People tend to hate computer passwords, that often nonsensical jumble of letters, numbers and special keystrokes said to be essential for digital security. The secret codes seem impossible to remember. It’s why every login page has a “Forgot password?” life preserver. The struggle even has a name: Password rage.
Now, a new standard is emerging for passwords, backed by a growing number of businesses and government agencies — to the relief of computer users everywhere.
No longer must passwords be changed so often, or include an incomprehensible string of special characters. The new direction is one that champions less complexity in favor of length.
Passwords that once looked like this: “W@5hPo5t!,” can now be this: “mycatlikesreadinggarfieldinthewashingtonpost.”
Requiring longer passwords, known as passphrases, usually 16 to 64 characters long, is increasingly seen as a potential escape route from our painful push toward logins that only a cryptographer could love.
A series of studies from Carnegie Mellon University confirmed that passphrases are just as good at online security because hacking programs are thrown off by length nearly as easily as randomness. To a computer, poetry or simple sentences can be just as hard to crack. Even better: People are less likely to forget them.
“You’re definitely seeing more of it,” said Michelle Mazurek, one of the Carnegie Mellon researchers, now at the University of Maryland College Park. “For equivalent amounts of security, longer tends to be more useful for people.”
One sign of change came this year from the federal agency overseeing government computer policy. The National Institute for Standards and Technology issued draft recommendations that called for a password overhaul — encouraging longer passwords and ending the practice of forcing new ones every 60 or 90 days.
“Passphrases are much harder to crack and break, and much easier to remember,” said Paul Grassi, a NIST senior adviser.
It was an acknowledgment that current password practices are a pain.
Passwords today are “completely unusable,” Grassi said. “Users forget, which creates all sorts of cybersecurity problems, like writing it down or reusing them.”
The demand for simpler passwords has grown along with the share of time spent online, where hard-to-recall codes restrict access not only to work and school email, but shopping, playing games, managing health claims and finding recipes. The average person has 19 to 25 different online passwords, polls have shown.
But the change to simpler password protocols remains slow. When Lorrie Cranor joined the Federal Trade Commission as chief technologist in January, she was stunned to learn that six of her government passwords came with automatic expirations.
A couple months later, she had whittled that list down to four.
Cranor said NIST’s draft rules send a signal to agencies and companies that the revamped password guidelines have the blessing of the federal government.
“One of the things we’ve seen when we talk to companies is they say, ‘Well, this is all good,’ but I can’t change things until I have something I can point to,” Cranor said.
Now, they can point to NIST special publication 800-63, which still needs final approval.
The government’s move was applauded by privacy advocates such as Christopher Soghoian at the American Civil Liberties Union.
“The fact that NIST is clearly coming around to embracing modern, science-based policies is great,” Soghoian said.
It’s possible the government could be the nimbler mover on this topic.
Guillaume Ross, senior consultant at computer security firm Rapid7, said businesses are often forced to slow adoption of new password policies because of legacy computers.
“On those systems it’s really hard for a security group to support long passwords,” Ross said.
Still, Ross tells clients to focus on password length for beefing up security rather than any other variable.