There are two key changes small business owners need to be aware of.
The National Institute of Standards and Technology’s (NIST) thorough rewrite of password standards turns some basic rules upside down.
Since 2003 users have had to memorize strange combinations of letters, numbers and special characters that were supposed to be changed periodically. The new standards rescind all that and recommend long, easy-to-remember phrases with no forced change interval. Most companies and users should adopt the new standards as soon as possible.
The conventions we currently use for passwords were created in 2003 by a mid-level manager at NIST and were first published in an eight-page primer called “NIST Special Publication 800-63, Appendix A”.
This document has been the accepted gospel around the world for the correct way to address password creation, naming conventions, and change frequency. Whatever variant your firm works with today, odds are it is a derivative of the original guidelines.
Unfortunately, the author of the guidelines had no empirical data to work with – no one would share their password information. Go figure. So he created the standards based on a whitepaper written in the mid-1980s when computer access and passwords were limited to the few technically savvy individuals in academia, big business, and government.
In June of this year the Special Publication got a total rewrite, discarding key commandments that audit and security personnel take as an article of faith. The good news is that the new rules are easier to live with than the original set. The new Digital Identity Guidelines can be found here.
What Are the Key Changes?
There are two key changes to the rules: hard-to-remember alphanumeric combinations with (or without) special characters have been replaced by long, easy-to-remember phrases, and the advice to expire passwords periodically has been dropped.
According to academics who study passwords, a series of four words can be harder to break than a shorter, meaningless jumble of characters. To that point, cartoonist Randall Munroe calculated that it would take 550 years to crack the password “correct horse battery staple”, whereas the password Tr0ub4dor&3 could be cracked in 3 days.
Computer security specialists have verified his calculations. (The cartoon is below.)
The automatic password expiration date never made total sense.
If one has a great password that has not been compromised, then why change it? I mean, what are the odds the new one is any better and would not be hacked sooner?
There is some logic to it, and it does make sense for certain individuals and companies that are natural targets for attack, but for most individuals it really had no value.
Plus, if one combines this with the switch to four-word passphrases, which are virtually unbreakable today, then the password should not require changing unless there is an indication that it has been stolen.
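The two comparisons behind this section, the cartoon's 550-years-versus-3-days arithmetic and the difference between the old composition rules and the new length-based check, can be made concrete in a few lines. The following is an added example, not code from the article or from NIST. It assumes the cartoon's own figures (words drawn from a 2048-word list, so 11 bits per word and 44 bits for four words; roughly 28 bits for the Tr0ub4dor&3 pattern; an attacker limited to 1000 guesses per second by a rate-limited login). The blocklist is a constructed stand-in for the list of breached and common passwords that SP 800-63B requires verifiers to check against, and the 8-character minimum and 64-character ceiling follow that publication.

```python
"""Passphrase entropy versus composition rules, in the spirit of the NIST rewrite.

Added example. The word-list size (2048 words, 11 bits per word) and the guess
rate (1000 guesses per second, an online attack against a rate-limited service)
are the assumptions behind the cartoon's 550-years-versus-3-days comparison;
the blocklist below is a constructed stand-in for a real breached-password list.
"""
import math

WORDLIST_SIZE = 2048          # assumed: words drawn uniformly from a 2048-word list
GUESSES_PER_SECOND = 1000     # assumed: online guessing against a throttled login
SECONDS_PER_DAY = 24 * 3600
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY

# Constructed stand-in for a breached/common-password blocklist. SP 800-63B
# requires candidates to be checked against such a list. Entries are lower-cased.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "tr0ub4dor&3"}


def passphrase_entropy_bits(num_words, wordlist_size=WORDLIST_SIZE):
    """Entropy of num_words words chosen uniformly at random from the list."""
    return num_words * math.log2(wordlist_size)


def exhaustive_search_seconds(entropy_bits, guesses_per_second=GUESSES_PER_SECOND):
    """Time to try every value in a keyspace of 2**entropy_bits at the given rate."""
    return 2 ** entropy_bits / guesses_per_second


def meets_legacy_composition_rules(pw):
    """The rule set the article describes as rescinded: at least 8 characters and
    at least one upper-case letter, lower-case letter, digit and special character."""
    return (
        len(pw) >= 8
        and any(c.isupper() for c in pw)
        and any(c.islower() for c in pw)
        and any(c.isdigit() for c in pw)
        and any(not c.isalnum() for c in pw)
    )


def meets_length_and_blocklist_rules(pw, blocklist=BLOCKLIST, min_length=8, max_length=64):
    """SP 800-63B-style verifier check: at least 8 characters, a ceiling of at least
    64 characters, no composition rules, and rejection of blocklisted values."""
    if not min_length <= len(pw) <= max_length:
        return False
    return pw.lower() not in blocklist


def compare_policies(pw):
    """Return (legacy_ok, new_ok) for one candidate password."""
    return meets_legacy_composition_rules(pw), meets_length_and_blocklist_rules(pw)


if __name__ == "__main__":
    bits_phrase = passphrase_entropy_bits(4)   # 44 bits for four words
    bits_jumble = 28                           # the cartoon's estimate for Tr0ub4dor&3
    print(f"four-word passphrase: {bits_phrase:.0f} bits, "
          f"{exhaustive_search_seconds(bits_phrase) / SECONDS_PER_YEAR:.0f} years at 1000 guesses/s")
    print(f"Tr0ub4dor&3 pattern:  {bits_jumble} bits, "
          f"{exhaustive_search_seconds(bits_jumble) / SECONDS_PER_DAY:.1f} days at 1000 guesses/s")
    for candidate in ("correct horse battery staple", "Tr0ub4dor&3"):
        legacy_ok, new_ok = compare_policies(candidate)
        print(f"{candidate!r}: legacy rules={'pass' if legacy_ok else 'fail'}, "
              f"length+blocklist={'pass' if new_ok else 'fail'}")
```

Run as a script, it reports roughly 557 years for the passphrase and about 3.1 days for the 28-bit pattern, and shows the reversal the article is getting at: the legacy composition rules reject the four-word passphrase (no upper-case letter, digit or symbol) but accept Tr0ub4dor&3, while the length-plus-blocklist check accepts the passphrase and rejects the well-known pattern. Nothing in the new check asks how old the password is; under the rewrite the trigger for a change is evidence of compromise, which belongs in incident handling rather than in the verifier.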