There are times when you just know something is not right, but convincing the rest of the world can take some time. For example, the innovation–ahem, insanity–that has become the norm for password conventions.
I’ve often wondered if the people who come up with the ridiculous lists of password requirements are trying to exact vengeance on the world for some horrible childhood trauma they suffered.
Here’s a magnificent example of one of those lists, taken directly off of the Attorney General of Texas Child Support site (No, I’m not paying child support in Texas.)
1. The password must be exactly 8 characters long.
2. It must contain at least one letter, one number, and one of the following special characters.
3. The only special characters allowed are: @ # $
4. A special character must not be located in the first or last position.
5. Two of the same characters sitting next to each other are considered to be a “set.” No “sets” are allowed. Example: rr, tt
6. Avoid using names, such as your name, user ID, or the name of your company or employer.
7. Other words that cannot be used are Texas, child, and the months of the year.
8. A new password cannot be too similar to the previous password.
9. Example: previous password – abc#1234; unacceptable new password – acb$1243
10. Characters in the first, second, and third positions cannot be identical. (abc*****)
11. Characters in the second, third, and fourth positions cannot be identical. (*bc#****)
12. Characters in the sixth, seventh, and eighth positions cannot be identical. (*****234)
13. The previous 8 passwords cannot be reused.
For those of you who, like me, have been driven b*t$h1t crazy by password requirements, such as these, I’ve got great news. You’ve been vindicated! According to an article in the Wall Street Journal Bill Burr at the National Institute of Standards, who in 2003 originally made the recommendation on which much of this is based, told the Journal, “Much of what I did I now regret.”
After years of cursing at the cyber lords it would be nice to have someone to blame. However, it really wasn’t Burr’s fault. According to how Burr recounts it in the article, at the time there wasn’t much, if anything, for him to go on. In fact the computer administrators at NIST pretty much shut him down cold when he asked to see their passwords so he could get some idea of what they were using.
Without any data about the current state of affairs Burr turned to a 1980 (yes, that’s not only pre Internet but pre-PC) white paper which he used to come up with his recommendations.
Burr’s suggested password requirements, which included the use of capitals, numbers, and special characters, soon found their way into every nook and cranny of the Internet. And you and I have since cursed the insanity of it all on a daily basis.
NIST has rewritten the recommendations with a startling and very human-centric finding; the best password is a long memorable phrase of three words or more. For example, “puppies running on the beach.” Now, seriously, how could you ever forget that?
As it turns out, according to a a comic referenced in the article, a 44 letter lower case phrase of four words takes five millennia to crack versus only three days for a 28 character random string of letters, numbers, and special characters–never mind that you need a photographic memory to remember the latter.
Oh, and there’s one more thing; you know that requirement to change your password every 30/60/90 days? Yup, it’s wrong too.
So, to all of you who knew in your gut that there had to be a better way, you were right.