Passwords have been around since the 1960s. According to the Beyond Identity blog post, The history and future of passwords, passwords were originally used on university computers to enforce time limits on researchers’ access to the machines. The first password hack occurred only two years later, in 1962, when one of those researchers printed the system’s password file so they could use someone else’s account to get more time on the computer.
Since then, people have been compromising passwords to get into other people’s accounts. It seems like every year the only protection we get is an insane new set of complicated rules like, “Your password must be 1 billion characters, an astrological sign and 17 words from a dead language” (just kidding). The Southern Maryland Chronicle’s article, New research: an average person has more passwords than an average pop song has words, reports that the average person has 70-80 passwords. Unless someone is using a password manager, it isn’t likely that they are memorizing 70 unique passwords. Instead, people tend to reuse passwords and write them down, which makes it easier for hackers to compromise accounts.
With these problems in mind, the National Institute of Standards and Technology (NIST) announced a few months ago that it would be updating its password policies, and some of the changes shocked many people in the security sector. These changes go against principles we have been taught for years, such as the idea that the longer and more complex a password is, the more secure it is.
Below is a short list of some of the most radical changes proposed by NIST, retrieved from NIST Password Guidelines (netwrix.com):
- User-generated passwords should be at least 8 characters in length.
- All ASCII/Unicode characters should be allowed, including emojis and spaces.
- Prospective passwords should be compared against password breach databases and rejected if there’s a match.
- Passwords should not expire.
- Complexity requirements, i.e., requiring special characters, numbers, or uppercase letters, should not be used.
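The five rules above can be expressed as a single validation routine. The following is an added example written for this post, not code from NIST or from the netwrix.com article: it accepts any Unicode (including emoji and spaces), counts length in code points rather than bytes, rejects candidates that appear in a breach list, and deliberately has no complexity or expiry checks. The breach list is a constructed handful of entries standing in for a real corpus of millions; the 64-character upper bound is an assumption chosen so that long passphrases still pass.

```python
import hashlib
import unicodedata
from typing import Tuple

# Constructed stand-in for a breached-password corpus. Real deployments load
# millions of entries; offline copies are commonly distributed as SHA-1 digests,
# so the check below works on digests rather than cleartext.
_CONSTRUCTED_BREACHED = {"password", "123456", "qwerty", "letmein", "password1"}
BREACHED_SHA1 = {hashlib.sha1(p.encode("utf-8")).hexdigest() for p in _CONSTRUCTED_BREACHED}

MIN_LENGTH = 8    # NIST minimum for user-chosen passwords
MAX_LENGTH = 64   # assumption: generous cap so passphrases are still accepted


def normalize(password: str) -> str:
    # NFKC so visually identical Unicode input compares equal at every login.
    # Whitespace is NOT stripped: spaces are legitimate password characters.
    return unicodedata.normalize("NFKC", password)


def check_password(candidate: str) -> Tuple[bool, str]:
    """Return (accepted, reason) for a prospective user-chosen password."""
    pw = normalize(candidate)
    # len() on a str counts code points, so one emoji counts as one character.
    if len(pw) < MIN_LENGTH:
        return False, f"must be at least {MIN_LENGTH} characters"
    if len(pw) > MAX_LENGTH:
        return False, f"must be at most {MAX_LENGTH} characters"
    if hashlib.sha1(pw.encode("utf-8")).hexdigest() in BREACHED_SHA1:
        return False, "appears in a known breach; choose a different one"
    # No digit / uppercase / symbol requirements, and nothing about expiry.
    return True, "ok"


if __name__ == "__main__":
    for sample in ["password", "short", "correct horse battery staple", "😀😀😀😀😀😀😀😀"]:
        print(repr(sample), check_password(sample))
```

Note that "password" is exactly eight characters and still fails, but only because of the breach list, not because it lacks symbols; the breach check is what does the work that complexity rules used to attempt.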
Wait?!?! What?!?! Passwords only need to be 8 characters long, and we no longer need complexity requirements? How on earth can that possibly be secure? First, it’s important to remember that NIST recommends using a Multi-Factor Authentication solution so that a password isn’t the only thing protecting the account. Second, a simple password is transformed into a much more complicated value when it is salted and hashed for storage. You can see this for yourself with a salt and hash generator like this one at Symbionts.
As a quick demo, I’ll show how the complexity of the password doesn’t really matter when using a salt and hash. For this demo, I’m using the SHA256 hashing algorithm on the Symbionts website referenced above.
- Demo 1: Using a salt of “salt” and setting the password to “password”, we can see that the generated hash comes out to: 13601bda4ea78e55a07b98866d2be6be0744e3866f13c00c811cab608a28f322. The weak password is made strong in this case by the salt and the hash.
- Demo 2: Using a salt of “salt” but changing the password to “5tgb6yhn&UJM*IK<”, we can see that the generated hash comes out to: 7fde65be587a09cc640a491db950270cab26e869220a90a4fcd5f3c9d5bf9864. The more complex password does not generate a more complex hash string.
In conclusion, I’m happy that NIST is updating its password policies to reflect the changing technology in security. I believe that in the future, passwords will be extinct and replaced by PINs, biometrics, zero-trust context analysis and other superior forms of authentication.