How many passwords do you have? Do you struggle to come up with a new password for each new account? Does the whole process drive you crazy? NIST offers a better way to make logging into your accounts easier.
The National Institute for Standards and Technology advises: Use passphrases. NIST advises not to use passwords at all, and if you do, don't rely on passwords, or even passphrases, alone.
This is because NIST concluded that complex password rules actually drive us to create predictable, easy-to-guess passwords (“password1!” anyone?) or we find other ways to make things easier, such as reusing passwords across sites or saving them in spreadsheets, or worse still, sticky notes. In essence, all those rules (14-character or more passwords, no repeating characters, lowercase, uppercase, etc.) make it easier for hackers, and harder — and less secure — for us.
A better way
This summer, after a rigorous process with continual collaboration from government and industry, NIST released an update to Special Publication (SP) 800-63 to address the many changes that digital identity has undergone during that document's decade of existence. You can read more about that groundbreaking process here.
The aim was to give users guidance that would help them come up with passwords that were easy for them to remember but hard for attackers to compromise. While the math of what makes a strong password hasn’t changed in theory, data from the past several years has revealed much about how people think about and manage computer security. It was these human factors that served as the foundation for NIST’s following recommendations.
Use your powers of association
It has to do with how we remember. Humans are not very good at memorization. We're much better at remembering by association. NIST offers a simple example: Is it easier to remember the 20th letter of the alphabet or the letter that comes after “s”? As children, we didn't learn to associate a letter with the number of its corresponding place in the alphabet. What most of us learned was the alphabet song. The song helped us build associations between one letter and the next, with the result being that now we couldn’t forget our ABCs if we wanted to. Similarly, most of us recite the months of the year and the numbers of the decimal numeral system in sequential order — the way we learned them in school.
With a password composed of a random set of characters, there is, by definition, no association between one character and the next. Since “x” doesn't have a natural association with “&,” it's harder for us to memorize them, NIST says.
Instead, we should use passphrases. Passphrases recognize things that we know are paired, like the letters in a word. Our brains are so good at recognizing groups of letters that form words that we don't even process the letters individually. If you look at the word “tent,” you don't say to yourself, “t-e-n-t, oh that's tent!” Your brain simply recognizes the word as a single image and converts it into a real-life image of the thing it represents — the classic green tent with flaps with spikes and ropes to tie it down.
The ability to convert characters to words and words to images is the basis of forming a strong passphrase unique to you.
For password purposes, memorizing an entire word is no harder than memorizing a single letter. But we don't want to just replace 12-character passwords with 12-word passphrases. Instead, choosing just a handful of normal words or phrases can work, as long as whatever associates those words in your mind are known only to you.
Examples of bad passphrases: The names of your kids, pets or favorite sports team.
Instead, passphrases should be word associations that can go together in your head, but no one else would ever suspect. An example could be items associated in a particular room in your house or words associated with activities you enjoy. For example: “mud, hike, tent, fish.”
Even if a hacker knew your favorite activities, he or she would need to guess which of the thousands of nouns and verbs you picked. So, from a hacker's perspective, it really is a random selection of words.
Picture an image
In short, make your passphrase create an image in your head. So using the example above you might create the image of your favorite campsite with pine trees, hiking trails and a lake.
Compared to a password, like “uE*s3P%8V)”, it’s evident that passphrases can improve usability. But are they better for security?
A passphrase unique to you is decidedly stronger than a 10-character password made of a muddle of letters, numbers and symbols.
The basic idea is that, once you've put hackers in the position of having to guess, you want them to have to make as many guesses as possible. At some point, it's costly enough — in time or computing power — that the hacker will likely give up, or not even bother in the first place.
Depending on which special characters you choose and a few other factors, the random 10-character password would have something like 65 bits of entropy, a measure of its strength. For the passphrase, even if the hacker knows there are exactly six English words of 5 to 11 letters each, and given the average American has a vocabulary of about 19,000 such words, the passphrase would have about 85 bits of entropy, according to NIST.
Entropy relates to the required number of guesses and shows that it would take about 1,050,000 times more effort to crack the passphrase — that's over 1 million times stronger — 1 million times longer guessing time to crack, NIST explained.
In the end, NIST warns that passwords and passphrases are both pretty bad for security. But we still live in an online environment driven by passwords. They are static and knowable, meaning they are stored somewhere. If they’re stored somewhere, they can be stolen, and if they're stolen, they can be used by a hacker. Passphrases are harder to guess, and we continue to make them harder to steal, but, by their very nature, neither passwords nor passphrases will ever be good enough to protect sensitive accounts on their own, NIST advises.
So, even though NIST’s new guidance should enable more usable and more secure passphrases, we still need to rely on something other than passphrases alone. Bottom line: turn on multi-factor authentication to protect your personal information!
Increasingly, there are technologies emerging that enable password-less login while appropriately mitigating risk. Some of NIST’s largest industry partners are moving in this direction already. One day we'll finally move beyond the password. But getting there takes time and we can't let the promise of tomorrow keep us from making strides today, NIST cautions.
BLUF: Turn on multi-factor authentication, create passphrases instead of passwords, and see how combining the two can make your life easier and more secure.
Read about the updated NIST SP 800-63, Digital Identity Guidelines, here and here.