29 Aug 2018
Real Password Security, Using the KISS Principle
Keep It Simple and Stupid!
If you hate those extremely over-complicated password requirements which paranoid corporations are embracing, you will love the changes that NIST issued about a year ago. The problem is, corporations aren’t really showing any interest in it.
It is time to point them the the new guidelines, because the current ones are making life with a computer unbelievably complicated. The exact opposite of what computers are supposed to do for us.
NIST changed the guidelines because, not only do the strict requirements of character patterns cause confusion among users, but those same guidelines actually make guessing the password easier rather than harder. Part of the problem with the initial guidelines in 2003 was that it violated a very simple principle:
“The danger is not that computers will think like men, but that men will think like computers.”
NIST realizes their mistake from 2003, and have now issued guidance that is more realistic… and actually might return the ease of computing that was originally promised. You can read about it here.
Ironically, the math teacher who introduced me to computer programming in my teens had a very simple method for making his passwords: take a foreign word, and either spell it backwards or throw some random digits in… or both. Easy to remember because it was personal to him. Tom Lehrer, the Harvard professor who had a cult following int the 1950s and 1960s for his comedy acts on piano, clued us into this. In one of his acts, he referred to his eccentric friend Henry, who spelled his name Hen3ry… with the “3” being silent. You get the idea.
The safest passwords are something personal to you, which others don’t know. Not secret desires, not old nicknames, … or other things you think are secret but you probably did share with a friend or two. It is just some things that got stuck in your mind that no one else knew or cared about. Some examples:
- Defunct ID numbers you had in your youth. Defunct meaning they have not been used for so long, that the government destroyed the records. Nowadays, that’s usually 10 years .
- A personal acronym: a phrase made from a personal statement only known to you. E.g. “Have you had your fill of the day” becomes HYHyfoTD, with any variation on capitalization you want.
…and, of course, intentionally misspelled with maybe some extra characters thrown in (as my wise math teacher once said). The idea is to not make your password verbatim to the thing stuck in your head, but it is the root… and the rest is triggered by muscle memory (or, the memory you develop from doing a thing over and over again).
So at least point out this change to your employer, vendors with whom you do online business, etc, and urge them to follow the new guidelines.
Leave a Comment
You must be logged in to post a comment.