NIST revises recommendations on passwords

Aug. 17, 2017

It’s common knowledge that humans are not good at choosing passwords. Longstanding advice is that instead of “password” you should use “…awkward new words rife with obscure characters, capital letters, and numbers—and to change them regularly,” according to Robert McMillan in The Wall Street Journal. The advice now, McMillan reports, is “N3v$r M1^d!”

The preference for complicated, hard-to-remember strings containing obscure characters extends back to 2003, when Bill Burr, a manager at NIST, wrote what McMillan describes as “…a sort of Hammurabi Code of passwords, the go-to guide for federal agencies, universities, and large companies looking for a set of password-setting rules to follow.”

Unfortunately, the advice has turned out to be off the mark and “…actually had a negative impact on usability,” according to NIST adviser Paul Grassi. McMillan quotes Burr, now retired, as saying, “Much of what I did I now regret.” Burr adds, “It just drives people bananas and they don’t pick good passwords no matter what you do.”

Consequently, Grassi led a two-year effort to develop new recommendations.

The result? “Long, easy-to-remember phrases now get the nod over crazy characters, and users should be forced to change passwords only if there is a sign they may have been stolen,” reports McMillan.
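To make the shift concrete, the following Python script contrasts a 2003-style composition policy with a policy shaped by the 2017 guidance the article describes: length rather than character classes, passphrases with spaces allowed, and rotation only when compromise is suspected. This is an added example, not code from the article, from NIST, or from the Wall Street Journal. The thresholds (8-character minimum, 64-character maximum, 90-day legacy expiry) and the tiny blocklist are constructed for illustration; the blocklist check itself reflects NIST SP 800-63B's recommendation to reject commonly used or compromised passwords, which the article does not mention.

```python
"""Password-policy comparison: legacy composition rules vs. the 2017 NIST
approach (length, blocklist, no scheduled rotation).

Added example; thresholds and the sample blocklist are constructed values.
"""
import re
import unicodedata

# Constructed sample blocklist of commonly used passwords (illustrative only;
# a real deployment would use a large list of known-compromised values).
COMMON_PASSWORDS = {"password", "password1", "p@ssw0rd", "123456", "qwerty"}

LEGACY_MAX_AGE_DAYS = 90  # assumed expiry period for the legacy policy


def legacy_policy(password: str) -> list:
    """The 'obscure characters, capital letters, and numbers' style of rule.

    Returns a list of violations; an empty list means the password is accepted.
    """
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    return problems


def nist_2017_policy(password: str) -> list:
    """Length plus a blocklist instead of composition rules.

    Spaces and any printable Unicode are accepted so that long, memorable
    phrases work. NFKC normalization keeps visually identical inputs
    consistent before length and blocklist checks.
    """
    problems = []
    normalized = unicodedata.normalize("NFKC", password)
    if len(normalized) < 8:
        problems.append("shorter than 8 characters")
    if len(normalized) > 64:
        problems.append("longer than 64 characters")
    if normalized.lower() in COMMON_PASSWORDS:
        problems.append("appears on the blocklist of common passwords")
    return problems


def legacy_needs_rotation(age_days: int, compromise_suspected: bool) -> bool:
    """Legacy rule: rotate on a calendar schedule or on suspected compromise."""
    return compromise_suspected or age_days > LEGACY_MAX_AGE_DAYS


def nist_2017_needs_rotation(compromise_suspected: bool) -> bool:
    """2017 rule: age alone is never a reason to force a change."""
    return compromise_suspected


def compare(password: str) -> dict:
    """Show how the same candidate fares under both policies."""
    return {
        "legacy_accepts": not legacy_policy(password),
        "nist_2017_accepts": not nist_2017_policy(password),
    }


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "correct horse battery staple", "short"):
        print(repr(candidate), compare(candidate))
    print("legacy, 120 days old, no incident:", legacy_needs_rotation(120, False))
    print("2017, 120 days old, no incident:", nist_2017_needs_rotation(False))
```

Running it shows the reversal the article describes: `P@ssw0rd` satisfies every legacy composition rule yet is rejected by the blocklist, while `correct horse battery staple` fails the legacy rules (no uppercase, no digit) and is accepted under the length-based policy. The rotation helpers make the second change explicit: the legacy policy forces a change at 90 days regardless of evidence, the 2017 policy only when a compromise is suspected.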

As for Burr’s effort, McMillan quotes Grassi as saying, “He wrote a security document that held up for 10 to 15 years. I only hope to be able to have a document hold up that long.”

Look for our September print issue for more on cybersecurity.

About the Author

Rick Nelson | Contributing Editor

Rick is currently Contributing Technical Editor. He was Executive Editor for EE in 2011-2018. Previously he served on several publications, including EDN and Vision Systems Design, and has received awards for signed editorials from the American Society of Business Publication Editors. He began as a design engineer at General Electric and Litton Industries and earned a BSEE degree from Penn State.
