AUDIE CORNISH, HOST:
I'm Audie Cornish with this week's All Tech Considered.
(SOUNDBITE OF MUSIC)
CORNISH: Here's the received wisdom about passwords. Make them complicated. Use numbers and question marks and hash marks. Change them regularly. And use different passwords for each app and website. Of course you may end up like this.
CORNISH: Now, all this probably sounds familiar to our next guest, Paul Grassi, right?
PAUL GRASSI: Absolutely.
CORNISH: Paul works at the National Institute of Standards and Technology. He's here because they have issued new guidelines on crafting passwords altogether. How come?
GRASSI: What we found out now that we have 10, 15, 20 years of data is that the traditional guidance is actually producing passwords that are easy for bad guys and hard for legitimate users.
CORNISH: So give us the bullet points for your new guidelines. What should we be doing instead?
GRASSI: The new guidelines are extremely counter-intuitive but, we believe based on the data that we have, flip the paradigm on its head. It makes passwords easy for users to remember and very hard for bad guys to break. The guidelines now say long passwords are good. Phrases are good. Spaces are good. Lowercase, just typical English words is good - no need for special composition rules, no need for lower, upper, number, characters like exclamation or at symbols. And don't expire them.
CORNISH: So I could have a password that is essentially, Paul Grassi, welcome to the studio.
GRASSI: You could, provided that you believe nobody would know that that's your password. We focused on, what tools can users use to remember these things? So if you can picture it in your head and no one else could, that's a good password.
CORNISH: This seems suspiciously easy. Why does it work?
GRASSI: It works because we're creating longer passwords that cryptographically are harder to break than the shorter ones even with all those special character requirements. We are really bad at random passwords, so the longer, the better.
CORNISH: How has the computer security industry received (laughter) this suggestion?
GRASSI: We are getting nothing but positive feedback. As a matter of fact, I'd be remiss if I took credit for this update. This is the result of a culmination of feedback from the private and public sectors.
CORNISH: For a long time, people were saying what you need actually is a password manager. So this is one program, kind of one password to rule them all. And no matter how many different websites and online stores and things you're using with various different passwords, this one vault, so to speak, would keep them all. Is that still in the guidance?
GRASSI: It absolutely is. We have requirements or recommendations that allow - we stopped short of endorsing them because we think this is a personal decision. But they certainly are supported in our guidelines and can be a good thing, especially because of the fact that what they're doing is completely randomizing the password.
CORNISH: So at the end of the day, you are here to free us from the tyranny of our IT departments and their incredible demands on our password selection.
GRASSI: We hope so. The old wisdom, even though it sounds like it should work because it's complicated and changing things, seems to make sense - we actually found that it does everything negative for usability and really not a whole heck of a lot for security, especially when you look at the paradigm of changing your passwords every 90 days. I'm pretty sure you're not changing your entire password. You're shifting one character.
GRASSI: Everyone does that.
CORNISH: You're on to me, Paul Grassi, is what you're saying (laughter).
GRASSI: Everyone does that, and the bad guys know that. So that is a really, really weak control from a security perspective.
CORNISH: Paul Grassi is senior standards and technology adviser at the National Institute of Standards and Technology. Thanks for coming in.
GRASSI: Thank you for having me.
NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.