{"id":2234,"date":"2018-08-29T18:28:18","date_gmt":"2018-08-29T22:28:18","guid":{"rendered":"http:\/\/blog.bitsofgenius.com\/?p=2234"},"modified":"2018-08-29T18:28:18","modified_gmt":"2018-08-29T22:28:18","slug":"real-password-security-using-the-kiss-principle","status":"publish","type":"post","link":"https:\/\/blog.bitsofgenius.com\/?p=2234","title":{"rendered":"Real Password Security, Using the KISS Principle"},"content":{"rendered":"<p>Keep It Simple and Stupid!<\/p>\n<p>If you hate those extremely over-complicated password requirements which paranoid corporations are embracing, you will love the changes that NIST issued about a year ago.\u00a0 The problem is, corporations aren&#8217;t really showing any interest in it.<\/p>\n<p>It is time to point them to the new guidelines, because the current ones are making life with a computer unbelievably complicated.\u00a0 The exact opposite of what computers are supposed to do for us.<\/p>\n<p>NIST changed the guidelines because, not only do the strict requirements of character patterns cause confusion among users, but those same guidelines actually make guessing the password easier rather than harder.\u00a0 Part of the problem with the initial guidelines in 2003 was that they violated a very simple principle:<\/p>\n<p style=\"text-align: left;\"><em>&#8220;The danger is not that computers will think like men, but that men will think like computers.&#8221;<\/em><\/p>\n<p>NIST has realized its mistake from 2003 and has now issued guidance that is more realistic&#8230; and actually might return the ease of computing that was originally promised.\u00a0 <a href=\"https:\/\/www.engadget.com\/2017\/08\/08\/nist-new-password-guidelines\/\" target=\"_blank\" rel=\"noopener\">You can read about it here<\/a>.<\/p>\n<p>Ironically, the math teacher who introduced me to computer programming in my teens had a very simple method for making his passwords:\u00a0 take a foreign word, and either spell it backwards or throw some random digits in&#8230; or both.\u00a0 Easy to remember because it was personal to him. Tom Lehrer, the Harvard professor who had a cult following in the 1950s and 1960s for his comedy acts on piano, clued us into this.\u00a0 In one of his acts, he referred to his eccentric friend Henry, who spelled his name Hen3ry&#8230; with the &#8220;3&#8221; being silent.\u00a0 You get the idea.<\/p>\n<p>The safest passwords are something personal to you, which others don&#8217;t know.\u00a0 Not secret desires, not old nicknames, &#8230; or other things you think are secret but you probably did share with a friend or two.\u00a0 It is just some things that got stuck in your mind that no one else knew or cared about.\u00a0 Some examples:<\/p>\n<ul>\n<li>Defunct ID numbers you had in your youth.\u00a0 Defunct meaning they have not been used for so long that the government destroyed the records.\u00a0 Nowadays, that&#8217;s usually 10 years.<\/li>\n<li>A personal acronym: a phrase made from a personal statement only known to you.\u00a0 E.g.\u00a0 &#8220;Have you had your fill of the day&#8221; becomes HYHyfoTD, with any variation on capitalization you want.<\/li>\n<\/ul>\n<p>&#8230;and, of course, intentionally misspelled with maybe some extra characters thrown in (as my wise math teacher once said).\u00a0 The idea is to not make your password verbatim to the thing stuck in your head, but it is the root&#8230; and the rest is triggered by muscle memory (or, the memory you develop from doing a thing over and over again).<\/p>\n<p>So at least point out this change to your employer, vendors with whom you do online business, etc., and urge them to follow the new guidelines.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Keep It Simple and Stupid! 
If you hate those extremely over-complicated password requirements which paranoid corporations are embracing, you will love the changes that NIST issued about a year ago.\u00a0 The problem is, corporations aren&#8217;t really showing any interest in it. It is time to point them to the new guidelines, because the current ones [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21,20,13,17],"tags":[],"class_list":["post-2234","post","type-post","status-publish","format-standard","hentry","category-politics-and-public-policy","category-technologynetworking","category-technologythoughts","category-tips-and-tricks"],"_links":{"self":[{"href":"https:\/\/blog.bitsofgenius.com\/index.php?rest_route=\/wp\/v2\/posts\/2234","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.bitsofgenius.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.bitsofgenius.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.bitsofgenius.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.bitsofgenius.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2234"}],"version-history":[{"count":4,"href":"https:\/\/blog.bitsofgenius.com\/index.php?rest_route=\/wp\/v2\/posts\/2234\/revisions"}],"predecessor-version":[{"id":2238,"href":"https:\/\/blog.bitsofgenius.com\/index.php?rest_route=\/wp\/v2\/posts\/2234\/revisions\/2238"}],"wp:attachment":[{"href":"https:\/\/blog.bitsofgenius.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2234"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.bitsofgenius.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2234"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.bitsofgenius.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2234"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}