Tech Talk #59 – Sep. 2, 2017
Passwords – the bad news and the good news
First, the bad news.
Back in 2003, Bill Burr, a manager at the National Institute of Standards and Technology (NIST), wrote a paper about computer passwords that eventually became the password mess we find ourselves in today. Burr’s eight-page password recommendation document, NIST Special Publication 800-63, Appendix A, advised people to use irregular capitalization, special characters, and at least one numeral in their passwords. He was also the guy who suggested we change our perfectly good passwords every 90 days.
In an interview published in early August 2017 in The Wall Street Journal, Burr said: “Much of what I did I now regret.” Burr is 72 years old and now retired.
In 2011, Randall Munroe (creator of the fabulously nerdy xkcd web comic) summed up the problems with passwords as “Through 20 years of effort, we’ve successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess.” Here is a link to the xkcd panel about password strength: https://xkcd.com/936/
Now, the good news.
The NIST is drafting new password standards. Yay!
I’m not going to link to NIST Special Publication 800-63B, Digital Identity Guidelines, Authentication and Lifecycle Management published Aug 24, 2017. But, if you’re having trouble sleeping, go ahead and Google it.
I’ve read it, so you don’t have to. Fun facts: your password is known as a Memorized Secret, and an answer to your security question is known as a Look-Up Secret.
The document covers differing levels of security and user identifiers, including biometrics (using your face, fingerprint, voice, etc.).
Here’s the good part. In Appendix A the NIST reports “Despite widespread frustration with the use of passwords from both a usability and security standpoint, they remain a very widely used form of authentication. Humans, however, have only a limited ability to memorize complex, arbitrary secrets, so they often choose passwords that can be easily guessed. To address the resultant security concerns, online services have introduced rules in an effort to increase the complexity of these memorized secrets. The most notable form of these is composition rules, which require the user to choose passwords constructed using a mix of character types, such as at least one digit, uppercase letter, and symbol. However, analyses of breached password databases reveal that the benefit of such rules is not nearly as significant as initially thought, although the impact on usability and memorability is severe.”
So, if the old way isn’t working, what do they suggest? It’s hard to read between the lines here, but it looks like we may be moving toward long passwords made of random common words, or passphrases. Long seems to be the way to go.
Going back to Randall Munroe’s example cited above, we seem to be headed in a direction where four random common words can be your password; something like correct horse battery staple would be a valid password.
Now we just need every web site on the planet to change their security policies.
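To make the contrast concrete, here is a small added example (not from the NIST document or the column) that puts the old composition rules next to a length-plus-blocklist check in the spirit of 800-63B, and works out the strength of a four-random-word passphrase. The 8-character minimum and the blocklist check are assumed from the 800-63B text; the word list and blocklist are constructed samples.

```python
import math
import secrets

# Constructed sample word list; a real generator would draw from a list of
# thousands of common words (the xkcd panel assumes 2048 words per pick).
WORDS = ["correct", "horse", "battery", "staple", "apple", "river", "candle", "window"]

# Constructed sample blocklist; a real verifier would load a large list of
# commonly used or previously breached passwords.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "tr0ub4dor&3"}


def passes_composition_rules(secret: str) -> bool:
    """The 2003-style rule set: uppercase, lowercase, digit and symbol all required."""
    return (any(c.isupper() for c in secret)
            and any(c.islower() for c in secret)
            and any(c.isdigit() for c in secret)
            and any(not c.isalnum() for c in secret))


def check_memorized_secret(secret: str, blocklist=COMMON_PASSWORDS):
    """800-63B style check: minimum length and a blocklist, no composition rules.

    Returns (accepted, reason). Assumed values: at least 8 characters, and
    rejection of anything on the commonly-used/breached list.
    """
    if len(secret) < 8:
        return False, "shorter than 8 characters"
    if secret.lower() in blocklist:
        return False, "commonly used or previously breached"
    return True, "accepted"


def passphrase_entropy_bits(word_count: int, wordlist_size: int) -> float:
    """Bits of guessing work for word_count words picked uniformly at random."""
    return word_count * math.log2(wordlist_size)


def generate_passphrase(word_count: int = 4, words=WORDS) -> str:
    """Pick words with a cryptographically secure RNG, joined by spaces."""
    return " ".join(secrets.choice(words) for _ in range(word_count))


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&3", "correct horse battery staple"):
        print(candidate, "| old rules:", passes_composition_rules(candidate),
              "| 800-63B style:", check_memorized_secret(candidate))
    print("4 words from 2048:", passphrase_entropy_bits(4, 2048), "bits")
    print("sample:", generate_passphrase())
```

The symbol-laden example satisfies the old rules yet is rejected as a well-known password, while the four-word passphrase fails the old rules but is accepted, and four picks from a 2048-word list give 44 bits, the figure the xkcd panel quotes.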
Changing the size of text in your browser
Every browser has a way to make the text on a web page larger, but it’s different in each browser. Here’s an easy way that works on any Windows browser:
- Press and hold down Ctrl while rolling the mouse wheel
Special bonus: this tip works on almost any program that runs on Windows
My computer could be more encouraging. You know, instead of “invalid password,” why not something like, “Ooooh, you’re so close!”? – Lisa Porter
(I couldn’t find anything about the specific Lisa Porter that may have said this, but it’s a good quote, and it fits this week, so here it is.)
Do you have a computer or technology question? Greg Cunningham has been providing Tehachapi with on-site PC and network services since 2007. Email Greg at firstname.lastname@example.org.