Be the leader in the new password-volution: memorized secrets

July 2, 2019 | Bob Covello
X

Get the latest security news in your inbox.

Subscribe via Email

No thanks. Close this now.

password revolution - young people revolting

Remember when you were younger, and you wanted to do something that all your friends were doing, yet you knew your parents would never approve?  Perhaps it was skating in that home-made “Half-Pipe”, or that time you wanted to try some equally dangerous stunt?

Of course, your parents disapproved, to which you probably responded with the time-honored refrain: “But everyone is doing it!”  That was never a convincing argument.  This probably added to the thrill, so you did it anyway (and you have the scars to prove it).

Do you ever wonder what would have happened if you were the first person to build that half-pipe?  Would the parental support have been different?  Would being the first be a special accomplishment?  Would others follow?

As with many “firsts”, sometimes it is better to be second, third, or even fourth, as the development of a new idea may sometimes be too new, or too daring.  Sometimes, it just needs the time to mature (remember MySpace, and its predecessor, Friendster?)

Here’s a “near-first” that you can try that poses no risks, and can increase your account security.  Be the first to extend your password beyond the required minimum. 

It has been over two full years since The National Institute of Standards and Technology (NIST) announced the replacement of the old password standards.  If you don’t recall, some of the sweeping changes included:

  • Allow at least 64 characters in length to support the use of passphrases. Encourage users to make memorized secrets as lengthy as they want, using any characters they like (including spaces), thus aiding memorization.
  • Do not impose other composition rules (e.g. mixtures of different character types) on memorized secrets.
  • Do not require that memorized secrets be changed arbitrarily (e.g., periodically) unless there is a user request or evidence of authenticator compromise.

Yes, NIST doesn’t even call them passwords anymore – they are “memorized secrets”.

Two years later, and sadly, many folks I know are still conforming to the same old password rules.  Why are we not bold enough to take the lead on this?  Your organization may require a minimum of 8 characters, but they probably do not restrict you to 8 characters.  Are you still using the minimum character length?

Now is the time to break free of the old password model and increase the length of your memorized secret.  It’s a password-volution!  The benefit that this serves is that when your organization finally adopts the NIST passphrase recommendation, you will be ahead of the curve.  Raise your Latte in triumph, you non-conformist hipster!

In all seriousness though, this new approach of long passphrases is going to happen quicker than you may imagine.  It is always better to become accustomed to a change before it is mandatory. Until the full NIST recommendation is adopted, we would still need to add uppercase and special characters to satisfy the old rule set, but that is always easy when a passphrase is being used. #EasyWhenUsingAPassphrase!  See what I mean?  That is a strong memorized secret!

Try it out, and be one of the first in your organization to adopt the new approach.  Get into this habit before everyone is doing it.

Here’s wishing you the best for your password future.

Bob Covello

About the Author: Bob Covello, Guest Blogger

Bob Covello (@BobCovello) is a 20-year technology veteran and InfoSec analyst with a passion for security topics. He is also a volunteer for various organizations focused on advocating for and advising others about staying safe and secure online.

Read more posts from Bob Covello ›

TAGS:

‹ BACK TO ALL BLOGS

Watch a Demo ›
Get Price Free Trial