Thursday, September 7, 2017

Passwords Are Now Passé

Logging in to a computer system generally requires a username and a "memorized secret." Most people refer to this "memorized secret" as a password. If you are using a password, may I suggest ditching the password and instead using a passphrase in its place?

Federal NIST (National Institute of Standards and Technology) guidelines that cover computer and systems authentication have recently been revised, and the use of complex passwords is no longer recommended. The Digital Identity Guidelines now recommend using passphrases to authenticate to computer and electronic systems instead of passwords. A passphrase is a group of words, preferably chosen at random, used to authenticate to a computer-based system. Here is an example of both a complex password and a passphrase:

A complex password: St48761!

A passphrase: special holding compound

Why the change?

Complex passwords are sometimes difficult for us to remember. Consequently, they may end up written on paper or stored in an insecure way. Different complexity requirements for different computer and electronic systems may require us to remember multiple complex passwords. Again, we end up writing them down or storing them in an insecure way.

Complex passwords are sometimes created by substituting look-alike characters for the letters of a common word, which makes them less secure than we might think. Such passwords can be cracked by a system “dictionary attack” that accounts for common letter substitutions. One example of a complex password that is not very secure is Passw0rd!
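To see why Passw0rd! offers so little protection, here is a small checker, added to this post as an illustration and not part of NIST's guidance or any Barrington 220 system, that does what a dictionary attack does: it folds common substitutions back into plain letters and compares the result against a word list. The substitution table and the word list are constructed samples; a real cracking rule set and breached-password list are far larger.

```python
import re

# Substitutions a cracking rule set folds back into plain letters.
# Constructed table for illustration; real rule sets are far larger.
SUBSTITUTIONS = {
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "(": "c", "|": "l",
}

# Stand-in for a dictionary or breached-password list (constructed sample).
COMMON_WORDS = {
    "password", "welcome", "letmein", "qwerty", "monkey", "dragon", "football",
}

MIN_LENGTH = 8  # NIST SP 800-63B minimum for user-chosen memorized secrets


def candidate_forms(secret: str) -> set:
    """Return the plain-letter forms an attacker would try for `secret`.

    Mirrors the simplest cracking rules: lowercase, drop surrounding
    punctuation, drop a trailing digit run, and undo common substitutions.
    """
    base = secret.lower()
    stripped = re.sub(r"^[^a-z0-9]+|[^a-z0-9]+$", "", base)
    forms = {base, stripped, re.sub(r"\d+$", "", stripped)}
    # Apply substitution folding to every form collected so far.
    folded = {"".join(SUBSTITUTIONS.get(ch, ch) for ch in f) for f in forms}
    return forms | folded


def is_dictionary_derived(secret: str) -> bool:
    """True if any cracking-rule variant of `secret` is a known word."""
    return any(form in COMMON_WORDS for form in candidate_forms(secret))


def check_memorized_secret(secret: str) -> list:
    """Return the reasons a proposed secret should be rejected (empty = accept)."""
    problems = []
    if len(secret) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if is_dictionary_derived(secret):
        problems.append("common word with predictable substitutions")
    return problems


if __name__ == "__main__":
    for candidate in ["Passw0rd!", "Dragon2017", "W3lc0m3", "special holding compound"]:
        print(f"{candidate!r}: {check_memorized_secret(candidate) or 'accepted'}")
```

Passw0rd! is rejected because stripping the trailing ! and turning the 0 back into an o yields password, which is in the list. The three-word passphrase passes because no single word in it is a common password, and there are no substitutions to undo.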

While not every system we work with will currently support the new federal recommendations (e.g., Apple IDs), your Barrington 220 network account will support their use, as will the Google G Suite system.

To revise a Barrington 220 network “memorized secret” (your password), click here.

To revise your Barrington 220 Google account password, follow these directions.

When creating your passphrase, make sure it is a minimum of 8 characters in length. Use random words strung together, not a common phrase. While a passphrase such as let the dog out is still stronger than many traditional complex passwords, a randomly chosen passphrase such as interview garage focus is stronger against a potential system "dictionary attack" and is greatly preferred over common phrases found in books or everyday language.
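The difference between a common phrase and random words is a difference in how many guesses an attacker needs. The script below, added here as an example rather than taken from NIST or from any district tool, draws words at random with a cryptographic random source and works out the resulting strength in bits. The 32-word list is a constructed sample; a production list such as the EFF long word list has 7776 entries, and the 100,000-phrase figure used for a common phrase is an assumed size for an attacker's phrase list.

```python
import math
import secrets

# Constructed sample list; a production list such as the EFF long list has 7776 entries.
WORDLIST = [
    "special", "holding", "compound", "interview", "garage", "focus",
    "lantern", "orbit", "velvet", "canyon", "pixel", "harbor",
    "meadow", "quartz", "timber", "saddle", "ember", "glacier",
    "nickel", "plaza", "riddle", "tundra", "walnut", "yonder",
    "anchor", "breeze", "cobalt", "dune", "falcon", "granite",
    "hazel", "island",
]  # 32 entries, so each word adds log2(32) = 5 bits

MIN_LENGTH = 8  # the post's minimum passphrase length


def passphrase_entropy_bits(n_words: int, wordlist_size: int) -> float:
    """Entropy of n_words drawn uniformly and independently from a list."""
    return n_words * math.log2(wordlist_size)


def charset_entropy_bits(length: int, charset_size: int) -> float:
    """Entropy of a character string ONLY if every character is uniformly random.

    A human-chosen secret such as Passw0rd! has far less than this bound.
    """
    return length * math.log2(charset_size)


def words_needed(target_bits: float, wordlist_size: int) -> int:
    """Smallest word count that reaches target_bits from the given list."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_passphrase(n_words: int = 3, wordlist=WORDLIST, rng=None) -> str:
    """Draw n_words with a CSPRNG (secrets.SystemRandom) and join with spaces.

    Regenerates if the result is shorter than MIN_LENGTH.
    """
    rng = rng or secrets.SystemRandom()
    while True:
        phrase = " ".join(rng.choice(wordlist) for _ in range(n_words))
        if len(phrase) >= MIN_LENGTH:
            return phrase


if __name__ == "__main__":
    print("random passphrase:", generate_passphrase(3))
    print(f"3 random words from a 7776-word list: {passphrase_entropy_bits(3, 7776):.1f} bits")
    print(f"4 random words from a 7776-word list: {passphrase_entropy_bits(4, 7776):.1f} bits")
    # Assumed: attacker tries a list of 100,000 common phrases first.
    print(f"one common phrase from a 100,000-phrase list: {math.log2(100_000):.1f} bits")
    print(f"8 truly random printable characters: {charset_entropy_bits(8, 94):.1f} bits")
    print(f"words needed to reach 64 bits from a 7776-word list: {words_needed(64, 7776)}")
```

The point the numbers make: a common phrase like let the dog out counts as a single entry in an attacker's phrase list (roughly 17 bits under the assumed list size), while three random words from a 7776-word list give about 39 bits and four give about 52 bits, with no memorization penalty. The character-set bound for an 8-character complex password is only reached if every character is random, which is rarely true of anything a person chooses.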

For some interesting additional reading, check out the NIST Digital Identity Guidelines. A remark at the end of the document sums things up: "Length and complexity requirements beyond those recommended here significantly increase the difficulty of memorized secrets and increase user frustration."
