Last year I provided a number of simple steps to lower the risk to your online presence without making your life harder. This year, I'm focusing on making logging into your accounts easier.
First, I'm going to share the takeaways from our new password guidance. Simply put: Use passphrases, not passwords.
Then, I'm going to explain the absolute most important thing to know about passwords: Try not to use them at all. And if you do, don't rely on passwords, or even passphrases, alone.
Work smarter, not harder
I've been a runner for a long time. A few years ago, I found myself in a really bad rut. I was under a lot of stress, so I had trouble sleeping. When I woke up, I’d be exhausted, so I'd sleep in a half hour. Because I was starting later in the morning, it would be hotter, so I'd run a little slower. Running slower meant more time would pass, so it would get even hotter, so I'd cut off a mile, but doing that made me disappointed in myself, which added to my stress and ended up making me even more exhausted.
After a while, I finally realized I wasn't helping myself.
Running was supposed to build me up, body and spirit, but I was in a cycle that was tearing both down. I changed the cycle to let my emotional and physical conditions dictate my running, not the other way around. Soon after, I was running longer, faster, more consistently, and with fewer injuries. I broke the cycle by having the way I function drive my training, and the results were unambiguously positive.
This may seem like a forced analogy, but that is the basic approach to change NIST took in rewriting its password guidance.
Over the years, our reliance on passwords, and the ease with which our adversaries can defeat those passwords, resulted in a negative feedback loop where users were subjected to increasingly complex, stressful and exhausting composition rules (upper, lower, and special characters, oh my!), increasing length requirements, password rotation requirements, and on and on.
Like pounding out more and more miles faster and faster, these looked like gains on paper but undermined the outcome we wanted: a safer and more convenient online experience.
As this XKCD comic points out, complex password rules actually drive us to create predictable, easy-to-guess passwords (“password1!” anybody?) or find other ways to make things easier on ourselves, e.g., reusing passwords across sites or saving them in spreadsheets or sticky notes. In practice, all those rules had made it easier for the bad guy, and harder—and less secure—for the user.
Our task: Find a better way
This summer, after a lengthy process with continual collaboration from government and industry, NIST released an update to Special Publication (SP) 800-63 to address the many changes that digital identity has undergone during that document's decade of existence. You can read more about that groundbreaking process here.
Among the huge number of things we wanted to do with the update was to give people guidance that would help them come up with passwords that were easy for them to remember, but hard for attackers to compromise. While the math of what makes a strong password hasn’t changed in theory, data from the past several years has revealed much about how people think about and cope with computer security. It was these human factors that served as the foundation for our recommendations.
So, without further ado, here are three simple steps to building a better password:
Step 1: Leverage your powers of association
The first lesson is about how humans remember. We're not particularly good at rote memorization. We're much better at remembering by association. Here's a simple example: Is it easier to remember the 20th letter of the alphabet or the letter that comes after “s”? As children, we didn't learn to associate a letter with the number of its corresponding place in the alphabet. What most of us learned was the alphabet song. The song helped us build associations between one letter and the next, with the upshot being that now we couldn’t forget our ABCs if we wanted to. Similarly, most of us rattle off our siblings’ names by their ages, likely oldest to youngest, months from January to December, and the planets from Mercury to Neptune (sorry, Pluto).
With a password composed of a random set of characters, there is, by definition, no association between one character and the next. Since “x” doesn't have a natural association with “&,” it's harder for us to memorize them.
Instead, we should use passphrases. Passphrases leverage things that we know are paired, like the letters in a word. Our brains are so good at recognizing groups of letters that form words that we don't even process the letters individually. If you look at the word “apple,” you don't say to yourself, “A-p-p-l-e, oh that's apple!” Your brain simply recognizes the word as a single image and converts it into a real-life image of the thing it represents—the classic red apple with a single green leaf on its stem, a bushel of granny smiths, or, for me, the perfect vector for peanut butter.
This ability to convert characters to words and words to images gets us to our second and third steps.
Step 2: Make the associations unique to you
So, we've established that, at least for password purposes, memorizing an entire word is no harder than memorizing a single letter. But we don't want to just replace 12-character passwords with 12-word passphrases—that would be a nightmare to type.
Instead, choosing just a handful of normal words or phrases can work, as long as whatever associates those words in your mind are known only to you.
Examples of bad passphrases: The names of your four kids; the colors of the rainbow; the Cavs starting lineup in game seven of the 2016 NBA finals when they came back from a 3-1 deficit and beat the Warriors to win Cleveland's first major sports championship in 52 years and then returned to The Land to be greeted by a giant parade attended by more than a million people … but I digress.
Instead, passphrases should be words that can go together in your head, but no one else would ever suspect. An example from my kitchen: “blender vent sauté pendant red chair.” These words all make sense, and they aren't even all things. Verbs work just as well.
Even if someone knew I picked words based on my kitchen, they would need to see my kitchen and then determine which of the thousands of nouns and verbs I picked. So, from a hacker's perspective, it really is random.
All we have to do now is remember it. This brings us to our last step.
Step 3: Picture this
Here's where we get to use our brain's strengths again. Back to the apple example from step 1, we know our brains like to picture things, and we can use this to advantage.
Those words about my kitchen—blender vent sauté pendant red chair—happen to be visible to me from right to left as I sit at my dining room table. Again, a hacker wouldn't know that, but, no matter where I am, I can always close my eyes and see that image. Even if I rearrange my kitchen or move to a different house, I can easily conjure that image just as it was.
In short, make your passphrase a picture in your head.
Compared to a password like “uE*s3P%8V)”, I think it's pretty clear passphrases can improve usability. But are they really better for security?
The savings add up
I won't get deep into the math here, but suffice it to say that a decent passphrase is decidedly stronger than a 10-character password made of a mess of letters, numbers and symbols.
The basic idea is that, once you've put a hacker in the position of having to guess, you want them to have to make as many guesses as possible. At some point, it's costly enough—in time or computing power—that the hacker will give up, or not even bother in the first place.
Depending on which special characters you allow and a few other factors, the random 10-character password would have something like 65 bits of entropy, a measure of its strength. For the passphrase, even if the hacker knows there are exactly six English words of 5-11 letters each, and given the average American has a vocabulary of about 19,000 such words, the passphrase would have about 85 bits of entropy.
A bit of fancy math on how entropy relates to the required number of guesses (each additional bit doubles the number of guesses, so a 20-bit gap is a factor of 2^20) shows that it would take about 1,050,000 times more effort to crack the passphrase. Yes, that's over 1 million times stronger—1 million times longer guessing time to crack.
It's not even close.
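The entropy comparison above, carried through as an added Python example (not code from the post or from NIST). It uses the post's figures of a six-word passphrase drawn from about 19,000 words, and assumes a 95-character printable-ASCII alphabet for the random 10-character password, which is what yields roughly 65 bits; `words_needed` goes one step beyond the post and asks how many random words it takes to reach a given bit count.

```python
import math

# Figures from the post: a six-word passphrase drawn from ~19,000 English words
VOCABULARY_WORDS = 19_000
PASSPHRASE_WORDS = 6
# Assumption (not stated in the post): the random password may use any of the
# 95 printable ASCII characters; 10 such characters give roughly 65 bits.
PRINTABLE_ASCII = 95
PASSWORD_LENGTH = 10


def entropy_bits(choices: int, length: int) -> float:
    """Entropy of a secret built from `length` uniformly random picks,
    each made from `choices` equally likely options: length * log2(choices)."""
    if choices < 2 or length < 1:
        raise ValueError("need at least two choices and one symbol")
    return length * math.log2(choices)


def guess_ratio(weaker_bits: float, stronger_bits: float) -> float:
    """Every extra bit doubles the search space, so exhausting the stronger
    secret takes 2 ** (difference) times as many guesses as the weaker one."""
    return 2.0 ** (stronger_bits - weaker_bits)


def words_needed(target_bits: float, vocabulary: int = VOCABULARY_WORDS) -> int:
    """Smallest number of random dictionary words whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(vocabulary))


def compare(password_len=PASSWORD_LENGTH, alphabet=PRINTABLE_ASCII,
            words=PASSPHRASE_WORDS, vocabulary=VOCABULARY_WORDS) -> dict:
    """Worked comparison: random character password vs. random-word passphrase."""
    pw = entropy_bits(alphabet, password_len)   # ~65.7 bits
    pp = entropy_bits(vocabulary, words)        # ~85.3 bits
    # With exact bits the ratio is ~784,000; the post's whole-bit figures
    # (65 vs. 85) give 2 ** 20 = 1,048,576, i.e. "about 1,050,000".
    return {"password_bits": pw, "passphrase_bits": pp,
            "guess_ratio": guess_ratio(pw, pp)}


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key:>16}: {value:,.1f}")
    print("random words needed to match 65 bits:", words_needed(65))
```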
THE MOST IMPORTANT PART
Here's the thing about passwords and passphrases: They're both pretty bad no matter how you create them. That said, we still live in an online world dominated by passwords. They are static and knowable, meaning they are stored somewhere. If they’re stored somewhere, they can be stolen, and if they're stolen, they can be used by the thief. Passphrases are harder to guess, and we continue to make them harder to steal, but, by their very nature, neither passwords nor passphrases will ever be good enough to protect sensitive accounts on their own.
So, even though our new guidance should yield more usable and more secure passphrases, to safeguard those things that you really care about, you need to rely on something other than passphrases alone. I said it a year ago, and I’ll say it again: Turn on multi-factor authentication to protect your personal information!
The future, which is already here
Increasingly, we're seeing technologies that enable password-less login while appropriately mitigating risk. Some of our largest industry partners are moving in this direction already. We're incredibly optimistic that more forward-looking organizations will continue to adopt and improve these methods and that one day we'll finally move beyond the password. But ramping up takes time, and we can't let the promise of tomorrow keep us from making gains today.
Turn on multi-factor authentication, create passphrases instead of passwords, and see how working smarter, not harder, can make your life easier and more secure.
*Post edited 21 May 2018 to reflect that Neptune, not Uranus, is the farthest planet from the Sun