Last week, The Washington Post ran an article about a new standard for passwords (with an accompanying video). The new standard is one that champions less complexity in favor of length.
A password that once looked like W@5hPo5t! can now be mycatlikesreadinggarfieldinthewashingtonpost. It is certainly easier to remember. Passphrases of 14 to 64 characters are being adopted by many businesses.
Studies from Carnegie Mellon University confirmed that passphrases are just as good for online security, because cracking programs are thrown off by length nearly as easily as by randomness. To a computer, poetry or simple sentences can be just as hard to crack. And people are less likely to forget them - or to write them down.
The federal agency overseeing government computer policy is the National Institute of Standards and Technology (NIST). NIST issued recommendations in publication 800-63 (still a draft awaiting final approval) that called for a password overhaul — encouraging longer passwords and ending the practice of forcing new ones every 60 or 90 days.
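To make the length-versus-complexity trade-off concrete, here is an added example (my own code, not from the post, the Washington Post article, the Carnegie Mellon studies or NIST) that estimates the work an attacker faces for the two passwords above and applies a length-only policy of the kind the post describes. The 14-to-64 length window comes from the post; the 20,000-word vocabulary used for the word-guessing estimate and the assumption that word boundaries are known are constructed for illustration.

```python
import math
import string

# Character classes a brute-force search would have to cover. string.punctuation
# holds the 32 printable-ASCII punctuation characters.
_CLASSES = (
    ("lower", set(string.ascii_lowercase)),
    ("upper", set(string.ascii_uppercase)),
    ("digit", set(string.digits)),
    ("symbol", set(string.punctuation)),
)


def charset_size(password: str) -> int:
    """Size of the smallest class-based alphabet that covers every character."""
    size = 0
    for _name, chars in _CLASSES:
        if any(c in chars for c in password):
            size += len(chars)
    # Characters outside the four classes (space, non-ASCII) count as one extra
    # symbol so the estimate never divides by a zero-sized alphabet.
    if any(not any(c in chars for _n, chars in _CLASSES) for c in password):
        size += 1
    return size


def brute_force_bits(password: str) -> float:
    """Bits of work for an attacker who tries every string over the alphabet the
    password draws from. This is an upper bound on the password's strength."""
    return len(password) * math.log2(charset_size(password))


def wordlist_bits(word_count: int, vocabulary: int) -> float:
    """Bits of work for an attacker who knows the passphrase is built from common
    words and guesses word combinations instead of characters (assumed model)."""
    return word_count * math.log2(vocabulary)


def check_policy(password: str, min_len: int = 14, max_len: int = 64) -> list:
    """Length-centred policy in the spirit of the post: a length window and no
    composition rules. Returns a list of failure reasons, empty when it passes."""
    failures = []
    if len(password) < min_len:
        failures.append(f"shorter than {min_len} characters")
    if len(password) > max_len:
        failures.append(f"longer than {max_len} characters")
    return failures


if __name__ == "__main__":
    old = "W@5hPo5t!"
    phrase = "mycatlikesreadinggarfieldinthewashingtonpost"  # 9 words, 44 chars
    for pw in (old, phrase, phrase + "7!"):
        print(f"{pw!r}: alphabet {charset_size(pw)}, "
              f"brute force ~{brute_force_bits(pw):.0f} bits, policy {check_policy(pw) or 'ok'}")
    # Assumed attacker model: 9 words drawn from a 20,000-word list.
    print(f"word-guessing attack on the phrase: ~{wordlist_bits(9, 20_000):.0f} bits")
```

The short mixed-character password sits near 59 bits against a brute-force search, while the 44-character lowercase phrase is above 200 bits by the same measure and still around 129 bits against an attacker who guesses nine-word combinations from a 20,000-word list. Appending a digit and a symbol to the phrase widens the alphabet further, which is the "a little complexity could only help" effect.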
Most experts (including my frequent co-presenters and authors Dave Ries and John Simek) believe passwords alone are outdated. We believe in multi-factor verification (two-factor at least), where users have to prove their identity by entering a code sent to their e-mail address or cellphone number. This standard is being more quickly adopted than passphrases.
Still, the studies showed that even with passphrases, throwing in a little complexity — a number, a special character — could only help. We began using longer passphrases long ago - and using two-factor authentication whenever available. That is without doubt the current best practice.
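The second factor described above (a code sent to the user's e-mail address or phone) only adds security if the server side handles the code carefully. Here is an added example of that server-side logic (my own code, not from the post or from any product the authors use): the code is generated from a CSPRNG, stored only as a hash, expires after five minutes, is consumed on first successful use so it cannot be replayed, and is abandoned after a handful of wrong guesses. The in-memory store, the five-minute lifetime and the five-attempt limit are assumptions for the example; delivery of the code to the user is outside the snippet.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

# Constructed in-memory store keyed by user; a real deployment would use a
# server-side session or database. Assumption for the example.
_pending: Dict[str, dict] = {}

CODE_TTL_SECONDS = 300  # assumed 5-minute lifetime for a delivered code
MAX_ATTEMPTS = 5        # assumed number of wrong guesses before the code is voided


def _digest(user: str, code: str) -> str:
    # Only a hash is kept so a leaked store does not reveal live codes.
    return hashlib.sha256(f"{user}:{code}".encode()).hexdigest()


def issue_code(user: str, now: Optional[float] = None) -> str:
    """Create a fresh six-digit code for delivery by e-mail or SMS.
    The plaintext is returned to the delivery channel only; the server keeps
    just its hash, expiry and attempt counter. Re-issuing replaces any older code."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, never random.randint
    _pending[user] = {
        "digest": _digest(user, code),
        "expires": now + CODE_TTL_SECONDS,
        "attempts": 0,
    }
    return code


def verify_code(user: str, submitted: str, now: Optional[float] = None) -> bool:
    """Single-use check: succeeds at most once per issued code, refuses expired
    codes, and stops accepting guesses after MAX_ATTEMPTS failures."""
    now = time.time() if now is None else now
    entry = _pending.get(user)
    if entry is None:
        return False
    if now > entry["expires"] or entry["attempts"] >= MAX_ATTEMPTS:
        del _pending[user]  # expired or exhausted: the user must request a new code
        return False
    entry["attempts"] += 1
    # Constant-time comparison so timing does not reveal how many digits matched.
    if hmac.compare_digest(entry["digest"], _digest(user, submitted)):
        del _pending[user]  # consume on success so the same code cannot be replayed
        return True
    return False


if __name__ == "__main__":
    code = issue_code("alice")
    print("would deliver code", code, "to alice's phone or e-mail")
    print("wrong guess accepted?", verify_code("alice", "000000" if code != "000000" else "111111"))
    print("right code accepted?", verify_code("alice", code))
    print("replay accepted?", verify_code("alice", code))
```

The two properties worth checking in any implementation of this pattern are the ones the test below exercises: a code is accepted exactly once, and neither an expired code nor a code that has already absorbed too many wrong guesses is ever accepted afterwards.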