We have all been tortured, for some time, by passwords.

Your password must be complex, we’ve been told. It must not contain any easily guessed patterns, such as “password” or “qwerty” or “123456” (actually among the most common passwords).

In fact, when setting up a new account, we are chided to follow the site’s password rules, for instance:

Your password has to be at least 8 characters long.
It must contain at least one lower case letter, one upper case letter, one digit, and one of these special characters: ~!@#$%^&*()_+

So we get clever and come up with something like “Pa$$word1” (which follows the rules but is nonetheless easily guessed).

We are also encouraged to use a different password for each of our accounts: banking, email, credit card, Facebook, etc.

The resulting burden, to create a different password for each account, each one complex, to remember them all, and to change them periodically, is enormous. (Oh, and don’t write them down.)

Computers were supposed to make our lives easier. What the heck happened?
You can thank our federal government, the National Institute of Standards and Technology (NIST) in particular. The above rules for creating a password are the result of a NIST recommendation in 2004. But the author of those recommendations, Bill Burr, has since apologized.

“In the end, [the list of guidelines] was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree,” said Burr. It turns out that short, complicated passwords are easier to crack than long, simple ones. Burr was not totally at fault. There had been very little research into password security to build on, so he had to make his best guesses. And he was wrong.

NIST has since reconsidered. In June of 2017, they issued a new set of recommendations that should make our password lives much easier. The major changes are:

1. Remove the requirement to periodically change passwords. A good password will remain so over time.
2. Replace the complexity requirement (upper case, lower case, number, special characters) with longer passwords, up to 64 characters, which may also include spaces.
3. Require that the website or application requesting that you create a password screen it against a dictionary of known compromised passwords before accepting it.
These changes would make your passwords much easier to create and remember and provide much greater security than the prior recommendations. For instance, under the new regime, you could create a password like this:

“I like Facebook because I can see what my grandkids are up to”

This password, 61 characters in length, would pose an enormous challenge to a brute-force attack because of the large number of bits of information and all their possible permutations.

There is only one problem. Even though this new recommendation was made in the middle of last year, almost no websites have been upgraded to allow such passwords. They will not accept it and will insist on some nonsense like “jHr$o8cRt4,” which is actually much easier to crack because it contains far fewer bits of information.
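As an added illustration (not code from the original post or from NIST), here is a Python check that implements the three changes listed above, side by side with the old composition rules, and runs both against the passwords discussed here. The list of compromised passwords is a small constructed sample; a real site would screen against a full breach corpus.

```python
import unicodedata

MIN_LENGTH = 8    # the new guidance keeps a floor of 8 characters
MAX_LENGTH = 64   # the site must accept at least 64 characters

# Constructed sample of known-compromised passwords. A real deployment would
# screen against a full breach corpus, not this handful of entries.
COMPROMISED = {"password", "qwerty", "123456", "pa$$word1", "letmein"}

SPECIALS = set("~!@#$%^&*()_+")


def old_rules_ok(password: str) -> bool:
    """The 2004-style composition rules quoted above: 8+ chars plus one of each class."""
    return (len(password) >= 8
            and any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in SPECIALS for c in password))


def normalize(password: str) -> str:
    """NFKC-normalize so that visually identical Unicode spellings compare equal."""
    return unicodedata.normalize("NFKC", password)


def new_rules_check(password: str) -> tuple:
    """The 2017-style check: length bounds and breach screening, no composition rules.

    Returns (accepted, reason). Spaces and any printable Unicode are allowed,
    and length is measured in code points rather than bytes.
    """
    pw = normalize(password)
    if len(pw) < MIN_LENGTH:
        return False, "too short"
    if len(pw) > MAX_LENGTH:
        return False, "too long"
    # Case-insensitive lookup so trivial capitalisation does not evade the screen.
    if pw.lower() in COMPROMISED:
        return False, "appears in a list of compromised passwords"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("Pa$$word1",
                      "I like Facebook because I can see what my grandkids are up to"):
        print(repr(candidate), "old:", old_rules_ok(candidate),
              "new:", new_rules_check(candidate))
```

Note that “Pa$$word1” passes the old rules and fails the new screen, while the 61-character sentence fails the old rules and is accepted by the new check.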
Here is the good news. Computers are becoming far more powerful and are now capable of identifying us based on our fingerprints or even by scanning our face. The newer iPhones already do this. It is now possible to unlock a bank ATM door and initiate a withdrawal based only on your thumbprint. And this technology will rapidly improve and expand, eventually replacing the need for any password.

What is a poor, hungry hacker to do? Almost certainly, they will escalate phishing attacks. A good example is the email that appears completely authentic, apparently from your bank, asking you to click a link in order to confirm account status (or some such excuse). The website you are directed to also looks completely authentic, and when you log in, you have just given away your credentials. How to defend against this? Don’t click that link!

If you think the request might be legitimate, use your browser to go directly to your bank’s website and conduct whatever business needs to be done.

Another, perhaps more dangerous, attack is socially engineered to make you trust the sender. Say that a hacker has compromised the system of a friend and now has access to your email address. They will then send an email to you, apparently coming from your friend, saying “hey, what a great article!” and giving you a link to click. Don’t click that link!

Even though the email looks like it came from your friend, that is easily spoofed. And, if you click that link, your system is now exposed to malware.

In this murky, dangerous world, you must at all times remain skeptical.

And don’t click that link!