We’ve all been there when it comes to creating passwords for a website, user account or other service. Create a strong password that is a minimum of 8 characters and includes at least one capital letter, one number, and one special character. Don’t write it down. Make it different from every other password that you use. And by the way, you’ll be required to change it in 3 months. It’s enough to make the most intelligent, rational human being tear their hair out while emitting a belly-splitting primal scream.
These complex, confusing and often frustrating password recommendations – considered IT best practice for over a decade – were based on guidance issued by the National Institute for Standards and Technology (NIST), a wonky, non-regulatory government agency under the Department of Commerce. NIST advances standardized measurements, standards, and technology across a range of industries, from electric power grids to electronic health records to atomic clocks.The agency also issues guidelines with which federal agencies must comply. These guidelines often become the foundation for best practice recommendations across a variety of industries, including cybersecurity. In 2003, NIST issued password guidelines that included many of the recommendations users love to hate: special characters, capitals, numbers, and frequent password changes. In many organizations these became codified as IT best practice.
In June of 2017, NIST issued new password guidelines which throw many of the old rules out the window. The new guidelines recommend that users do the following:
1. Use 2-Factor Authentication when possible.
Also known as 2FA or TFA, 2-Factor Authentication is an extra layer of security (also known as multi factor authentication) that requires:
- Username and password
- Something that only that user has on them,- for example, a physical token (like an ID card) or an additional code sent via SMS text or generated via a mobile app
You’ve probably used TFA before, even if you don’t realize what it was called. For example, when you log into a bank website, you might have to 1. enter your username and password and then 2. enter a temporary code that is then sent to you via email or text message after you have submitted your log-in credentials. Some online services, require TFA by default, but many others provide it as an option, including Google, Microsoft, Apple, Facebook, Instagram, Twitter, PayPal, and others. Although TFA means logging in to an account will take an extra step, it adds an important layer of security. Don’t rely on passwords alone to protect anything of value.
2. Use a passphrase consisting of multiple words that you can picture in your head instead of a password to secure your accounts.
Longer passphrases are better than shorter ones because they take longer for a computer to crack. The passphrase should be difficult for others to guess, but easy for you to remember. For example: yellow dog red convertible
It’s important to use random words that don’t normally go together for your phrase, not song lyrics or common sayings.
3. Create a unique passphrase for each account.
Consider using a password manager, which is a software application that is used to store and manage user passwords for different online accounts.Stored passwords are typically encrypted, requiring the user to create a master password to access all managed passwords. Password managers can also include features like automatic form filling and random password generation, making it easy for users to use unique passwords across sites.
The new guidelines also recommend that passwords be changed only when an account has been compromised. (Cue tears of joy from computer users everywhere!)
The good news is that these new password guidelines take into account the realities of human nature and make it much easier for users to create and remember truly secure passwords/passphrases. The bad news is that corporate IT departments are often slow to change, meaning that many websites and companies will cling to to the old password guidelines because, well, that’s the way things have always been done. It may take years for companies and websites to adapt. In the interim, you can use a password manager, or you can still follow the NIST passphrase recommendations by tweaking them to include capital letters, numbers and/or special characters as required. You’ll also probably need to create a shortened passphrase version for those applications and websites that actually impose a maximum password length (such as 16 characters) which literally fly in the face of both common sense and the new NIST guidelines. Nevertheless, the new guidelines are a step in the right direction for beleaguered users.
Susan M. Bearden is an education technology consultant for the Future of Privacy Forum and the Chief Innovation Officer for the Consortium for School Networking. She was previously the Senior Education Pioneers Fellow at the U.S. Department of Education’s Office of Educational Technology in 2015-2016, and the Director of Information Technology at Holy Trinity Episcopal Academy in Melbourne, Florida.