Unraveling the truth about the NIST’s new password guidelines

Dec 19, 2017 | 4 min read
Application Security, Mobile Security, Network Security

tl;dr: if you’re using a password manager, you should be in really good shape.


Is “Xr6Tn$*35QK” really a bad password? A recent article in The Wall Street Journal might lead you to think so. But a deeper look at the issue indicates otherwise.

The Journal story cites the author of NIST Special Publication 800-63 Appendix A, a document published in 2003 by the National Institute of Standards and Technology that contained detailed advice on digital identity guidelines and how to administer secure online services. That primer advised people to create passwords out of oddball combinations of upper- and lowercase characters, punctuation and numbers, the thinking being that brute-force cracking software would take too long to unscramble them for the effort to be worthwhile.

The author, who has since retired, now says the advice he gave 14 years ago was based upon insufficient research and should be ignored. NIST recently backtracked on that 2003 guidance in a revamped set of recommendations, which suggests that mixing letters and numbers provides insufficient protection.

The revised Appendix A in NIST Special Publication 800-63 explains that the effectiveness of choosing passwords “constructed using a mix of character types, such as at least one digit, uppercase letter, and symbol…is not nearly as significant as initially thought, although the impact on usability and memorability is severe.” Instead, the institute now recommends that “Users should be encouraged to make their passwords as lengthy as they want, within reason.”

But that doesn’t mean eight-character passwords can’t be just as effective as a string of unrelated words like “foamwisetortoiseignoretrucksocialcycle.” A deeper look at the NIST guidance shows that not that much has actually changed.

The real issue with password strength isn’t length. It’s human nature. And entropy. Ready for more?

Running the numbers

The revised recommendations lean heavily on a 2010 report prepared by researchers from Florida State University, Redjack LLC, and Cisco IronPort Systems. Using mathematical models that would give most of us a headache, researchers analyzed the effectiveness of actual passwords derived from several large data breaches encompassing tens of millions of examples. They found that even when users complied with instructions to create passwords mixing letters, numbers and punctuation, their choices were often easily guessable by cracking software using a dictionary of a couple of hundred thousand words.

The human nature part of the equation is that people tend to follow certain patterns when creating passwords. They typically choose one or more root words from a standard vocabulary, or common names. When asked to add special characters, they tend to make predictable substitutions, such as “@” for “a” and “!” for “l.” Because the substitutions are predictable, they can be guessed algorithmically with pretty good accuracy.

This leads to password choices like “P@$$w0rd!,” which technically conforms to the rules, but which is a terrible password. The authors are particularly critical of website password checkers, many of which would permit “P@$$w0rd!” to go through unchallenged.

They also criticize the 2003 NIST guidelines for relying upon a concept called entropy, which was outlined in a paper written by mathematician Claude E. Shannon in 1948. Khan Academy has an excellent four-minute video that explains entropy simply. It’s a mathematical principle that’s useful in cryptography and messaging, but has no value in estimating optimal password length, they say. Unfortunately, that’s how the 2003 NIST report used it.

Not a job for humans

The 2010 paper basically concludes that asking humans to create passwords is a fool’s errand. Instead, it recommends that password selection should be an interactive process in which the authentication engine on the website suggests secure alternatives to the passwords people select rather than simply issuing a set of guidelines.

It doesn’t say long passwords are better than short ones. And, in the final analysis, neither do the revised NIST guidelines. Long passwords composed of random words strung together are hard to guess because of the number of variables involved. However, short passwords consisting of random strings of alphanumeric text and characters can be just as effective. The issue isn’t length but randomness.

In a nutshell, the revised guidelines impose no additional complexity requirements but recommend that server-side processes be strengthened to propose passwords that meet statistical standards for security. They are a strong argument for the use of password managers, which generate suggested passwords using randomly selected combinations of letters, numbers and special characters and store them in an encrypted vault. Users need never worry about remembering them.

The Journal report was accurate, but perhaps a bit overly simplistic in its conclusions. There’s no need to go back and change all your passwords. If you’re using a password manager, you should be in really good shape.


Darren Guccione is the CEO and co-founder of Keeper Security, the world’s most popular password manager and secure digital vault. Keeper is the first and only password management application to be preloaded with mobile operators and device manufacturers including AT&T, Orange, America Movil and HTC. Keeper has millions of consumer customers, and the business solution protects thousands of organizations worldwide.

Darren is regularly featured as a cyber-security expert in major media outlets including CBS Evening News, Fox & Friends, USA Today, ABC and Mashable. Darren was a panelist at FamilyTech Summit at CES 2017 and keynote speaker at Techweek Chicago 2015. In 2014, Keeper won the Chicago Innovation Awards and in 2016 won the Global Telecoms Business Awards with Orange for Consumer Service Innovation. Darren was recently named in the Chicago Top Tech 50 by Crain’s Chicago Business.

He started the company with extensive experience in product design, engineering and development. At Keeper, Darren leads product vision, global strategy, customer experience and business development.

Prior to Keeper, Darren served as an advisor to JiWire, now called NinthDecimal. NinthDecimal is the leading media and technology service provider for the WiFi industry. He was formerly the Chief Financial Officer and a principal shareholder of Apollo Solutions, Inc., which was acquired by CNET Networks.

He holds a Master of Science in Accountancy with Distinction from the Kellstadt School of Business at DePaul University of Chicago and a Bachelor of Science in Mechanical and Industrial Engineering from the University of Illinois at Urbana-Champaign, where he was the recipient of the Evans Scholarship and Morton Thiokol Excellence in Engineering Design Award. He was also the recipient of the Distinguished Alumnus Award presented by The Department of Industrial & Enterprise Systems Engineering. Additionally, Darren is a licensed Certified Public Accountant.

Darren is a community board member of the Chicago Entrepreneurial Center (1871) supporting the development of early stage companies and an advisor to TechStars – a Chicago-based technology incubator for innovative startups. Formerly, Darren served on the Committee of Technology Infrastructure under Mayor Richard Daley.

The opinions expressed in this blog are those of Darren Guccione and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.