Unraveling the truth about the NIST’s new password guidelines

Is “Xr6Tn$*35QK” really a bad password? A recent article in The Wall Street Journal might lead you to think so. But a deeper look at the issue indicates otherwise.

The Journal story cites the author of NIST Special Publication 800-63. Appendix A, a document published in 2003 by the National Institute of Standards and Technology that contained detailed advice on digital identity guidelines and how to administer secure online services. That primer advised people to create passwords out of oddball combinations of upper and lowercase characters, punctuation and numbers, the thinking being that it would take a brute force cracking software too long to unscramble them to make the effort worthwhile.

The author, who has since retired, now says the advice he gave 14 years ago was based upon insufficient research and should be ignored. He recently backtracked on its 2003 guidance in a revamped set of recommendations that suggests that mixing letters and numbers provides insufficient protection.

The revised Appendix A in NIST Special Publication 800-63 explains that the effectiveness of choosing passwords “constructed using a mix of character types, such as at least one digit, uppercase letter, and symbol…is not nearly as significant as initially thought, although the impact on usability and memorability is severe.” Instead, the institute now recommends that “Users should be encouraged to make their passwords as lengthy as they want, within reason.”

But that doesn’t mean eight-character passwords can’t be just as effective as a string of unrelated words like “foamwisetortoiseignoretrucksocialcycle.” A deeper look at the NIST guidance shows that not that much has actually changed.

The real issue with password strength isn’t length. It’s human nature. And entropy. Ready for more?

Running the numbers

The revised recommendations lean heavily on a 2010 report prepared by researchers from Florida State University, Redjack LLC, and Cisco IronPort Systems. Using mathematical models that would give most of us a headache, researchers analyzed the effectiveness of actual passwords derived from several large data breaches encompassing tens of millions of examples. They found that even when users complied with instructions to create passwords mixing letters, numbers and punctuation, their choices were often easily guessable by cracking software using a dictionary of a couple of hundred thousand words.

The human nature part of the equation is that people tend to follow certain patterns when creating passwords. They typically choose one or more root words from a standard vocabulary, or common names. When asked to add special characters, they tend to make predictable substitutions, such as “@” for “a” and “!” for “l.” Because the substitutions are predictable, they can be guessed algorithmically with pretty good accuracy.

This leads to password choices like “P@$$w0rd!,” which technically conforms to the rules, but which is a terrible password. The authors are particularly critical of website password checkers, many of which would permit “P@$$w0rd!” to go through unchallenged.

They also criticize the 2003 NIST guidelines for relying upon a concept called entropy, which was outlined in a paper written by mathematician Claude E. Shannon in 1948. Khan Academy has an excellent four-minute video that explains entropy simply. It’s a mathematical principle that’s useful in cryptography and messaging, but has no value in estimating optimal password length, they say. Unfortunately, that’s how the 2003 NIST report used it.

Not a job for humans

The 2010 paper basically concludes that asking humans to create passwords is a fool’s errand. Instead, it recommends that password selection should be an interactive process in which the authentication engine on the website suggests secure alternatives to the passwords people select rather than simply issuing a set of guidelines.

It doesn’t say long passwords are better than short ones. And, in the final analysis, neither do the revised NIST guidelines. Long passwords composed of random words strung together are hard to guess because of the number of variables involved. However, short passwords consisting of random strings of alphanumeric text and characters can be just as effective. The issue isn’t length but randomness.

In a nutshell, the revised guidelines impose no additional complexity requirements but recommend that server-side processes be strengthened to propose passwords that meet statistical standards for security. They are a strong argument for the use of password managers, which generate suggested passwords using randomly selected combinations of letters, numbers and special characters and store them in an encrypted vault. Users need never worry about remembering them.

The Journal report was accurate, but perhaps a bit overly simplistic in its conclusions. There’s no need to go back and change all your passwords. If you’re using a password manager, you should be in really good shape.