
Researchers find a new way to avoid 'password rage'

iStockphoto
Published Aug. 21, 2016

People tend to hate computer passwords, that often nonsensical jumble of letters, numbers and special keystrokes said to be essential for digital security. The secret codes seem impossible to remember. It's why every login page has a "Forgot password?" life preserver. The struggle even has a name: password rage.

Now a new standard is emerging for passwords, backed by a growing number of businesses and government agencies — to the relief of computer users everywhere. No longer must passwords be changed so often, or include an incomprehensible string of special characters. The new direction is one that champions less complexity in favor of length.

Passwords that once looked like "W5hPo5t!" can now be "mycatlikesreadinggarfieldinthewashingtonpost."

Requiring longer passwords, known as passphrases, usually 16 to 64 characters long, is increasingly seen as a potential escape route from our painful push toward logins that only a cryptographer could love.

A series of studies from Carnegie Mellon University confirmed that passphrases are just as good for online security, because password-cracking programs are slowed down by length nearly as much as by randomness. To a computer, poetry or simple sentences can be just as hard to crack. Even better: people are less likely to forget them.

"You're definitely seeing more of it," said Michelle Mazurek, one of the Carnegie Mellon researchers, now at the University of Maryland, College Park. "For equivalent amounts of security, longer tends to be more useful for people."

One sign of change came this year from the federal agency overseeing government computer policy. The National Institute of Standards and Technology issued draft recommendations that called for a password overhaul — encouraging longer passwords and ending the practice of forcing new ones every 60 or 90 days.

"Passphrases are much harder to crack and break, and much easier to remember," said Paul Grassi, senior adviser at the National Institute of Standards and Technology.

It was an acknowledgment that current password practices are a pain.

Passwords today are "completely unusable," Grassi said. "Users forget, which creates all sorts of cybersecurity problems, like writing it down or reusing them."

The average person has 19 to 25 different online passwords, polls have shown.

Guillaume Ross, senior consultant at computer security firm Rapid7, said businesses are often forced to slow adoption of new password policies because of legacy computers.

"On those systems it's really hard for a security group to support long passwords," Ross said.

Still, Ross tells clients to focus on password length for beefing up security rather than any other variable.

Joe Hall, chief technologist at think tank Center for Democracy and Technology, has been a fan of passphrases for years.

"I tell people to think of a sentence that is shocking and unpredictable, even nonsensical," he said.

One example: "The spherical brown fox jumped into the Russian Bundestag."

A friend of his likes to use pet peeves as his passwords, such as the malapropism "all intensive purposes."

Of course, most experts say passwords of any kind are outdated. Many have been pushing two-factor verification, where users have to prove their identity by entering a code sent to their email address or cellphone number. This standard is being more quickly adopted than passphrases.

In the meantime, experts caution against using popular song lyrics or lines of poetry in passphrases. So no Beyoncé or Wallace Stevens. Hackers can download libraries of information to try common phrases. Mazurek suggested typing your passphrase into a Google search bar and seeing whether the search engine autocompletes it — a sign that it is a common phrase.
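The policy the article describes, written out as an added Python example (not code from the article, NIST or any of the researchers quoted): a passphrase is accepted on length alone, no special-character rules are applied, and phrases that appear in a blocklist of well-known sentences are rejected. The blocklist here is a small constructed stand-in for the phrase libraries the article mentions; a real deployment would load a large list of lyrics, quotes and leaked passwords, and the `guess_bits` estimate is only a rough search-space comparison, not a measure of how guessable a phrase is.

```python
import math
import re

# Constructed stand-in for a real blocklist of common phrases and lyrics.
COMMON_PHRASES = [
    "the quick brown fox jumps over the lazy dog",
    "to be or not to be that is the question",
    "mary had a little lamb",
]

MIN_LEN, MAX_LEN = 16, 64  # the 16-to-64 character range the article cites


def _squash(text: str) -> str:
    """Lowercase and drop everything but letters and digits, so that
    'The Quick Brown Fox!' and 'thequickbrownfox' compare equal."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


BLOCKLIST = {_squash(p) for p in COMMON_PHRASES}


def guess_bits(secret: str) -> float:
    """Rough upper bound on the brute-force search space, in bits:
    length * log2(alphabet), with the alphabet inferred from the
    character classes actually present (26 lower, 26 upper, 10 digits,
    33 printable ASCII symbols)."""
    alphabet = 0
    if re.search(r"[a-z]", secret):
        alphabet += 26
    if re.search(r"[A-Z]", secret):
        alphabet += 26
    if re.search(r"[0-9]", secret):
        alphabet += 10
    if re.search(r"[^A-Za-z0-9]", secret):
        alphabet += 33
    return len(secret) * math.log2(alphabet) if alphabet else 0.0


def check_passphrase(secret: str) -> tuple[bool, str]:
    """Length-based policy: enforce the length window, impose no
    composition rules, and reject anything containing a blocklisted
    phrase even when it is padded, capitalised or punctuated."""
    if len(secret) < MIN_LEN:
        return False, f"too short: need at least {MIN_LEN} characters"
    if len(secret) > MAX_LEN:
        return False, f"too long: at most {MAX_LEN} characters"
    squashed = _squash(secret)
    if any(phrase in squashed for phrase in BLOCKLIST):
        return False, "contains a well-known phrase"
    return True, "ok"
```

Running `guess_bits` on the article's two examples shows the point about length: the 8-character "W5hPo5t!" draws from a 95-symbol alphabet but still has a far smaller search space than the 44-character all-lowercase sentence.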