Donald B. Johnston, Aird & Berlis LLP
We all hate passwords. Anyone who says s/he doesn’t is fibbing.
I had an experience last year, while at the International Bar Association conference in Washington, that renewed my hatred for passwords. The word “hatred” is inadequate to express how I actually feel about passwords – it’s more like the white-hot radiation of a million simultaneous supernovas.
I was in Washington doing a public presentation, and my notes were on my smartphone. What I didn’t know was that our IT guys – God love ‘em – changed our firm’s password policy without notice and rolled it out just before my presentation. Of course they did. So, right in the middle of my presentation, when I wanted to access my notes, I got a message that told me it’s time to change my password.
At this point I’m somewhere between gruntled and disgruntled, but I typed in a new password – twice – as instructed, expecting to access my notes.
But that was not to be.
No. The password I had chosen was apparently no good, because it didn’t have at least 8 characters. So I tried it again, but then I got a new message: it didn’t have a capital letter, a number and a “special” character.
When you’ve got thumbs like mine, all characters are special – but I digress.
Anyway, I managed to put in a compliant password, twice, while my audience bemusedly looked on, and got my notes. I finished my presentation to a positive frenzy of enthusiastic snoring.
But what do you think happened when I tried to access my smartphone later on?
Of course you know. I couldn’t get in.
For some reason, in the middle of my presentation, I must have made the same error twice. My smartphone, thinking (after a few erroneous attempts at logging in) that it was being hacked, finally erased itself, immolating my data, including all my messages and plane tickets and so on.
It was lovely. Words cannot express the transports of pure joy with which I was seized.
Which brings me to what I really wanted to talk about, and that is the latest in password advice from the U.S. National Institute for Standards and Technology (NIST), enshrined in Special Publication 800-63-3 and 800-63B: Digital Authentication Guidelines Authentication and Lifecycle Management. The documents are still in draft form now, but they read very well. You can get the password advice here: https://pages.nist.gov/800-63-3/sp800-63b.html
Essentially what the draft guidelines say about passwords (which NIST glibly calls a Memorized Secret Authenticator) are the following:
- Passwords have to be at least 8 characters in length if chosen by a human being, and may be much longer if you like. In fact, if there is to be an upper limit, it has to be more than 64 characters.
- Or no less than 6 characters if chosen by a machine, e.g., 7*%?4T.
- The characters could include a space, an emoji, all ASCII characters (see https://en.wikipedia.org/wiki/ASCII) and all UNICODE characters (see https://en.wikipedia.org/wiki/List_of_Unicode_characters).
- There should be no password “hints”. They just help hackers guess. No, the name of my first dog was NOT “Spot”, it was “Schlep”. And the name of my first girlfriend was not one of the girls in the high school yearbook. (I had no girlfriend, for reasons obvious to anyone who knows me well enough.)
- Passwords can’t be on a list of previously used passwords, passwords that were subject to a previous breach, passwords that are found in a dictionary or passwords that are related to the user or the service (“donspassword” or “officeaccess”).
- There should be a limit on the number of failed password entry attempts – then the user is locked out. (Or, as in my case, the smartphone commits suicide after 10 tries.)
- There should be no composition rules, such as “four numbers, three symbols, two uppercase letters and a partridge in a pear tree”. Instead people should write a unique password or passphrase that they can remember and no one else can guess. (I recommend against, “Now is the time for all good men to come to the aid of the party”, but not because it’s not a good phrase, rather because the party doesn’t deserve the aid.)
- There should be no requirement to change passwords from time to time unless there is evidence of a breach. (Good news!)
- Stored passwords have to be “hashed” to make them resistant to hacking.
- Two-step (or two factor) authentication is recommended. (We have that at Aird & Berlis: a password combined with a number that constantly changes. Both have to be correct for access to be permitted.)
- SMS should never be used in two-step authentication, because it’s unsafe.
So there you have it. I think that these new rules are pretty user-oriented and friendly, particularly because of the ability to have a long passphrase that uses spaces and because of the non-expiry policy.
Don is Co-chair of the Technology Law Group, Co-chair of the Privacy & Data Security Group, and a member of the Corporate Commercial, Intellectual Property Law and Energy Law Groups for Aird & Berlis LLP . Don can be reached at email@example.com.