“Strong” Password Follies

You may have seen this already, but if not, brace yourself:  everything you’ve been told about creating “strong” passwords has turned out to be wrong — or at least misguided.

Meet Bill Burr.  In 2003, he was a mid-level manager at the National Institute of Standards and Technology who was asked to create guidance on the development of computer passwords.  Burr then authored an eight-page manifesto, enticingly called “NIST Special Publication 800-63, Appendix A,” that articulated two by-now familiar rules that have frustrated computer users ever since.  First, you’re supposed to come up with passwords that feature both capital and lower case letters, numerals, and characters — so instead of a password like “Tubesteak” you’d have a “strong” password like “TubesTeak$123.”  And second, you need to change your password every 90 days.  Special Publication 800-63 quickly became a kind of bible for the IT geeks and was widely adopted by the large companies and organizations that employ us, causing us to need to develop new, creatively configured passwords on a regular basis.

51juanfwf9l-_sy445_So, what’s the problem?  Isn’t computer data security worth the hassle of occasional password changes that use the 800-63 rules to strengthen our defense against soulless computer hackers?

Perhaps it would be . . . except that Mr. Burr really didn’t figure human nature into his “strong” password analysis.  It turns out that people are pretty unimaginative when it comes to password development, so they end up using predictable approaches to their SP 800-63 compliant passwords, by substituting numbers or characters for the letters they resemble.  And people are forgetful, don’t easily remember their passwords, and don’t want to to be locked out of their systems due to a memory failure, so they write their passwords down, which just increases the security risk.  And, finally, hackers are clever, and can come up with software that anticipate the predictable rules people use to create those “strong” passwords.  All of  which means that the annoying NIST 800-63 rules lead people to create passwords that really aren’t that “strong” after all.

Mr. Burr concedes defeat, and says:  “Much of what I did I now regret.”  And NIST has come out with new guidance that encourages users to pick a string of random words and only change them in the event of a data breach.  (Of course, IT departments being what they are, it may take a while for the new rules to supplant the old.)

Who knows?  Maybe people will decide to use curious conventions, like the process you’re supposed to us to develop your “porn actor” name, to create passwords.  That naming convention says you combine the name of your first pet with the name of the street you lived on in grade school to come up with your “porn actor” name.

That would make me “GeorgeOrlando,” which wouldn’t be a bad password.  I can almost hear Allen Ludden whispering it now.

The Password Is . . .

IMG_2954Webner House readers of a certain age will recall the TV game show Password.  Hosted by Allen Ludden, the show featured contestants teamed with celebrities — one of whom always seemed to be Ludden’s wife, Betty White — who then had to get their teammates to say the “password” without saying the word itself.  The password always was disclosed to the TV audience by the breathlessly whispered phrase:  “The password is . . . .”

From my vantage point in one of the office buildings in Cleveland, I look out over partially frozen Lake Erie to the power plant in the distance, with condensation and smoke billowing from the smokestack, pushed by a stiff breeze and starkly visible against the cloudy gray sky, and I think:  “The password is . . . tundra.”  Or:  “The password is . . . frigid.”  Or:  “The password is [insert your choice of word depicting deep, bone-chilling cold].”