You log into your office PC or email account and a message pops up: it’s time to change your password. Unless you use a free password manager (or even a paid password manager), you roll your eyes, change ‘c0mpanyN4me13’ to ‘c0mpanyN4me14’, are rewarded with a green tick, and go about your business.
Deep down you know it’s not good practice, but the rules enforced by many online services make it the only way to create passwords you’ll actually remember.
Many of these regulations derive from a set of recommendations published by the US National Institute of Standards and Technology (NIST) in 2003. They were intended to make users’ passwords harder to guess, but did so at the expense of user friendliness.
In an interview with the Wall Street Journal, former NIST technology manager Bill Burr admitted he now regrets much of the advice the organization gave on creating strong logins.
At the time, he recommended picking combinations of characters that were as close to random as possible and changing them regularly, thereby making them harder to guess. That wasn’t totally beyond the realms of possibility 14 years ago, but now that we all rely on password-protected online services, remembering unique random logins for each one is simply impossible.
“Well it frustrates everybody, me included,” Burr told CBS News. “I have maybe 200 passwords. I can't remember all those, obviously.”
We're only human
Last month, NIST updated its guidelines for designers to make password authentication systems more user-friendly. The new recommendations include passwords that don’t expire arbitrarily, can be up to 64 characters long, and can include any printable characters, including spaces.
“It was surprising to see the news come up so quickly,” Steve Schult, senior director of product at LastPass, told TechRadar. “We hadn’t expected the kind of coverage it got, but for the LastPass team, it was very much in line with what we’ve been educating our customers to do for years.”
LastPass is a password management tool that stores users’ login details in a secure vault protected by a master password. It can generate a unique, strong password for all of your accounts and complete login forms automatically, so you don’t need to remember them.
“We had a blog post – I think it was from 2013 – where we recommended using a long passphrase that would be easier to remember,” said Schult. “Humans are not good at remembering 64-character alphanumeric passwords, and the new guidelines completely fit with our previous recommendations.”
LastPass doesn’t plan to make any changes to its password manager in response to the new NIST guidelines, but Schult recommends that online service providers pay particular attention to the new advice on password length.
“I use hundred-character passwords with numbers, letters and special characters, and I don’t re-use passwords because I want them to be as secure as possible,” he said. “There are a lot of sites that don’t support that, and we would recommend that they take a look at the new guidelines.”
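To make the contrast concrete, here is an added example (written for this page, not code from TechRadar, NIST or LastPass) that puts the old composition-rule policy next to an acceptance check in the spirit of the updated guidance: long passphrases with spaces are accepted, no character-class mix is demanded, and instead the password is screened against a breach list, the user and service names, and the "bump the trailing digit" habit from the opening paragraph. The breach list, the leet-folding of substituted digits, and the `jsmith`/`CompanyName` values are all assumptions made for the example; the storage hash uses PBKDF2 from the standard library for portability.

```python
import hashlib
import hmac
import secrets
import unicodedata
from typing import Optional, Tuple

# Constructed stand-in for a breached-password corpus. A real deployment would
# check against a large, regularly refreshed list; this small set is an
# assumption made for the example.
BREACHED = {"password", "123456", "qwerty", "letmein", "welcome1"}

# Fold the digit/symbol substitutions people use to satisfy composition rules,
# so 'c0mpanyN4me' is compared as 'companyname'. This folding is an addition of
# this example, not something the article or the NIST guidance prescribes.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

DIGITS = "0123456789"
ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def legacy_policy(pw: str) -> Tuple[bool, str]:
    """The composition-rule policy the article describes: 8-16 characters, no
    spaces, at least three of {lower, upper, digit, symbol}. 'c0mpanyN4me13'
    sails through; a long passphrase is rejected."""
    if " " in pw:
        return False, "spaces not allowed"
    if not 8 <= len(pw) <= 16:
        return False, "length must be 8-16"
    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ]
    if sum(classes) < 3:
        return False, "need three of lower/upper/digit/symbol"
    return True, "ok"


def nist_policy(pw: str, username: str, service: str,
                previous: Optional[str] = None) -> Tuple[bool, str]:
    """Acceptance check in the spirit of the updated guidance: NFKC-normalize,
    require at least 8 characters, accept up to 64 of any printable character
    (spaces included), impose no composition rules, and instead reject values
    that are breached, context-specific, repetitive, or trivial edits of the
    previous password."""
    pw = unicodedata.normalize("NFKC", pw)
    if len(pw) < 8:
        return False, "at least 8 characters"
    if len(pw) > 64:
        return False, "at most 64 characters"
    if not all(c.isprintable() for c in pw):
        return False, "non-printable character"
    folded = pw.casefold().translate(LEET)
    if folded in BREACHED:
        return False, "found in breach corpus"
    # The 'c0mpanyN4me13' -> 'c0mpanyN4me14' habit: same stem, new number.
    if previous is not None:
        stem = pw.casefold().rstrip(DIGITS).translate(LEET)
        prev_stem = previous.casefold().rstrip(DIGITS).translate(LEET)
        if stem and stem == prev_stem:
            return False, "trivial variant of previous password"
    for word in (username.casefold(), service.casefold()):
        if word and word in folded:
            return False, "contains user or service name"
    if len(set(pw)) == 1 or pw.casefold() in ALPHABET or pw in DIGITS:
        return False, "repetitive or sequential"
    return True, "ok"


def store(pw: str, iterations: int = 600_000) -> Tuple[bytes, bytes]:
    """Salted, iterated hash for storage. PBKDF2-HMAC-SHA256 is used because it
    is in the standard library; a memory-hard function is preferable where one
    is available."""
    pw = unicodedata.normalize("NFKC", pw)  # same normalization as at enrolment
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)


def verify(pw: str, salt: bytes, digest: bytes, iterations: int = 600_000) -> bool:
    pw = unicodedata.normalize("NFKC", pw)
    candidate = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    for candidate in ("c0mpanyN4me13", "correct horse battery staple", "P@ssw0rd"):
        print(f"{candidate!r:32} legacy={legacy_policy(candidate)} "
              f"nist={nist_policy(candidate, 'jsmith', 'CompanyName')}")
```

Run stand-alone, the script shows the inversion the article describes: the incremented office password passes the legacy rules and fails the new ones, while the four-word passphrase fails the legacy rules and passes the new ones. `P@ssw0rd` illustrates why the blocklist comparison is done on the folded form.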
The more, the merrier
For even better security, the new NIST guidelines recommend using multi-factor authentication for sensitive accounts. This means providing another form of verification, such as a code from a smartphone app, in addition to a regular password.
Android and iOS devices already support multi-factor authentication, as well as Facebook, Twitter and Google.
Schult echoes this advice. “With the proliferation of cloud services and devices since the original guidelines were written, password security will only take you so far. Two-factor authentication will stop security breaches in their tracks.”