“Strong” Password Follies

You may have seen this already, but if not, brace yourself:  everything you’ve been told about creating “strong” passwords has turned out to be wrong — or at least misguided.

Meet Bill Burr.  In 2003, he was a mid-level manager at the National Institute of Standards and Technology who was asked to create guidance on the development of computer passwords.  Burr then authored an eight-page manifesto, enticingly called “NIST Special Publication 800-63, Appendix A,” that articulated two by-now familiar rules that have frustrated computer users ever since.  First, you’re supposed to come up with passwords that feature both capital and lower case letters, numerals, and characters — so instead of a password like “Tubesteak” you’d have a “strong” password like “TubesTeak$123.”  And second, you need to change your password every 90 days.  Special Publication 800-63 quickly became a kind of bible for the IT geeks and was widely adopted by the large companies and organizations that employ us, causing us to need to develop new, creatively configured passwords on a regular basis.

So, what’s the problem?  Isn’t computer data security worth the hassle of occasional password changes that use the 800-63 rules to strengthen our defense against soulless computer hackers?

Perhaps it would be . . . except that Mr. Burr really didn’t figure human nature into his “strong” password analysis.  It turns out that people are pretty unimaginative when it comes to password development, so they end up using predictable approaches to their SP 800-63 compliant passwords, by substituting numbers or characters for the letters they resemble.  And people are forgetful, don’t easily remember their passwords, and don’t want to be locked out of their systems due to a memory failure, so they write their passwords down, which just increases the security risk.  And, finally, hackers are clever, and can come up with software that anticipates the predictable rules people use to create those “strong” passwords.  All of which means that the annoying NIST 800-63 rules lead people to create passwords that really aren’t that “strong” after all.

Mr. Burr concedes defeat, and says:  “Much of what I did I now regret.”  And NIST has come out with new guidance that encourages users to pick a string of random words and only change them in the event of a data breach.  (Of course, IT departments being what they are, it may take a while for the new rules to supplant the old.)
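The two paragraphs above make a concrete claim: a dictionary word dressed up with look-alike substitutions and a number is far more guessable than a handful of genuinely random words, and the revised guidance (length plus a blocklist of known-bad passwords, no composition or rotation rules) is the better policy. The script below is an added illustration, not code from the post or from NIST. It undoes the usual substitutions before checking a candidate against a blocklist, applies the revised guidance's 8-to-64-character bounds, and puts rough bit counts on the two approaches. The blocklist, the 16-word list, the substitution table and the sample passwords are all constructed for the example; the 7776 figure is the size of a standard Diceware-style word list and is used here only as an assumed comparison point.

```python
import math
import re
import secrets

# Look-alike substitutions people use to satisfy "add a number or symbol" rules.
# Constructed for this example; real strength meters carry larger tables.
LEET = {"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
        "0": "o", "$": "s", "5": "s", "7": "t", "+": "t"}
TO_LETTER = str.maketrans(LEET)
# Reverse view: for each letter, the look-alikes that can stand in for it.
LOOKALIKES = {}
for sym, letter in LEET.items():
    LOOKALIKES.setdefault(letter, set()).add(sym)

# Constructed stand-in for a real blocklist of breached or commonly used passwords.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "welcome", "tubesteak"}

# Constructed 16-word list; a real Diceware-style list has 7776 words.
WORDLIST = ["anchor", "basil", "cobalt", "drift", "ember", "falcon", "granite", "harbor",
            "ivory", "juniper", "kelp", "lantern", "marble", "nectar", "orbit", "pepper"]


def normalize(password: str) -> str:
    """Undo the predictable tricks: lower-case, drop leading/trailing digits and
    symbols (the "$123" suffix), then map look-alike characters back to letters."""
    base = password.lower()
    base = re.sub(r"^[^a-z]+|[^a-z]+$", "", base)
    return base.translate(TO_LETTER)


def check_password(password: str, blocklist=BLOCKLIST) -> tuple[bool, str]:
    """SP 800-63B-style acceptance: 8 to 64 characters, rejected if it (or its
    normalized form) is on the blocklist; no composition or rotation rules."""
    if len(password) < 8:
        return False, "shorter than 8 characters"
    if len(password) > 64:
        return False, "longer than 64 characters"
    if password.lower() in blocklist or normalize(password) in blocklist:
        return False, "matches a blocked or common password after undoing substitutions"
    return True, "accepted"


def substitution_space_bits(word: str, suffix_digits: int = 3) -> float:
    """Upper bound (in bits) on the variants of one base word produced by the
    substitution habit: each letter upper/lower case or one of its look-alikes,
    plus a numeric suffix of up to suffix_digits digits. Case is counted even at
    substituted positions, so this slightly overstates the space."""
    variants = 1
    for ch in word.lower():
        variants *= 1 + len(LOOKALIKES.get(ch, ()))
    variants *= 2 ** len(word)
    variants *= 10 ** suffix_digits
    return math.log2(variants)


def passphrase_entropy_bits(n_words: int, list_size: int) -> float:
    """Entropy of n words drawn uniformly at random from a list of list_size words."""
    return n_words * math.log2(list_size)


def generate_passphrase(n_words: int = 4, wordlist=WORDLIST) -> str:
    """Pick words with the secrets module (a CSPRNG), never random.choice."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    for pw in ["TubesTeak$123", "P@ssw0rd1", generate_passphrase()]:
        print(f"{pw!r:35} -> {check_password(pw)}")
    print(f"'tubesteak' with substitutions + 3 digits: "
          f"{substitution_space_bits('tubesteak'):.1f} bits")
    print(f"4 random words from a 7776-word list:      "
          f"{passphrase_entropy_bits(4, 7776):.1f} bits")
```

The point of the numbers is the gap: every variant of one nine-letter word with substitutions and a trailing number fits in about 27 bits, whereas four words chosen at random from a 7776-word list carry about 52 bits, and the passphrase is the one a person can actually remember. The blocklist comparison runs on the normalized form, so “P@ssw0rd1” is rejected as “password” rather than waved through because it contains a symbol and a digit.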

Who knows?  Maybe people will decide to use curious conventions, like the process you’re supposed to use to develop your “porn actor” name, to create passwords.  That naming convention says you combine the name of your first pet with the name of the street you lived on in grade school to come up with your “porn actor” name.

That would make me “GeorgeOrlando,” which wouldn’t be a bad password.  I can almost hear Allen Ludden whispering it now.

Password Obscenity Roulette

Hacking hackers are everywhere these days, and all at once.  For the IT guys amongst us, that means tinkering with firewalls and new defensive software and systems vulnerability checks and incident response plans and all of the other technical gibberish that makes IT guys boring death at a party.  For the rest of us, we can only groan in grim anticipation, because we know that we’re going to be asked to change our password . . . again.

One of the great challenges of modern life is remembering all of the different “passwords” that we must inevitably use to access our various electronic devices and internet accounts and computer access points.  Unfortunately, we can’t use passwords like Allen Ludden would recognize. In fact, they can’t be a properly spelled word at all.  So that it’s a “strong” password, it’s got to include a weird combination of capitalized and lower case letters, numbers substituting for letters, and random characters, like ampersands and pound signs and question marks.  The result often looks like the sanitized representation of cursing that you might see from the Sarge in a Beetle Bailey cartoon — minus only the lightning bolts.  (@#%*$^@#!)  In a way, that’s pretty appropriate.

Of course, all of these suB5t!tu+ed characters, plus the fact that you need different passwords for different devices and accounts, plus the fact that passwords now must be changed much more frequently, make it impossible for the average human being to remember the passwords in the first place.  How many of us sit down at a computer or pick up our tablet and idly wonder for a moment what the &*%$# the password is?  And there’s the new year/check writing phenomenon to deal with, too.  When a new year comes, how long does it take you to stop automatically writing the old year in the date, because you’d been doing that for the past 346 days?  I had to change my iPhone password several weeks ago, and I still reflexively type in the old password every time I’m prompted, until I dimly realize that I’ve changed it and it’s time to key in the new one — if I can remember it.

There’s a positive aspect to this.  We’re all getting older, and people who deal with aging say that if you want to stay mentally sharp as the joints creak and the brain cells croak you need to play word games or solve puzzles.  Well, this generation has got that covered.  We don’t need silly games, because we’ve got frustrating passwords.


The Password Is . . .

Webner House readers of a certain age will recall the TV game show Password.  Hosted by Allen Ludden, the show featured contestants teamed with celebrities — one of whom always seemed to be Ludden’s wife, Betty White — who then had to get their teammates to say the “password” without saying the word itself.  The password always was disclosed to the TV audience by the breathlessly whispered phrase:  “The password is . . . .”

From my vantage point in one of the office buildings in Cleveland, I look out over partially frozen Lake Erie to the power plant in the distance, with condensation and smoke billowing from the smokestack, pushed by a stiff breeze and starkly visible against the cloudy gray sky, and I think:  “The password is . . . tundra.”  Or:  “The password is . . . frigid.”  Or:  “The password is [insert your choice of word depicting deep, bone-chilling cold].”