Just when you thought all hope was lost of remembering your 16-character password with upper and lower case letters, numbers, and special characters, NIST comes to the rescue. That’s right!  The National Institute of Standards and Technology wrote a brief addendum to SP 800-53 which simplifies Strength of Memorized Secrets.  You and I refer to those “secrets” as passwords.  It’s a light read, only 50 or 60 pages.  I don’t really know because I didn’t want to print it and kill four trees.  Anyway, the good news is Tom Sullivan wrote up a nice, short, one-page-ish blog post about the draft from NIST.  You can find it at NIST tweaks advice on passwords, says make them easier to remember.  Thank You, Tom!  And Thank You, NIST!

Seriously though, it’s a serious issue.  We all need to take care in creating strong passwords to protect our data and that of our clients.  Here’s the short list of how best to do that according to the new NIST advice:

  1. Make it easy to remember for you; e.g., “I rode a green bike as a kid.”
  2. Make it something private, not publicly known. (Sports team names are not good passwords.)
  3. The longer the better: longer than 12 characters.  Personally, I’d make it longer than 16 if the system supports that length.
  4. Hope the developers know to have password policies that prevent bad passwords.

Here’s the summary from the document.

A.5 Summary

Length and complexity requirements beyond those recommended here significantly increase the difficulty of memorized secrets and increase user frustration. As a result, users often work around these restrictions in a way that is counterproductive. Furthermore, other mitigations such as blacklists, secure hashed storage, and rate limiting are more effective at preventing modern brute-force attacks. Therefore, no additional complexity requirements are imposed.
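As an added example (not code from the post or from NIST), here is how a developer might implement what the list above and the summary describe: a length floor instead of composition rules, a blocklist of common and publicly known values such as sports team names, and salted, iterated hashing for storage. The blocklist entries, `MIN_LENGTH`, and the function names are constructed assumptions for illustration.

```python
# Added example: a minimal password policy in the spirit of the NIST advice
# summarised above (length over complexity, blocklist, hashed storage).
# Blocklist contents and the length floor are constructed for illustration.
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

MIN_LENGTH = 12          # the post's floor; raise to 16 where the system allows it
PBKDF2_ROUNDS = 600_000  # iteration count for the stored hash

# Constructed blocklist: breached favourites plus "publicly known" words.
# A real deployment would load a large list of breached passwords instead.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "iloveyou"}
PUBLIC_WORDS = {"patriots", "yankees", "lakers", "cowboys", "redsox"}


def check_password(candidate: str) -> List[str]:
    """Return the list of policy problems; an empty list means accepted.
    No upper/lower/digit/symbol rules are applied, matching the summary."""
    problems = []
    normalized = candidate.lower().replace(" ", "")
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if normalized in BLOCKLIST:
        problems.append("appears on the blocklist of common passwords")
    if any(word in normalized for word in PUBLIC_WORDS):
        problems.append("contains a publicly known word (e.g. a sports team)")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; store the salt and digest, never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # The long memorable phrase passes; the short "complex" one and the
    # sports-team one do not, despite mixed case, digits and symbols.
    for pw in ["I rode a green bike as a kid.", "GoPatriots2024!", "Tr0ub4dor&3"]:
        print(repr(pw), check_password(pw) or "accepted")
    salt, digest = hash_password("I rode a green bike as a kid.")
    print(verify_password("I rode a green bike as a kid.", salt, digest))
```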

And you thought all your tax dollars were going to waste! 🙂
