of at least eight characters.

As part of that, the NIST best practices also call for organizations to validate new passwords stringently, using technology that rejects terms matching commonly used passwords.

Password changes should be reserved for instances when there has been a known breach or a specific threat.
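As an added illustration of the policy the article describes (not code from NIST or from this publication), the following Python checker enforces only a length floor, a blocklist of commonly used passwords, and context-specific words such as the service name, with no composition rules and no expiry. The blocklist, the service word “mspmentor”, the 64-character cap and the normalization steps (casefolding, stripping trailing digits and symbols, mapping common substitutions like “0” back to “o”) are assumptions made for this example.

```python
import re
import unicodedata

# Constructed sample blocklist; a real verifier loads a large breach-derived list
# (assumption: one password per line). Widely published example phrases belong on it too.
COMMON_PASSWORDS = {
    "password", "12345678", "qwerty123", "letmein", "welcome1",
    "correcthorsebatterystaple",
}
# Context-specific words the verifier rejects (assumption: this deployment's service name).
SERVICE_WORDS = {"mspmentor"}

MIN_LEN = 8    # the floor the article describes
MAX_LEN = 64   # assumption: cap chosen for this verifier (SP 800-63B asks for at least 64)

# Common digit/symbol substitutions mapped back to letters, so "p@ssw0rd" compares as "password".
LEET = str.maketrans("01345$@", "oleassa")


def candidate_forms(pw):
    """Forms of the password compared against the blocklist: NFKC + casefold,
    whitespace removed, trailing digits/symbols stripped, substitutions mapped back."""
    base = re.sub(r"\s+", "", unicodedata.normalize("NFKC", pw).casefold())
    stripped = re.sub(r"[\W\d_]+$", "", base) or base   # keep base if it was all digits/symbols
    return {base, stripped, stripped.translate(LEET)}


def check_password(pw, username=""):
    """Return (accepted, reason). No composition rules and no expiry: only length,
    the common-password blocklist and context-specific words are enforced."""
    normalized = unicodedata.normalize("NFKC", pw)   # length is counted in code points
    if len(normalized) < MIN_LEN:
        return False, "too short"
    if len(normalized) > MAX_LEN:
        return False, "too long"
    forms = candidate_forms(pw)
    if forms & COMMON_PASSWORDS:
        return False, "matches a commonly used password"
    context = SERVICE_WORDS | ({username.casefold()} if username else set())
    if any(word in form for word in context for form in forms):
        return False, "contains a context-specific word"
    return True, "accepted"
```

Note that “Tr0ub4dor&3” passes this checker: under these rules the blocklist, not the mix of character classes, decides what is rejected.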

Academic research into ideal passwords has found that a series of four unique, memorable words offers much greater security than a shorter password made of letters, numbers and symbols.

The Wall Street Journal cited a widely circulated cartoon in which creator Randall Munroe illustrated how it would take a computer 550 years to crack the password “correcthorsebatterystaple.”

By comparison, the password “Tr0ub4dor&3” could be cracked in just three days.
