
Posted in: Privacy | Data Protection | Data Security/Privacy | Security | password | passphrase | NIST 800-63-3 | NIST 800-63B

Oct 18, 2016

Password Misery!

By Donald B. Johnston

We all hate passwords. Anyone who says s/he doesn't is fibbing.

I had an experience recently, while at the International Bar Association conference in Washington, that renewed my hatred for passwords. The word "hatred" is inadequate to express how I actually feel about passwords - it's more like the white-hot radiation of a million simultaneous supernovas.

I was in Washington doing a public presentation, and my notes were on my smartphone. What I didn't know was that our IT guys - God love 'em - changed our firm's password policy without notice and rolled it out just before my presentation. Of course they did. So, right in the middle of my presentation, when I wanted to access my notes, I got a message that told me it's time to change my password.

At this point I'm somewhere between gruntled and disgruntled, but I typed in a new password - twice - as instructed, expecting to access my notes.

But that was not to be. No. The password I had chosen was apparently no good, because it didn't have at least 8 characters. So I tried it again, but then I got a new message: it didn't have a capital letter, a number and a "special" character.

When you've got thumbs like mine, all characters are special - but I digress.

Anyway, I managed to put in a compliant password, twice, while my audience bemusedly looked on, and got my notes. I finished my presentation to a positive frenzy of enthusiastic snoring.

But what do you think happened when I tried to access my smartphone later on?

Of course you know. I couldn't get in.

For some reason, in the middle of my presentation, I must have made the same error twice. My smartphone, thinking (after a few erroneous attempts at logging in) that it was being hacked, finally erased itself, immolating my data, including all my messages and plane tickets and so on.

It was lovely. Words cannot express the transports of pure joy with which I was seized.

Which brings me to what I really wanted to talk about, and that is the latest in password advice from the U.S. National Institute of Standards and Technology (NIST), set out in Special Publication 800-63-3 (Digital Authentication Guideline) and its companion volume 800-63B (Authentication and Lifecycle Management). The documents are still in draft form now, but they read very well. The password advice is in the section of 800-63B on memorized secrets.

Essentially, what the draft guidelines say about passwords (which NIST glibly calls "memorized secrets") is the following:

  1. Passwords have to be at least 8 characters in length if chosen by a human being, and may be much longer if you like. In fact, if the system imposes an upper limit at all, that limit has to be at least 64 characters.
  2. Or at least 6 characters if generated by a machine, e.g., 7*%?4T.
  3. Every printing ASCII character, including the space, and every Unicode character, emoji included, has to be accepted, and each one counts as a single character toward the length.
  4. There should be no password "hints". They just help hackers guess. No, the name of my first dog was NOT "Spot", it was "Schlep". And the name of my first girlfriend was not one of the girls in the high school yearbook. (I had no girlfriend, for reasons obvious to anyone who knows me well enough.)
  5. Passwords can't be on a list of passwords exposed in a previous breach, words found in a dictionary, repetitive or sequential strings ("aaaaaaaa", "12345678"), or words related to the user or the service ("donspassword" or "officeaccess").
  6. There has to be a limit on the rate of failed password attempts: the draft allows no more than 100 consecutive failures on an account before further guesses are throttled or the account is locked. (Or, as in my case, the smartphone commits suicide after 10 tries.)
  7. There should be no composition rules, such as "four numbers, three symbols, two uppercase letters and a partridge in a pear tree." Instead, people should write a unique password or passphrase that they can remember and no one else can guess. (I recommend against "Now is the time for all good men to come to the aid of the party," but not because it's not a good phrase, rather because the party doesn't deserve the aid.)
  8. There should be no requirement to change passwords from time to time unless there is evidence of a breach. (Good news!)
  9. Stored passwords have to be salted and hashed with a deliberately slow key-derivation function (the draft names PBKDF2, with a salt of at least 32 bits and at least 10,000 iterations), so that a stolen password database can't simply be read off.
  10. Two-factor authentication is recommended, and required at the higher assurance levels: a password combined with something you have, such as a code that constantly changes. Both have to be correct for access to be permitted.
  11. SMS for two-step authentication is deprecated: still permitted in this draft, but slated for removal in future editions, because text messages can be intercepted or redirected to another phone.
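As an added example (my own code, not from the original post and not NIST's), here is how the rules above translate into a password verifier in Python: the length and blocklist checks from items 1 to 5, with deliberately no composition rule; salted, iterated PBKDF2 hashing for item 9; and a per-account consecutive-failure counter for item 6. The breach list, dictionary and account names are constructed sample data, and the iteration count and salt size are my choices above the draft's minimums.

```python
import hashlib
import hmac
import os
import unicodedata

# Constructed sample blocklists, stand-ins for a real breach corpus and dictionary.
BREACHED = {"password", "123456", "qwerty", "letmein", "iloveyou"}
DICTIONARY = {"sunshine", "dragon", "welcome", "monkey"}

MIN_LEN_HUMAN = 8            # human-chosen secret
MIN_LEN_GENERATED = 6        # machine-generated secret
MAX_LEN_FLOOR = 64           # if a verifier caps length at all, the cap must be at least this
MAX_FAILS = 100              # draft: no more than 100 consecutive failed attempts per account
PBKDF2_ITERATIONS = 100_000  # draft minimum is 10,000; this is my higher choice
SALT_BYTES = 16              # draft minimum is 32 bits; 128 bits is cheap


def is_repetitive_or_sequential(pw):
    """True for 'aaaaaaaa', '12345678', 'abcdefgh' and their reverses."""
    if len(pw) < 2:
        return False
    deltas = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return len(deltas) == 1 and abs(deltas.pop()) <= 1


def check_password(pw, username="", service="", generated=False, max_len=128):
    """Return [] if the secret is acceptable, otherwise the reasons it was rejected.

    There is no composition rule here on purpose: a long passphrase with spaces
    and no digits or symbols passes, as the NIST draft intends.
    """
    if max_len < MAX_LEN_FLOOR:
        raise ValueError("a length cap, if any, must be at least 64 characters")
    # The draft recommends NFKC or NFKD so the same secret typed on different
    # devices compares equal.
    pw = unicodedata.normalize("NFKC", pw)
    reasons = []
    min_len = MIN_LEN_GENERATED if generated else MIN_LEN_HUMAN
    if len(pw) < min_len:              # len() counts code points, so an emoji counts as one
        reasons.append(f"shorter than {min_len} characters")
    if len(pw) > max_len:
        reasons.append(f"longer than {max_len} characters")
    low = pw.lower()
    if low in BREACHED:
        reasons.append("appears in a breach corpus")
    if low in DICTIONARY:
        reasons.append("is a dictionary word")
    if is_repetitive_or_sequential(pw):
        reasons.append("is repetitive or sequential")
    for word in (username, service):   # context-specific words and derivatives
        if word and word.lower() in low:
            reasons.append(f"contains context-specific word {word!r}")
    return reasons


def hash_password(pw, salt=None):
    """Salted, iterated PBKDF2-HMAC-SHA256; returns (salt, digest) for storage."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    secret = unicodedata.normalize("NFKC", pw).encode("utf-8")
    digest = hashlib.pbkdf2_hmac("sha256", secret, salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(pw, salt, digest):
    """Constant-time comparison so timing does not leak how many bytes matched."""
    return hmac.compare_digest(hash_password(pw, salt)[1], digest)


class Throttle:
    """Per-account consecutive-failure counter: locks at MAX_FAILS, resets on success."""

    def __init__(self):
        self.failures = {}

    def attempt(self, account, ok):
        if self.failures.get(account, 0) >= MAX_FAILS:
            return "locked"
        if ok:
            self.failures[account] = 0
            return "ok"
        self.failures[account] = self.failures.get(account, 0) + 1
        return "locked" if self.failures[account] >= MAX_FAILS else "denied"


if __name__ == "__main__":
    for candidate in ["correct horse battery staple", "Tr0ub4!", "12345678", "donspassword"]:
        print(repr(candidate), check_password(candidate, username="don") or "accepted")
    salt, digest = hash_password("correct horse battery staple")
    print("verify:", verify_password("correct horse battery staple", salt, digest))
```

Note what passes and what fails: "Tr0ub4!" satisfies every old-style composition rule and is still rejected for being too short, while "correct horse battery staple" has no digit or symbol and is accepted. Item 8 needs no code at all: there is simply no expiry field.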

So, there you have it. I think that these new rules are pretty user-oriented and friendly, particularly because of the ability to have a long passphrase that uses spaces and because of the non-expiry policy.
