EPISODE 50!! AND, it's our one year anniversary. So all around a big day for the BeBizzy Break Podcast!
In this episode we talk about what NIST has recommended for a new password strategy.
BBP : Episode 50 - Change Your Passwords... Again
First of all, congratulations to Dana and her team at the North Dakota Recreation and Parks Association on their new website. We launched http://NDRPA.com earlier this week. It's a Wordpress site with a calendar, subpage navigation and more. Check it out!
Also, I rescued two websites earlier this week from hacking. I'll use this as my weekly reminder for all of you to back everything up. Websites, databases, financial information, personal photos... everything. Better to put in a little bit of prevention and spend a little bit of money now than pay a bunch of money to possibly recover (or worse, possibly NOT recover) lost data.
Back in 2003, Bill Burr (not the comedian) was a mid-level manager at NIST, the National Institute of Standards and Technology. NIST publishes standards on all sorts of things, from official weight calibration and timing to technology guidelines like passwords. In 2003, Burr published NIST Special Publication 800-63 Appendix A, which spelled out the proper guidelines for creating and managing secure passwords on websites and networks. Those guidelines are still followed today.
The standards included a long password (8-12 characters), upper and lower case alphabet characters, numbers, special characters and randomness. Sounds like every website you sign up for, doesn't it?
But now, Mr. Burr has stated that in regards to this document and policy, "Much of what I did I now regret." That's an unfair statement by Bill. Back in 2003, we didn't have much history of what computer network security was, and we definitely didn't have the case studies of what criminals and mischief-makers would do to gain access to computer networks. All of his recommendations sounded solid, and while possibly flawed, they are still in use today.
What NIST and security analysts have found, though, is that humans always find an easy way around anything tough and, frankly, secure. The requirements would allow a user to create a seemingly random password like "Pa5sW0rD". You and I both know that says "password", but the computer sees that it matches Burr's recommendations.
So, when it comes time to update the password because of time limits placed by the system administrators, or because of a data breach, instead of creating a new, secure password, we often add something simple to the old one. "Pa5sW0rD" becomes "Pa5sW0rD1", the "5" and "s" switch places, or some similar small change that is easy to remember but still meets Burr's recommendations.
Well, the hackers have also figured out our shortcuts and have built these easy switches into their password-cracking tools. And it's working.
In June 2017, NIST published a new version of NIST Special Publication 800-63, which outlines a very different recommended password architecture. What started out as a project to simply review and slightly revise Burr's policy recommendations became an eye-opening look into how users and criminals were using passwords. And the results called for a HUGE change in password policy.
Instead of a hard-to-remember, cryptic password, the new guidance recommends four or five easy-to-remember words all pressed together. This is easy for the user to remember, change and use, and tough for hackers to crack because of the password's length and randomness.
A cartoon on XKCD.com estimated that a password created using Burr's methods, "Tr0ub4dor&3" would take only three days to crack using current methods. A password of four words all mixed together would take 550 years. That password was "correcthorsebatterystaple." Which one do you think is easier to remember, and change? And if you DO need to change the password, which is now only recommended in the event of a data breach or similar event, you can swap out an entire word instead of just adding a "1" or "!" to the password.
It will be interesting to see how this is adopted and implemented across websites and networks. Most current rules require passwords, regardless of length, to contain numbers, special characters and upper/lower case, so a lot of things have to change for these guidelines to become common, but it makes sense.
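To make the two approaches concrete, here is an added Python example (my own illustration, not code from NIST, from XKCD or from this podcast). It checks "Pa5sW0rD" and "correcthorsebatterystaple" against an old-style composition rule set and against a 2017-style check that drops composition rules, enforces a minimum length and rejects passwords that are (or are trivially mangled versions of) known-compromised passwords. It then reproduces the comic's entropy arithmetic: four words drawn at random from a 2048-word list give 44 bits, which at the comic's assumed 1000 guesses per second takes roughly 550 years to exhaust, versus about three days for 28 bits. The composition rules, the leet-speak undo table and the short breached-password list are all assumptions constructed for the example; a real deployment would use a full breach corpus and wordlist.

```python
import math
import re
import secrets

# Constructed sample of common / previously breached passwords.
# Assumption: a real check would use a full breach corpus, not six entries.
COMMON_PASSWORDS = {"password", "qwerty", "letmein", "welcome", "iloveyou", "monkey"}

# Assumption: undo the handful of substitutions people reach for ("Pa5sW0rD").
_LEET = str.maketrans("0134@$5", "oleaass")

# Constructed wordlist; real passphrase lists have 2048 words or more.
WORDLIST = ["correct", "horse", "battery", "staple", "river", "candle", "orbit", "garden"]


def passes_composition_rules(pw: str) -> bool:
    """Old-style rule set (assumption: 8-12 characters and at least three of the
    four character classes, a common reading of the 2003-era guidance)."""
    if not 8 <= len(pw) <= 12:
        return False
    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ]
    return sum(classes) >= 3


def normalize(pw: str) -> str:
    """Strip the trailing '1' or '!' people append, lower-case, undo leet-speak."""
    stripped = re.sub(r"[\d!@#$%^&*]+$", "", pw)
    return stripped.lower().translate(_LEET)


def passes_nist_2017(pw: str) -> bool:
    """2017-style check: minimum length of 8, no composition rules, reject
    anything that is a known-compromised password or a mangled form of one."""
    if len(pw) < 8:
        return False
    return pw.lower() not in COMMON_PASSWORDS and normalize(pw) not in COMMON_PASSWORDS


def passphrase_entropy_bits(n_words: int, wordlist_size: int) -> float:
    """Entropy of n_words chosen uniformly at random from a list of wordlist_size."""
    return n_words * math.log2(wordlist_size)


def years_to_exhaust(bits: float, guesses_per_second: float = 1000.0) -> float:
    """Time to try every possibility at a fixed guess rate (the comic assumed 1000/sec)."""
    seconds = 2 ** bits / guesses_per_second
    return seconds / (365 * 24 * 3600)


def generate_passphrase(wordlist: list, n_words: int = 4, sep: str = " ") -> str:
    """Pick words with a cryptographically secure RNG, not random.choice."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    for pw in ["Pa5sW0rD", "Pa5sW0rD1", "correcthorsebatterystaple"]:
        print(f"{pw:28} old rules: {passes_composition_rules(pw)!s:5} "
              f"2017 rules: {passes_nist_2017(pw)}")
    print(f"4 words / 2048-word list: {passphrase_entropy_bits(4, 2048):.0f} bits, "
          f"{years_to_exhaust(44):.0f} years at 1000 guesses/sec")
    print(f"28 bits: {years_to_exhaust(28) * 365:.1f} days at 1000 guesses/sec")
    print("sample passphrase:", generate_passphrase(WORDLIST))
```

Note the mirror image in the output: "Pa5sW0rD" satisfies the old composition rules yet normalizes straight back to "password" and is rejected by the 2017-style check, while "correcthorsebatterystaple" fails the old rules (too long, one character class) and passes the new ones. The tiny eight-word list here yields only 12 bits for four words; the 44-bit figure depends on drawing from a list of 2048 words with a proper random source.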