Ken's Korner Newsletter
September 2017
Secure Passwords?

Everything you think you know about Strong Passwords is Wrong!

You have probably heard this before: a strong password has at least eight characters, with numbers, special characters, upper case and lower case letters arranged in some nonsensical order, and you should change it every ninety days. This has been the standard for passwords for over a decade, but the man who perpetrated this idea has a new message: N3v$r Ml^d (that’s Never Mind).

Only you can prevent weak passwords!
So why has the man who wrote the book on password management changed his mind?

In 2003 William Burr was a manager at the National Institute of Standards and Technology (NIST). He was tasked with creating rules for passwords. He wanted them to be based on research, but at the time he had no empirical data on computer password security, so he turned to a whitepaper from the 1980s. The result was NIST Special Publication 800-63. In a recent interview with The Wall Street Journal the retired 72-year-old admitted that “much of what I did I now regret”.

This has resulted in passwords that are hard to remember but rather easy to hack. It has also been shown that when you require people to keep changing their passwords, they tend to come up with less secure ones and change them in ways that a hacker could easily guess.

In organizations that require complex passwords that age and must be changed, you can often find passwords on sticky notes on the desktop or monitor. In one case a woman wore her password upside down on her dress! The administrators of these systems spend a lot of time resolving password issues. It is not a serious impediment to the hackers, but a major pain in the @$$ to the people who are supposed to be using the system.

In a rather whimsical illustration by Randall Munroe (https://xkcd.com/936/) we see that the password Tr0ub4dor&3 would take about three days to “hack”, while the pass phrase “correct horse battery staple” would take about 550 years. These results vary depending on the type of “hacking” used, but you are much safer with a simple pass phrase than with a complex password.

In June 2017 NIST issued a revision of that document (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-3.pdf). NIST now recommends long, easy-to-remember phrases and changing them only “if there is a sign they may have been stolen”.

Let's try not to be too obvious here.

SplashData has released the 2015 version of its Worst Passwords List. Here are the top ten worst passwords:

  1. 123456
  2. password
  3. 123454678
  4. qwerty
  5. 12345
  6. 123456789
  7. football
  8. 1234
  9. 1234567
  10. baseball

If you are thinking of changing your password, DON’T USE one of these. If you are adding characters to your password to make it longer but they are based on simple patterns, you are still just as much at risk. Using common sports or pop culture terms is also a bad idea.
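
As an added example (not code from the newsletter, NIST or xkcd), here is the arithmetic behind Munroe's comparison and the "don't use one of these" advice, carried into a small check: passphrase entropy and search time under the comic's assumptions (a 2048-word list and 1000 guesses per second), plus a NIST-style acceptance rule that rejects short or commonly used passwords, including leet-spelled variants like P@ssw0rd, with no composition or expiry rules. The blocklist is a constructed sample drawn from the list above; a real deployment would load a much larger one.

```python
import math
import re

# Constructed sample blocklist: a few entries from the SplashData list above.
BLOCKLIST = {"123456", "password", "qwerty", "12345", "123456789",
             "football", "1234", "1234567", "baseball"}

# Common "leet" substitutions, undone so P@ssw0rd still matches "password".
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def normalize(password: str) -> str:
    """Lower-case and undo leet substitutions before a blocklist lookup."""
    return password.lower().translate(LEET)


def passphrase_entropy_bits(words: int, dictionary_size: int) -> float:
    """Entropy of `words` words drawn uniformly from `dictionary_size` words.
    xkcd's case: 4 words from 2048 -> 44 bits."""
    return words * math.log2(dictionary_size)


def crack_time_years(entropy_bits: float, guesses_per_second: float) -> float:
    """Years to search the whole space at a given guess rate (xkcd's model:
    28 bits at 1000/s is about 3 days, 44 bits about 550 years)."""
    return 2 ** entropy_bits / guesses_per_second / (365 * 24 * 3600)


def check_password(password: str, min_length: int = 8) -> list[str]:
    """Return the reasons a password fails NIST-style checks (empty = accepted).
    Length and blocklist only: no digit/symbol requirements, no expiry."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    # Check the raw lower-cased form too: normalize() rewrites digit-only
    # passwords such as 123456, which would otherwise slip past the list.
    if password.lower() in BLOCKLIST or normalize(password) in BLOCKLIST:
        problems.append("matches a commonly used password")
    if re.fullmatch(r"(.)\1*", password):
        problems.append("single repeated character")
    digits = "0123456789"
    if password.isdigit() and password in digits * 2:  # ascending runs, e.g. 1234567
        problems.append("sequential digits")
    return problems
```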

Another key point is to use different pass phrases for different applications. Do not use the same pass phrase or password at the bank, the grocery store, the doctor’s office, your favorite porno site and your music sharing site.

Research from Microsoft concluded that, despite their many inadequacies, password strength meters do lead to stronger passwords. You can test the strength of your password with one (or more) of the on-line testing websites.

Here are a few you can try:

The results may not be entirely accurate but probably close enough. If the phrase, “Into the great beyond” only takes 38 quadrillion years to crack instead of 41 quadrillion years that’s probably strong enough.

And remember always back it up!

Copyright © 2017. All Rights Reserved.