The complexity rules applied to passwords today largely trace back to an eight-page document written by a manager at the National Institute of Standards and Technology. That document, “NIST Special Publication 800-63, Appendix A”, advised that “passwords should contain irregular capitalisation, special characters and at least one number”. It also indicated that passwords should be changed regularly, at least every 90 days.
This advice changed slightly over the years, eventually settling on: choose a word, swap some letters for numbers, add a few digits to the start or the end, and throw in a few special characters for good measure. All this has achieved is to make passwords hard for people to remember and easy for computers to guess.
Whilst this advice was reasonable given the computing power of the time, technology has marched on, and a password created using these techniques, such as “D1seng4g358!” (Disengage), can now be cracked by brute force on a standard desktop computer in about 3 days.
The author of what was considered the de facto guide to passwords now says that he regrets the advice:
Both the UK and US governmental bodies, the Centre for Protection of National Infrastructure (CPNI, UK) and the National Institute of Standards and Technology (NIST, US), have updated their guidance on password usage, and the two share the majority of their recommendations.
One of the most recognisable departures from the previous guidelines concerns password expiry. Both organisations now recommend that passwords do not expire, but that they are changed when there is evidence that the account has been, or may have been, compromised.
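To make the updated recommendation concrete, here is an added Python example (my own illustration, not code from the page, NIST or CPNI). It screens a candidate password the way the newer guidance suggests: a length floor, a check against a list of known-compromised passwords, and rejection of dictionary words disguised with the letter-for-number substitutions described above, so “D1seng4g358!” is caught as “disengage”. It also estimates how much smaller the search space becomes once a password is known to follow that pattern. The word list, the breached-password list, the substitution table and the search-space model are all constructed assumptions, not data from the page.

```python
"""Password screening in the spirit of the updated NIST/CPNI guidance:
no forced expiry, but reject candidates that are short, already known to be
compromised, or a dictionary word dressed up with digit/symbol substitutions.

Added illustration, not code from the page or from NIST/CPNI. The word list,
breached list and search-space model below are constructed assumptions."""

# Constructed: a tiny stand-in for a breached-password blocklist. A real
# deployment would use a large corpus of passwords seen in known breaches.
BREACHED = {"password", "123456", "qwerty", "letmein", "welcome1",
            "summer2019", "password1234"}

# Constructed: a tiny stand-in for a dictionary of common words.
DICTIONARY = {"disengage", "password", "summer", "dragon", "welcome", "monkey"}

# The substitutions the old advice encouraged. The same table lets a checker
# undo them, which is exactly why they add little real strength.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "8": "b", "@": "a", "$": "s", "!": "i"})
SUBSTITUTABLE = set("oieastb")   # letters that have a leet spelling above


def dictionary_base(password, dictionary=DICTIONARY, min_len=5):
    """Return the dictionary word hidden in the password once leet
    substitutions are undone, or None. 'D1seng4g358!' -> 'disengage'."""
    plain = password.lower()
    decoded = plain.translate(LEET)
    # Longest word first so 'password' wins over any shorter substring.
    for word in sorted(dictionary, key=len, reverse=True):
        if len(word) >= min_len and (word in decoded or word in plain):
            return word
    return None


def screen_password(password, min_length=12):
    """Return (accepted, reason) for a candidate password."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    if password.lower() in BREACHED:
        return False, "appears in breached-password list"
    base = dictionary_base(password)
    if base is not None:
        return False, f"dictionary word '{base}' with predictable substitutions"
    return True, "accepted"


def search_space(password, dictionary_size=100_000):
    """Compare the naive search space (every printable ASCII string of the
    same length) with the far smaller space that covers a
    word-plus-substitutions password.

    Simplified model (assumption): dictionary_size base words, each
    substitutable letter either swapped or not, and any of 95 printable
    characters in each extra position. Returns a dict with both sizes."""
    naive = 95 ** len(password)
    base = dictionary_base(password)
    if base is None:
        return {"naive": naive, "structured": naive}
    variants = 2 ** sum(1 for ch in base if ch in SUBSTITUTABLE)
    extra = len(password) - len(base)
    structured = dictionary_size * variants * 95 ** extra
    return {"naive": naive, "structured": structured}


if __name__ == "__main__":
    for candidate in ("D1seng4g358!", "welcome1", "password1234",
                      "P@ssw0rd2020", "correct horse battery staple"):
        print(candidate, screen_password(candidate), search_space(candidate))
```

Running the module prints a verdict and the two search-space sizes for each constructed candidate. The `min_len` floor in `dictionary_base` stops very short words matching inside otherwise random strings; with a full-size dictionary you would also want to limit the check to whole-word matches rather than any substring.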
There are several ways that passwords get exposed and compromised:
- Social Engineering – tricking users into divulging their passwords
- Manual Guesswork – using information about the user to manually guess likely passwords
- Interception – intercepting passwords that are sent in plain text, by email or by post
- Stolen – a significant number of people use the same password in multiple places; if one of those places is compromised (TalkTalk, Yahoo, Ashley Madison etc.) then their password can be retrieved
- Shoulder Surfing – as simple as someone looking over your shoulder (in person or via a camera) while you are entering your password
- Keyloggers – a hardware or software device, attached to or installed on your computer, that records every keystroke entered and either sends it to a remote system or stores it for later retrieval
- Automated Guesswork – using a computer (or multiple computers) to guess passwords thousands of times per second
- Searching – if a third party has physical access to where a user works, they can often find clues to the user's password, or even the password itself written down somewhere, often nearby
Alternatively, your password doesn’t need to be compromised if you have chosen a weak password to begin with.