
Posted in: Privacy | Data Protection | Data Security/Privacy | Security | password | passphrase | NIST 800-63-3 | NIST 800-63B

Oct 18, 2016

Password Misery!

By Donald B. Johnston

We all hate passwords. Anyone who says s/he doesn't is fibbing.

I had an experience recently, while at the International Bar Association conference in Washington, that renewed my hatred for passwords. The word "hatred" is inadequate to express how I actually feel about passwords - it's more like the white-hot radiation of a million simultaneous supernovas.

I was in Washington doing a public presentation, and my notes were on my smartphone. What I didn't know was that our IT guys - God love 'em - changed our firm's password policy without notice and rolled it out just before my presentation. Of course they did. So, right in the middle of my presentation, when I wanted to access my notes, I got a message that told me it's time to change my password.

At this point I'm somewhere between gruntled and disgruntled, but I typed in a new password - twice - as instructed, expecting to access my notes.

But that was not to be. No. The password I had chosen was apparently no good, because it didn't have at least 8 characters. So I tried it again, but then I got a new message: it didn't have a capital letter, a number and a "special" character.

When you've got thumbs like mine, all characters are special - but I digress.

Anyway, I managed to put in a compliant password, twice, while my audience bemusedly looked on, and got my notes. I finished my presentation to a positive frenzy of enthusiastic snoring.

But what do you think happened when I tried to access my smartphone later on?

Of course you know. I couldn't get in.

For some reason, in the middle of my presentation, I must have made the same error twice. My smartphone, thinking (after a few erroneous attempts at logging in) that it was being hacked, finally erased itself, immolating my data, including all my messages and plane tickets and so on.

It was lovely. Words cannot express the transports of pure joy with which I was seized.

Which brings me to what I really wanted to talk about, and that is the latest in password advice from the U.S. National Institute of Standards and Technology (NIST), enshrined in Special Publication 800-63-3 (Digital Authentication Guideline) and 800-63B (Authentication and Lifecycle Management). The documents are still in draft form now, but they read very well. You can get the password advice here.

Essentially, what the draft guidelines say about passwords (which NIST glibly calls a Memorized Secret Authenticator) is the following:

  1. Passwords have to be at least 8 characters in length if chosen by a human being, and may be much longer if you like. In fact, if there is to be an upper limit, it has to be more than 64 characters.
  2. Or no less than 6 characters if chosen by a machine, e.g., 7*%?4T.
  3. The characters could include a space, an emoji, all ASCII characters and all UNICODE characters.
  4. There should be no password "hints". They just help hackers guess. No, the name of my first dog was NOT "Spot", it was "Schlep". And the name of my first girlfriend was not one of the girls in the high school yearbook. (I had no girlfriend, for reasons obvious to anyone who knows me well enough.)
  5. Passwords can't be on a list of previously used passwords, passwords that were subject to a previous breach, passwords that are found in a dictionary or passwords that are related to the user or the service ("donspassword" or "officeaccess").
  6. There should be a limit on the number of failed password entry attempts - then the user is locked out. (Or, as in my case, the smartphone commits suicide after 10 tries.)
  7. There should be no composition rules, such as "four numbers, three symbols, two uppercase letters and a partridge in a pear tree." Instead, people should write a unique password or passphrase that they can remember and no one else can guess. (I recommend against, "Now is the time for all good men to come to the aid of the party," but not because it's not a good phrase, rather because the party doesn't deserve the aid.)
  8. There should be no requirement to change passwords from time to time unless there is evidence of a breach. (Good news!)
  9. Stored passwords have to be "hashed" to make them resistant to hacking.
  10. Two-step (or two-factor) authentication is recommended. (A password combined with a number that constantly changes. Both have to be correct for access to be permitted.)
  11. SMS should never be used in two-step authentication, because it's unsafe.

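Here is what items 1 to 3, 5, 6 and 9 of that list look like when turned into code. This is an added illustration, not anything from NIST or the post; the blocklists, the 128-character cap and the scrypt parameters are assumptions for the example.

```python
import hashlib
import hmac
import os

# Constructed stand-ins for the blocklists item 5 requires: breached and dictionary words.
BREACHED = {"password", "123456", "qwerty", "letmein"}
DICTIONARY = {"schlep", "partridge", "sunshine"}
MAX_LENGTH = 128  # the post says any cap must exceed 64; 128 is an assumed value

def hash_password(pw: str) -> str:
    """Item 9: store a salted scrypt hash, never the password itself."""
    salt = os.urandom(16)
    key = hashlib.scrypt(pw.encode("utf-8"), salt=salt, n=2**14, r=8, p=1)
    return salt.hex() + "$" + key.hex()

def verify_password(pw: str, stored: str) -> bool:
    salt_hex, key_hex = stored.split("$")
    key = hashlib.scrypt(pw.encode("utf-8"), salt=bytes.fromhex(salt_hex), n=2**14, r=8, p=1)
    return hmac.compare_digest(key.hex(), key_hex)

def validate_password(pw, *, machine_generated=False, previous_hashes=(), context_terms=()):
    """Return the reasons for rejection (empty list = accepted).
    No composition rules are applied (item 7); spaces, emoji and any Unicode
    are fine (item 3); len() counts code points, so an emoji is one character."""
    reasons = []
    minimum = 6 if machine_generated else 8                      # items 1 and 2
    if len(pw) < minimum:
        reasons.append(f"fewer than {minimum} characters")
    if len(pw) > MAX_LENGTH:
        reasons.append(f"more than {MAX_LENGTH} characters")
    lowered = pw.lower()
    if lowered in BREACHED:                                      # item 5
        reasons.append("appeared in a breach")
    if lowered in DICTIONARY:
        reasons.append("dictionary word")
    if any(term.lower() in lowered for term in context_terms):  # "donspassword", "officeaccess"
        reasons.append("related to the user or service")
    if any(verify_password(pw, h) for h in previous_hashes):     # previously used
        reasons.append("previously used")
    return reasons

class FailedAttemptLimiter:
    """Item 6: lock the account after max_failures consecutive bad entries."""
    def __init__(self, max_failures=10):  # the post's phone wiped itself at 10
        self.max_failures, self.failures = max_failures, {}
    def record(self, user, success):
        self.failures[user] = 0 if success else self.failures.get(user, 0) + 1
        return not self.is_locked(user)
    def is_locked(self, user):
        return self.failures.get(user, 0) >= self.max_failures
```

Note that a real deployment would load the breach and dictionary lists from a corpus and, for a lockout, would throttle or alert rather than erase the device.
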
So, there you have it. I think that these new rules are pretty user-oriented and friendly, particularly because of the ability to have a long passphrase that uses spaces and because of the non-expiry policy.
