How NIST Made Me Excited About New Password Rules


I’m going to go ahead and say it: I’m Pumped! About something in the NEWS!

How has your recent news feed looked? A bit dismal, if you’re anything like me. There’s the whole “we prefer the frog-in-a-boiling pot method of extinction” thing coming from the White House. Well, and then there’s everything else coming from the White House.

It can all seem like it’s too much. We’ve got a government deliberately ignoring science, publishing a budget that cuts the estate tax – but relies on its revenue continuing because… rich dead people are generous? Oh, and then there’s the whole double counting thing. (But don’t worry, Mick Mulvaney now says it was on purpose.) Fortunately for us all, there’s great news. It’s about… passwords!

Who would have ever expected that good news in the “reality and practical experience” matters arena would come from password guidelines? Yeah, me neither. And yet, we have the outlines of the new recommendations from the National Institute of Standards and Technology (“NIST”). Even more importantly, it turns out I was totally right! Totally! Yeah, I’ll get to that.

But the best part…



We’re just all so damn proud!

That’s right, I’m getting pumped about a government agency evaluating the collective experiences we’ve had related to their rules, using that collective experience to determine what works and what doesn’t, and then taking that information and applying it. PUMPED.

Why am I so excited about this? Mostly, it’s because for years, the rules our companies have used to get their employees to password protect their computers and devices have been based on what the most tech-savvy IT specialist would do if he had no concern about memory, convenience, or give-a-f*cks. You think all of your employees care about the strength of their passwords as much as your IT manager does? Then you should really look into one of the many open positions in the Trump Administration.

So a few quick points before we get to the new standards:

1) What is NIST and Why Do They Have All This Password Power?

NIST is a standards laboratory that operates under the umbrella of the U.S. Department of Commerce. That’s right, they measure things. With a mission to promote industrial standards and competitiveness, you might be surprised that an agency that got its start in 1901 (before Hedy Lamarr even invented encryption during lunch breaks from her movie star career) is somehow the right agency to be doing all of this.

Well, since I’m not going to waste your time with the history of NIST, just accept the fact that they’re in charge. Their security standards are considered to be pretty much the gold standard in what we should be doing (but probably aren’t) to keep our data safe from hackers. In fact, President Obama’s Cybersecurity Executive Order (from which Trump did what Trump does – plagiarize – in order to come up with much of his own cybersecurity order) is built around the NIST recommendation.

In other words, they’re the bee’s knees to your IT support (and your cyber liability insurance carrier).

2) What Types of Things Were in the Old NIST Guidelines?

Basically, everything you hated about your passwords at work. The guidelines recommended that passwords exceed a certain length, most recently at least 12 characters. They recommended that your passwords include a combination of character types (lower-case, upper-case, numbers, symbols). They recommended that passwords be changed frequently.

Were these suggestions necessarily wrong? No. At least not in 1985.

The previous guidelines were based on the idea that frequent password changes, longer passwords, and complex combinations of letters and characters were more resistant to brute-force hacks, password-guessing attacks, and “dictionary” attacks (attacks that essentially looked for words in a dictionary – not all concepts are complex!).

3) Why Did the Previous NIST Guidelines Stop Being Effective?

Well, two reasons. Most importantly, because they were based on a rationale that no longer makes any sense. The majority of hacks today don’t involve guessing a password. Instead, hackers use keystroke loggers, phishing attacks, and social engineering to get passwords. More critically, there have been so many major breaches involving huge lists of passwords that hackers are able to simply consult those massive lists, called “Rainbow Tables,” to find the passwords you’ve previously used. And sadly, you’ve used that password before.

However, they also had another side effect that, in my humble opinion, resulted in a much less secure environment – they were more than a regular user wanted to deal with. Remember what I said above about the password rules being perfect for an IT technician? How many of your office assistants are also IT specialists? There you go.

It turns out that the rules for long, complex passwords that are changed every 90 days require a lot more brain power than the normal person was willing to apply. So they took shortcuts: they reused passwords, picked character combinations that are easy to guess (e.g. pa$$word), or wrote the passwords down in conspicuous locations. The rules on complexity made passwords something that everyone hated, and something most people would at least passively resist.

I can’t possibly put it better than XKCD did in this comic:


4) NIST’s New Password Guidelines

So how do we get passwords that are easy to remember, but difficult for computers to guess? Here’s what NIST’s new standards recommend:

  • Allow passwords to be up to 64 characters long – allowing more pass-phrases that are easier for a person to remember;
  • Allow users to use any character type they want, including spaces – allowing more pass-phrases (see a pattern?);
  • Allow all types of ASCII characters, Unicode characters, and (wait for it…) EMOJI! (Can anyone else see an office where 90% of the computers are unlocked by some version of the middle finger emoji? I can.);
  • Enable brute force protection (multiple wrong entries = sit in the corner and wait 24 hours to retry);
  • Eliminate character-type requirements on pass-phrases over a certain length;
  • Check passwords against lists of passwords that have been obtained from previous breaches.
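Here is what those recommendations look like once written down as a checker, as an added example that is not from this post or from NIST’s own text. It contrasts the old composition policy described above (12+ characters, all four character classes, which happily accepts pa$$word-style strings) with a NIST-style check (length bounds only, any Unicode including spaces and emoji, NFKC normalisation, a breach blocklist) plus a lockout counter for the brute-force bullet. The minimum of 8 characters, the 5-failure limit and the tiny blocklist are assumptions constructed for the example.

```python
import unicodedata

# Constructed blocklist for the example; a real deployment checks against full
# breach corpora, not six strings. Entries are stored casefolded.
BREACHED = {"password", "pa$$word", "p@ssw0rd", "123456", "qwerty", "letmein"}


def old_rules_accept(pw):
    """Legacy policy from the post: 12+ chars and lower, upper, digit, symbol.
    It rejects a long passphrase but accepts 'Pa$$word2017' style strings."""
    return (len(pw) >= 12
            and any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw) and any(not c.isalnum() for c in pw))


def new_rules_check(pw, min_len=8, max_len=64):
    """NIST-style check: length bounds only, any character allowed (spaces and
    emoji included), no composition rules, blocklist lookup.
    Returns (accepted, reason)."""
    normalized = unicodedata.normalize("NFKC", pw)  # so "ﬁ" and "fi" compare equal
    n = len(normalized)  # counts code points, so one emoji is one character
    if n < min_len:
        return False, "too short"
    if n > max_len:
        return False, "too long"
    if normalized.casefold() in BREACHED:
        return False, "found in breach list"
    return True, "ok"


class Throttle:
    """Brute-force protection: after `limit` failures a user is locked out for
    `lockout` seconds, and even a correct password is refused until it expires."""

    def __init__(self, limit=5, lockout=24 * 3600):
        self.limit, self.lockout = limit, lockout
        self.failures = {}  # user -> (failure count, locked_until timestamp)

    def attempt(self, user, password_ok, now):
        count, until = self.failures.get(user, (0, 0.0))
        if now < until:
            return False  # still locked out; do not even evaluate the password
        if password_ok:
            self.failures.pop(user, None)  # success clears the counter
            return True
        count += 1
        until = now + self.lockout if count >= self.limit else 0.0
        self.failures[user] = (count, until)
        return False
```

Note that a 28-character lower-case passphrase fails the old rules and passes the new ones, while the composition-compliant Pa$$word2017 passes the old rules only because the blocklist is the first thing that would catch it.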

There are more, but the basic gist of it all is that your password rules should reflect what passwords are now: one part of your security against a data breach. No longer will a strong password keep a hacker at bay. In fact, a relatively weak password, when used in combination with effective two-factor authentication, will be much more valuable, and the new guidelines understand that.

Honestly, I didn’t think I’d be so excited about being right (see, I told you that requiring constant changing of passwords was actually a security risk!). Well, that’s not true. I’m always excited about being right. What I’m genuinely more excited about, though, is a standards organization promulgating a whole series of guidelines that are based not only on what we know to be secure practices, but also on how those practices function in the real world. Particularly the one occupied by those among us without the knowledge or, as I so eloquently put it earlier – give-a-f*cks concerning the strength of the password on their office computer.

THAT’S why I’m excited.

About the Author

Brian Focht is a civil litigation attorney and technology enthusiast. In addition to being the author of The Cyber Advocate, he is also the producer and host of the Legal Technology Review podcast, and co-founder of B&R Concepts, a small business technology consulting company.