Q&A: NIST’s Paul Grassi on What Makes a Strong Password
Let’s all agree that passwords are one of the worst parts about being online. They’re hard to remember and annoying to recover. Once you come up with a good one, it expires immediately. If you’re like many people, you just gave up and now use the same password for every site, or write them all down somewhere.
In June, the U.S. National Institute of Standards and Technology updated its Digital Identity Guidelines with best practices for how federal agencies should identify users on websites and handle personal data. The guidelines include new recommendations about passwords that could finally resolve some of these common frustrations.
In the past, the agency had said it’s best to select a mix of uppercase and lowercase letters, numbers, and special characters. Those bizarre combinations soon became the norm across government agencies and the tech industry. Now, NIST says agencies should allow users to come up with much longer passwords—at least 64 characters in length—without requiring any special characters.
This would allow users to choose a string of easy-to-remember words with spaces in between—such as “turtle box super liquor”—instead of something like X30UnMx$#. NIST also says users should be able to keep a password forever, with no expiration date.
Paul Grassi, senior standards and technology advisor for NIST and the author of the new guidelines, explains the agency’s new thinking about the problem of passwords.
This interview has been edited and condensed for clarity.
IEEE Spectrum: How are the Digital Identity Guidelines meant to be used?
Paul Grassi: They’re specifically designed to only be for federal agencies, specifically civilian and non-national security, targeted only at our federal stakeholders. That said, we expect and hope the private sector will actually deliver the solutions these guidelines discuss, so we very much have the private sector in mind.
IEEE Spectrum: How did you figure out what the newest guidelines should say about password security?
Paul Grassi: We make sure we evaluate [our guidelines] on a regular basis to make sure they’re current and not lagging behind threats in the market. This one was a long time coming for a lot of reasons. We had an RFI process, asking the private and public sector what they thought was missing, and then we basically opened up an open-source version of the document on GitHub where we were collaborating amongst ourselves and anybody who wanted to contribute. We certainly learned a lot about what modern research was telling us about some of the flaws in the guidelines.
IEEE Spectrum: Can you explain the concept of password entropy?
Paul Grassi: A password’s entropy means how difficult it is to guess, how random it is, and what would be the length of time for a brute force attack to be able to break it. The longer the password, typically the more entropy there is, which is why we’ve changed our guidelines to allow for longer passwords that are easier to remember rather than shorter passwords that are easy to forget.
IEEE Spectrum: You emphasize usability in the new guidelines. Why is it important to think about usability of passwords?
Paul Grassi: I’m of the mindset that poor usability tends to create workarounds that are insecure. We’ve seen it across the board. In the case of passwords, humans are really bad at randomizing passwords. Where a highly randomized one can reach high entropy, non-randomized ones do not. Users were substituting special characters that look like regular characters, an @ sign instead of an “a.” What we were hoping were truly random, difficult passwords were actually not because of those workarounds.
IEEE Spectrum: What else did you learn from new research about passwords and incorporate into these guidelines?
Paul Grassi: The other update about passwords is—don’t expire them. Expiration isn’t a motivator to create a brand new password, it’s motivation to shift one character so you can remember the password. If you’re like me, and most people are, they’re following some keyboard progression they know, with moving one character up and one down. So all those workarounds created insecure passwords.
IEEE Spectrum: So if I want to keep a password for the rest of my life, I should be able to do that?
Paul Grassi: Absolutely. If your password hasn’t been breached, then why would you change it? If a password file has been broken by a bad guy and you’re going to change it by one digit, they’re going to know that. The expiration date doesn’t make a whole heck of a lot of sense in that paradigm.
In the big scheme of things, passwords are only allowable in our guidelines for low-risk applications. In most cases, multi-factor authentication is required anyway. Your password, if it’s used in a multi-factor scheme, is one piece of the puzzle and the impact of a breach in a single-factor scheme should not be significant because it’s for a low-risk application.
IEEE Spectrum: Do you have suggestions about what users can do to better manage their passwords?
Paul Grassi: The best practice is to have a different password for every site. That’s going to be impossible to remember. So segmentation is helpful—use one password for financial services, use one password for social media. Use one password for email and don’t use it anywhere else, because email is still the recovery method of choice for most sites. We also advocate multi-factor authentication whenever it’s available.
IEEE Spectrum: Aside from passwords, what else do the Digital Identity Guidelines cover?
Paul Grassi: We’ve spent a lot of time writing privacy requirements. We want agencies to absolutely undercollect, not overcollect. We want their default to be, if I need somebody’s age, can I just ask that question, rather than require the user to provide their full date of birth? So privacy is a big focus.
It’s not up to us to require specific architecture, but we certainly encourage [agencies] to federate. Identity is costly and we see cost savings if every agency does not individually identity-proof a user. If it can be done once or twice, and used across the government, that’s a good thing.
IEEE Spectrum: Your guidelines address biometric security. How close are we to living in a world without passwords?
Paul Grassi: Passwords may be there for the foreseeable future. Even though there’s innovation allowing for a passwordless experience, you have to have the technology to be able to do it, and not everybody has it or wants it. This is the tough part. Some folks may just not want to keep up with innovation and we have to have a solution that works for them, too. Passwords aren’t going anywhere.