Oh brother, here we go again…
There is a common thread, ALWAYS, when discussing passwords, particularly length, complexity, value.
There are a couple of reasons this is generally all bunk and the author of NIST Special Publication 800-63. Appendix A, does not have that much to apologize for.
First, some truth.
The information about passwords in the NIST publication was already dated when it was published in 2003. The author, Bill Burr, does have to apologize for that.
But not much else.
Secondly, some fact.
The people, almost *always* complaining about password rules and looking for any excuse not to follow them are usually people who don’t understand the science and math surrounding them. While people can recognize obvious bad passwords, good ones are actually much harder to spot, because good passwords have one thing in common, they are complex combinatorically.
Bet you never heard that word before… more on Combinatorics later…
Next, an unfortunate but all too natural phenomena of iteration, evolution and progress.
Lastly, before the boring stuff, there is no such thing as a secure anything. Security is a state, which changes from time period to time period and evaluated based on prevailing threats with some measure of risk assessment for both the known… and unknown threats.
So, by definition, there are no permanently secure passwords (or permanently secure anything).
Given enough time, tools, power, situation, opportunity (and opportunity cost), vulnerabilities, a little luck and desire, everything is crackable.
With that in mind, any advice on secure passwords WILL only be valid for a certain period of time.
So there is absolutely no excuse in not following that advice, it doesn’t really matter how you feel about it or how lazy your fingers are, with the knowledge that it is going to change at some later date.
This phenomena is generally a result of changes in technology and more importantly changes in the prevailing tactics used to get around it.
For example, in the 1970’s when everyone is using birthdates as passwords, once attackers know this is common, they proceed trying passwords with birthdates. Next, people start using the recommendations in the NIST 800-63 publication (which is 1980’s circa advice, despite it being published in 2003). So the attackers now know the majority of sites use these recommendations… and adjust their method of attack to include the NIST 800-63 recommendations.
This is natural, there is nothing you can do about it.
This is iteration. Next, evolution…
Cracking passwords takes time, the harder a password is to crack, the more time it takes. Of course, if it takes 100,000 years to crack a given password… that is a good password, why? Because you are likely to be dead for 99,900 years by the time it gets cracked and your bank account is long gone.
However, computer power increases periodically, thus, the time to crack a passwords shrinks. In addition, sometimes weaknesses are found in password encryption algorithms and that further shortens the time to crack them. This is evolution, these things can’t be stopped.
Ok, so let’s bring this all home.
At the heart of this discussion for passwords is Combinatorics. In math, combinatorics is the science of “Countable Discreet Structures”. Put in English… the study of counting sets of thing used in combination (i.e. If I have 3 objects, an apple, an orange and a banana, how many ways can I order them as a list of three items [Apple,Orange,Banana], [Orange,Apple,Banana], [Orange,Banana,Apple]… etc.
As the set of things grows and the number of items in the list also grows, this increases entropy (in English, the number of combinations).
Thus, low entropy sets are easy to crack, high entropy sets (or longer lists with more things I can use in each place in the set), gets progressively harder to crack. At some point, it gets so hard, the set of objects and length of the list becomes at first, exponentially large and if I keep going increasing either or both, geometrically hard. Randomness adds to entropy, but reality is, passwords are not truly random (even when using online password managers that supposedly generate random passwords). Computers don’t have a “random” anything, scientifically speaking, computers are only “pseudo random”. Plainly, randomness in computers starts from a set of initial conditions and iterates through an algorithm which creates a progressive random sequence of numbers. Thus, if you know the initial conditions and the algorithm, you can calculate the sequence of numbers, despite the sequence being random.
This is the goal for picking relatively secure (although realistically, temporally secure passwords), pick exponentially or geometrically hard to crack passwords; passwords with high entropy.
So here is the kicker, this still isn’t good enough… why… search space. If my set of objects is known (which it is, keys available to me on a keyboard) this is part of the space of objects an attacker can search through, then the only mystery is the length of my string of characters in the password. To make matters worse, if an attacker knows the limits of what I can use for a password, for example, some websites only allow for letters and numbers, it tells the attacker how s/he can further narrow the possibilities of what my passwords could be. Knowing corporate policy on passwords is also useful and clearly, if nearly everyone is following the recommendations of NIST 800-63, the attacker has even more advantage.
So even geometrically complex passwords can have weaknesses based on policy, prevailing trends, technically imposed limitations and available pools of characters.
So this is why you hear people say “passwords are useless and irrelevant”. Of course, this is all hogwash. They are not useless, they are only useless if you set them once and never change them, once they become an immobile target, time is on the attackers side for all the outlined reasons, changes in computer power, some predictability in the search space and the fact that the password isn’t really random. Cries that passwords are dead, “long live passwords”, are merely the cries of lazy ignorant people with no insight into what makes for a good password, it is literally like someone shouting “fire” in a crowded theater… it’s irresponsible.
So the best strategy is…
- Understand passwords requirements (or authentication methods in general) are going to change over time.
- Follow the prevailing advice on authentication methods… and maybe add some personal flair so your methods aren’t exactly the same as everyone else’s.
- Pick passwords that have some amount of complexity (i.e. higher entropy).
- Follow this simple rule, using longer passwords means you can change your passwords less often, shorter passwords means you will have to change much more frequently. But as a rule, you must change them at some point, hopefully on a regular basis.
- Where you can, use 2-factor or multi-factor options.
What really seals the deal on decent passwords is 2-factor authentication (aka 2FA). You should still periodically change your passwords even with 2 factor, but with it, you have significant leeway on how often and when. If anything, 2FA should appeal to the laziest people.
Of course, this is a complex topic, authentication in general that is. There are many other discussions and arguments that can be made here surrounding it. Suffice it to say, this information above is not wrong, although it may be open to interpretation. That being said, it’s still, presently, sound advice.