Ditch that password in favor of a ‘passphrase’

This post first appeared in the Mercury News

There has been some re-thinking among security experts over what constitutes a good password and how often — if ever — you should change your passwords. Even the word “password” is being morphed into “passphrase.”

Experts have always agreed that it’s a bad idea to use a simple password like “password” or the name of your dog, and that you should avoid using the same password on multiple sites. Simple passwords – especially dictionary words – are easy for hackers and machines to guess, and if you use the same password on different sites, a hack of one site could make all your other sites vulnerable.

There is also a long-held consensus that longer is better. Many sites require your password to be at least 8 characters long, but now many experts are saying it should be much longer.

Most experts also agree that it’s a good idea to include symbols along with at least one or two uppercase letters and a number or two. But the FBI’s Oregon Field Office recently posted advice that suggests you use a passphrase instead of a password. Though their advice didn’t say that you should necessarily include symbols or numbers, I still think that’s generally a good idea.

Those smart enough to avoid simple passwords would often come up with complex ones but those can be hard to remember and, unless they’re long, they’re not necessarily as secure as you might hope. The current thinking from government security experts is that length is more important than complexity.

There was a time when people were advised to change their passwords every 6 or so months but, if you follow the advice below, the common consensus is that you don’t need to do that unless one of your sites was breached.

The Oregon FBI’s examples (please don’t use these verbatim) include a phrase such as “VoicesProtected2020WeAre” or “even better,” a passphrase that combines multiple unrelated words, such as “DirectorMonthLearnTruck.”

One thing they didn’t say was how you might vary this passphrase so that you could use a version of it on multiple sites. My recommendation is to add a string of characters that is unique to each site or app. I won’t suggest examples, but figure out a way to scramble the spelling of the name of the site (or a portion of it) and add that to the passphrase, so that if a person or machine does get one of your passphrases, they can’t get into all of your accounts.

The FBI’s suggestions are based on advice from the National Institute of Standards and Technology (NIST), which in a long and rather technical post, aimed at people who develop password verification schemes, outlined some of the concerns with previous password recommendations.

For example, it’s long been assumed that your passwords should be complex and hard to guess. While being hard to guess is a good recommendation, a single password that is hard to guess might also be hard to remember or, if it contains special characters, might be rejected by some sites. “Users also express frustration when attempts to create complex passwords are rejected by online services. Many services reject passwords with spaces and various special characters,” said the report.

The rejection of some special characters is a pet peeve of mine. I use a certain symbol in some of my passwords and – while most sites accept that symbol – there is one I use that doesn’t. Many sites don’t accept spaces, which would make sense to use in a phrase, though I don’t have much problem simply using the words in the phrase and leaving out the spaces.

Advice for site operators

Both NIST and the FBI have advice for site and app operators, urging them to accept longer passphrases with whatever characters the user wants to include.

NIST rather firmly recommends that verification systems “SHALL require subscriber-chosen memorized secrets to be at least 8 characters in length. Verifiers SHOULD permit subscriber-chosen memorized secrets at least 64 characters in length.” And, based on NIST’s recommendations, the Oregon FBI suggests that site and app operators require everyone to use longer passwords or passphrases of 15 or more characters without requiring uppercase, lowercase, or special characters. NIST also suggests that operators only require password changes when there’s a reason to believe their network has been compromised. They advise that services “don’t lock a user’s account after a certain number of incorrect login attempts” and that they don’t allow password hints. This advice is all new and at least partially contrary to the way most sites currently operate.
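To make the verifier-side advice above concrete, here is an added Python example (not code from the column, the FBI or NIST) of a passphrase policy check that enforces only length, accepts any printable character including spaces, and imposes no composition rules; it also carries the “length beats complexity” arithmetic from earlier in the column. The 15-character floor, the 128-character cap and the tiny reject list are assumptions chosen for illustration.

```python
"""Passphrase acceptance check in the spirit of the NIST SP 800-63B guidance
quoted in the column: a length floor, a ceiling comfortably above 64,
any printable character accepted (spaces included), no composition rules,
and a reject list of trivially guessable secrets."""
import unicodedata
from math import log2

MIN_LEN = 15    # assumed floor: the Oregon FBI's suggested 15+ characters
MAX_LEN = 128   # assumed cap; NIST says verifiers SHOULD permit at least 64

# Constructed stand-in for a real list of common or previously breached
# passwords; a production verifier would load a large list instead.
REJECT_LIST = {"password", "password1", "qwerty", "123456",
               "correcthorsebatterystaple"}


def normalize(secret: str) -> str:
    """Apply NFKC normalization (SP 800-63B recommends NFKC or NFKD) so the
    same passphrase typed with different Unicode encodings compares equal."""
    return unicodedata.normalize("NFKC", secret)


def check_passphrase(secret: str) -> tuple[bool, str]:
    """Return (accepted, reason). Length is enforced; complexity is not."""
    s = normalize(secret)
    if len(s) < MIN_LEN:
        return False, f"too short: need at least {MIN_LEN} characters"
    if len(s) > MAX_LEN:
        return False, f"too long: at most {MAX_LEN} characters"
    # Only control characters are refused; spaces and symbols are printable.
    if any(not ch.isprintable() for ch in s):
        return False, "contains non-printable characters"
    if s.lower() in REJECT_LIST:
        return False, "appears on the list of commonly used passwords"
    return True, "ok"


def search_space_bits(length: int, alphabet_size: int) -> float:
    """Bits of brute-force search space for a uniformly random secret of the
    given length over the given alphabet: length * log2(alphabet_size).
    8 characters over all 95 printable ASCII symbols gives about 52.6 bits;
    24 lowercase letters with no symbols at all gives about 112.8 bits."""
    return length * log2(alphabet_size)
```

Running `check_passphrase` on a short but “complex” secret such as `Tr0ub4dor&3` rejects it on length alone, while a four-word phrase with spaces passes.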

Other forms of protection

In addition to strong, long and unique passphrases, another protection is dual-factor authentication, such as having to enter a code sent to your phone via SMS (or email in some cases) if you try to access a site from a device or browser that you haven’t used before. This isn’t perfect, but it does offer protection if someone else tries to get into your account because, chances are, they won’t have access to your device or email to be able to retrieve that code. Many financial institutions require you to use dual-factor authentication, and many sites and apps, including those operated by Google, Facebook, Twitter, Apple and Microsoft, make it optional.

Another tool is a password manager like LastPass or RoboForm, which stores your passwords and enters them for you. I use one and think they’re great. But as the Oregon FBI points out, “The downside of using a password keeper program is that if an attacker cracks your vault password, then he or she knows all of your passwords for all of your accounts.” Still, the FBI points out that “many IT professionals agree, the benefit of a password keeper program far outweighs this risk.” If you use a password manager, make sure that it has a very secure passphrase that you can remember.

Perhaps the best level of protection, though not necessarily convenient in all cases, is a physical key such as the YubiKey from Yubico. This is a small device that you can put on a keychain and insert into the USB port of a computer or the data/charging port of a phone to verify your identity. Not all sites and apps work with Yubico keys, but a growing number do. Keys vary in price depending on the device they’re used for, ranging between $20 and $69.

Finally, consider biometrics. Many phones and computers allow you to use a fingerprint or facial recognition to access your device along with an optional password or PIN. Most Windows computers, for example, have built-in cameras that can recognize your face. While no form of protection is foolproof, biometrics are quite secure and, usually, very convenient. There are times when my Windows PC fails to recognize my face, so I type in my PIN # or password, but for the most part, it knows who I am and welcomes me in when I smile at the camera.