Oct 18, 2016

Password Misery!

We all hate passwords. Anyone who says s/he doesn’t is fibbing.

I had an experience recently, while at the International Bar Association conference in Washington, that renewed my hatred for passwords. The word “hatred” is inadequate to express how I actually feel about passwords – it’s more like the white-hot radiation of a million simultaneous supernovas.

I was in Washington doing a public presentation, and my notes were on my smartphone. What I didn’t know was that our IT guys – God love ‘em – changed our firm’s password policy without notice and rolled it out just before my presentation. Of course they did. So, right in the middle of my presentation, when I wanted to access my notes, I got a message that told me it’s time to change my password.

At this point I’m somewhere between gruntled and disgruntled, but I typed in a new password – twice – as instructed, expecting to access my notes.

But that was not to be. No. The password I had chosen was apparently no good, because it didn’t have at least 8 characters. So I tried it again, but then I got a new message: it didn’t have a capital letter, a number and a “special” character.

When you’ve got thumbs like mine, all characters are special – but I digress.

Anyway, I managed to put in a compliant password, twice, while my audience bemusedly looked on, and got my notes. I finished my presentation to a positive frenzy of enthusiastic snoring.

But what do you think happened when I tried to access my smartphone later on?

Of course you know. I couldn’t get in.

For some reason, in the middle of my presentation, I must have made the same error twice. My smartphone, thinking (after a few erroneous attempts at logging in) that it was being hacked, finally erased itself, immolating my data, including all my messages and plane tickets and so on.

It was lovely. Words cannot express the transports of pure joy with which I was seized.

Which brings me to what I really wanted to talk about, and that is the latest in password advice from the U.S. National Institute of Standards and Technology (NIST), enshrined in Special Publication 800-63-3 (Digital Authentication Guideline) and its companion volume 800-63B (Authentication and Lifecycle Management). The documents are still in draft form now, but they read very well. You can get the password advice here.

Essentially, what the draft guidelines say about passwords (which NIST glibly calls a Memorized Secret) is the following:

  1. Passwords chosen by a human being have to be at least 8 characters long, and may be much longer if you like. If there is an upper limit at all, the system has to allow at least 64 characters.
  2. Or no less than 6 characters if chosen by a machine, e.g., 7*%?4T.
  3. The characters can include a space, an emoji, any printable ASCII character and Unicode characters generally.
  4. There should be no password “hints”. They just help hackers guess. No, the name of my first dog was NOT “Spot”, it was “Schlep”. And the name of my first girlfriend was not one of the girls in the high school yearbook. (I had no girlfriend, for reasons obvious to anyone who knows me well enough.)
  5. Passwords can’t be on a list of passwords exposed in a previous breach, dictionary words, repetitive or sequential strings (“aaaaaa”, “1234abcd”) or words related to the user or the service (“donspassword” or “officeaccess”); the system has to check your choice against such a list and reject it.
  6. There has to be a limit on the number of failed password attempts (the draft says no more than 100 in a row), whether by slowing the attacker down or locking the account. (Or, as in my case, the smartphone commits suicide after 10 tries.)
  7. There should be no composition rules, such as “four numbers, three symbols, two uppercase letters and a partridge in a pear tree.” Instead, people should write a unique password or passphrase that they can remember and no one else can guess. (I recommend against, “Now is the time for all good men to come to the aid of the party,” but not because it’s not a good phrase, rather because the party doesn’t deserve the aid.)
  8. There should be no requirement to change passwords from time to time unless there is evidence of a breach. (Good news!)
  9. Stored passwords have to be salted and “hashed” with a deliberately slow key derivation function (the draft names PBKDF2, with at least 10,000 iterations), so that a stolen password database can’t simply be read off or cheaply cracked.
  10. Two-step (or two-factor) authentication is recommended. (A password combined with a number that constantly changes, such as one from an authenticator app or token. Both have to be correct for access to be permitted.)
  11. SMS should not be used to deliver that changing number, because a text message can be intercepted or redirected to another phone; the draft deprecates it and warns it may be disallowed in future editions.
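To make the list concrete, here is an added example (written for this page, not code from the post or from NIST) of a small verifier that follows items 1, 3, 5, 6, 7 and 9: it counts Unicode code points, applies no composition rules, rejects blacklisted, repetitive, sequential and context-specific choices, stores passwords as salted PBKDF2-HMAC-SHA256, and caps consecutive failures. The five-word blacklist, the service name “officeaccess” and the username “don” are constructed stand-ins for the example; a real deployment would load a breach corpus and a dictionary.

```python
import hashlib
import hmac
import os
import unicodedata

# Constructed stand-ins for the example: a real deployment would load a breach
# corpus and a dictionary with millions of entries, not five words.
BLACKLIST = {"password", "123456", "qwerty", "letmein", "schlep"}
SERVICE_NAME = "officeaccess"   # assumed name of the service being protected

MIN_LEN = 8          # minimum for a human-chosen password
MAX_LEN = 256        # the draft says at least 64 must be allowed; 256 is generous
ITERATIONS = 10_000  # the draft's suggested floor for PBKDF2; raise as hardware allows
SALT_BYTES = 16      # the draft requires at least 32 bits of salt; 128 bits is cheap
MAX_FAILED = 100     # the draft caps consecutive failed attempts at 100


def _normalize(password):
    # Unicode is accepted; NFKC normalization (as the draft suggests) keeps
    # an accented letter typed as one code point or as base + combining mark
    # from hashing differently.
    return unicodedata.normalize("NFKC", password)


def is_repetitive_or_sequential(pw):
    cps = [ord(c) for c in pw]
    if len(set(cps)) == 1:                      # "aaaaaaaa"
        return True
    steps = {b - a for a, b in zip(cps, cps[1:])}
    return steps in ({1}, {-1})                 # "12345678", "hgfedcba"


def check_policy(password, username):
    """Return None if the password is acceptable, otherwise the reason.

    Deliberately absent: any composition rule (uppercase, digit, symbol).
    """
    pw = _normalize(password)
    if len(pw) < MIN_LEN:          # len() counts code points, as the draft requires
        return "too short"
    if len(pw) > MAX_LEN:
        return "too long"
    low = pw.lower()
    if low in BLACKLIST:
        return "on the blacklist"
    if is_repetitive_or_sequential(low):
        return "repetitive or sequential"
    if username.lower() in low or SERVICE_NAME in low:
        return "contains username or service name"
    return None


def hash_password(password):
    """Salted PBKDF2-HMAC-SHA256; returns a self-describing string to store."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", _normalize(password).encode("utf-8"),
                             salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), dk.hex())


def verify_password(stored, candidate):
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown hash format")
    dk = hashlib.pbkdf2_hmac("sha256", _normalize(candidate).encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


class Verifier:
    """Tracks consecutive failures per account and stops answering at the cap."""

    def __init__(self):
        self.failed = {}

    def login(self, username, stored, candidate):
        if self.failed.get(username, 0) >= MAX_FAILED:
            return "locked"          # a real system would also notify the user
        if verify_password(stored, candidate):
            self.failed[username] = 0
            return "ok"
        self.failed[username] = self.failed.get(username, 0) + 1
        return "bad password"
```

Note what the policy does not do: it never asks for a capital letter, a digit or a “special” character, so “correct horse battery staple” and a phrase containing an emoji both pass, while “Password” and “12345678” fail even though a composition rule would have let the first one through.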

So, there you have it. I think that these new rules are pretty user-oriented and friendly, particularly because of the ability to have a long passphrase that uses spaces and because of the non-expiry policy.
