Passwords that once looked like this: W@5hPo5t!, can now be this: mycatlikesreadinggarfieldinthewashingtonpost.
Requiring longer passwords, known as passphrases, usually 16 to 64 characters long, is increasingly seen as a potential escape route from our painful push toward logins that only a cryptographer could love.
A series of studies from Carnegie Mellon University confirmed that passphrases are just as good at online security because hacking programs are thrown off by length nearly as easily as randomness. To a computer, poetry or simple sentences can be just as hard to crack. Even better: People are less likely to forget them.
“You’re definitely seeing more of it,” said Michelle Mazurek, one of the Carnegie Mellon researchers, now at the University of Maryland College Park. “For equivalent amounts of security, longer tends to be more useful for people.”
One sign of change came this year from the federal agency overseeing government computer policy. The National Institute for Standards and Technology issued draft recommendations that called for a password overhaul — encouraging longer passwords and ending the practice of forcing new ones every 60 or 90 days.
“Passphrases are much harder to crack and break, and much easier to remember,” said Paul Grassi, a NIST senior adviser.
It was an acknowledgment that current password practices are a pain.
Passwords today are “completely unusable,” Grassi said. “Users forget, which creates all sorts of cybersecurity problems, like writing it down or reusing them.”
The demand for simpler passwords has grown along with the share of time spent online, where hard-to-recall codes restrict access not only to work and school email, but shopping, playing games, managing health claims and finding recipes. The average person has 19 to 25 different online passwords, polls have shown.
But the change to simpler password protocols remains slow. When Lorrie Cranor joined the Federal Trade Commission as chief technologist in January, she was stunned to learn that six of her government passwords came with automatic expirations. A couple months later, she had whittled that list down to four.
Cranor said NIST’s draft rules send a signal to agencies and companies that the revamped password guidelines have the blessing of the federal government.
“One of the things we’ve seen when we talk to companies is they say, ‘Well, this is all good,’ but I can’t change things until I have something I can point to,” Cranor said.
Now, they can point to NIST special publication 800-63, which still needs final approval.
The government’s move was applauded by privacy advocates such as Christopher Soghoian at the American Civil Liberties Union.
“The fact that NIST is clearly coming around to embracing modern, science-based policies is great,” Soghoian said.
It’s possible the government could be the nimbler mover on this topic.
Guillaume Ross, senior consultant at computer security firm Rapid7, said businesses are often forced to slow adoption of new password policies because of legacy computers.
“On those systems it’s really hard for a security group to support long passwords,” Ross said.
Still, Ross tells clients to focus on password length for beefing up security rather than any other variable.
Joe Hall, chief technologist at think tank Center for Democracy and Technology, has noticed easier password rules among the 800 different logins he uses. (He admits he’s an outlier having so many accounts. But, he says, that’s part of his job.) In recent years, he has seen more sites allowing 16 character if not longer passwords. Fewer are requiring regular resets.
“This is part of a big push to make things more usable for humans,” Hall said.
Like many computer experts, Hall has been a fan of passphrases for years.
“I tell people to think of a sentence that is shocking and unpredictable, even nonsensical,” he said.
One example: “The spherical brown fox jumped into the Russian Bundestag.”
A friend of his likes to use pet peeves as his passwords, such as the malapropism “all intensive purposes.”
Of course, most experts say passwords of any kind are outdated. Many have been pushing two-factor verification, where users have to prove their identity by entering a code sent to their email address or cellphone number. This standard is being more quickly adopted than passphrases.
In the meantime, experts caution against using popular song lyrics or poetry lines in passphrases. So no Beyoncé or Wallace Stevens. Hackers can download libraries of information to try common phrases. Mazurek suggested typing in your passphrase into a Google search bar and seeing if the search engine can auto-complete it — signifying that it’s a common phrase.
Rich Shay, another Carnegie Mellon researcher, said the studies grew out of experiences on campus: School email passwords had to be eight characters long and include one uppercase letter, one lowercase letter, a special character and a number.
The researchers figured there had to be a better way.
Still, the studies showed that even with passphrases throwing in a little complexity — a number, a special character — could only help.
“There is no magic bullet,” said Shay, now at MIT. “There is no perfect password.”
And that’s something everyone already knows.