Change is Coming
ITS strives to provide tools that keep information safe for you and the institution. In May of 2022, we will require all new passwords to be long passphrases. In September of 2022, we will begin to expire old passwords created before May 2022 and require that they meet the passphrase criteria described below.
Entropy
For almost two decades, the conventional wisdom on password strength was based on mathematical estimates of implied entropy. Entropy measures how unpredictable a system is: the more entropy, the less likely you are to guess the outcome.
People are far less unpredictable than that model assumes. Entropy presumes an outcome that has yet to be decided, while people choose passwords with a specific end in mind. That lowers the entropy in the system and makes the result more predictable.
What do we mean?
The Problem with Complex-8
When asked to make a password that is at least eight characters long and must contain an upper case, digit, and special character, typically, we will make every effort to meet the minimum length and do the following:
- child’s name + birth year + !
- spouse + year they met + !
- pet’s name + 0 + !
We met the requirements while simultaneously guaranteeing a password that can be socially engineered.
The rules we were previously given do not protect us as we thought. Bill Burr, who wrote the original guidance, has publicly apologized for the complexity rules and the burden of remembering the passwords they produce. As vividly explained by xkcd #936, we have successfully taught humans to create passwords that are impossible to remember and easy for computers to crack.
A Simpler, Better Approach
Current security models use passphrases: groups of unrelated words that are not easily guessable. The general guidance is about 5-7 unrelated words.
The following guidelines are given:
- Length is at least 16 characters.
- No mandatory character requirements (capital letter, digit, special character).
- No expiration, except in the case of password compromise.
- No reuse of old passwords.
- Do NOT use nicknames, birthdays, movie quotations, pets, song lyrics, etc.
ITS will provide tools to help make password selection easier.
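To make the entropy argument and the guidelines above concrete, here is an added example (not one of the ITS tools, and not code from any of the references). It puts a number on the three strategies discussed on this page and then checks a candidate against the guidelines: minimum length of 16, no reuse of an old password, and no personal terms such as names or birth years. The pool sizes behind the "name + year + !" estimate, the sample user's personal terms, the old passwords and the salt are all constructed assumptions; the reuse check uses PBKDF2 so that stored old-password fingerprints are slow to brute-force.

```python
import hashlib
import math

# Policy threshold taken from the guidelines on this page.
MIN_LENGTH = 16

# Constructed demo salt. A real system stores a random salt per user.
SALT = b"constructed-demo-salt"


def search_space_bits(choices_per_position: int, positions: int) -> float:
    """Entropy in bits of a secret drawn uniformly at random, where each of
    `positions` slots is one of `choices_per_position` symbols or words."""
    return positions * math.log2(choices_per_position)


def scheme_entropy() -> dict:
    """Compare three ways of producing a password. The pool sizes for the
    'human pattern' row are assumptions chosen for illustration only."""
    return {
        # 95 printable ASCII characters, 8 positions, all chosen at random.
        "random_complex_8": search_space_bits(95, 8),
        # 5 words drawn at random from a 7776-word (Diceware-style) list.
        "random_passphrase_5": search_space_bits(7776, 5),
        # child's name + birth year + "!": assume ~1000 common first names,
        # ~100 plausible years and ~10 favourite trailing symbols.
        "name_year_symbol": math.log2(1000 * 100 * 10),
    }


def fingerprint(password: str, salt: bytes = SALT) -> str:
    """Slow salted hash used only to recognise reuse of an old password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000).hex()


def check_passphrase(candidate: str, personal_terms, previous_fingerprints) -> list:
    """Return the policy violations for `candidate` (empty list = accepted)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    lowered = candidate.lower()
    # Coarse substring check against things that can be looked up about a
    # person: names, birth years, pets. Terms under 3 characters are skipped
    # to avoid matching noise.
    for term in personal_terms:
        if len(term) >= 3 and term.lower() in lowered:
            problems.append(f"contains personal term {term!r}")
    if fingerprint(candidate) in previous_fingerprints:
        problems.append("reuses a previous password")
    return problems


# Constructed sample data for one hypothetical user.
PERSONAL_TERMS = ["Olivia", "Rex", "1987"]
PREVIOUS_FINGERPRINTS = {fingerprint("Olivia1987!"), fingerprint("Rex0!")}


def evaluate(candidates):
    """Run the policy check over several candidates at once."""
    return {c: check_passphrase(c, PERSONAL_TERMS, PREVIOUS_FINGERPRINTS)
            for c in candidates}


if __name__ == "__main__":
    for name, bits in scheme_entropy().items():
        print(f"{name:22s} {bits:5.1f} bits")
    for pw, problems in evaluate(["Olivia1987!", "Rex0!Rex0!Rex0!Rex0!",
                                  "cactus lantern orbit velvet thimble"]).items():
        print(f"{pw!r}: {'OK' if not problems else '; '.join(problems)}")
```

The numbers make the page's point directly: a randomly generated eight-character "Complex-8" password is worth about 52 bits, five random words about 65 bits, and the name-plus-year pattern only about 20 bits, because an attacker only has to search the small pool of things a person is likely to pick. The personal-term check is deliberately coarse substring matching; a production tool would draw those terms from directory data the institution already holds and would additionally screen against known-breached password lists.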
References
British NCSC (National Cyber Security Centre) regarding general policy
US NIST (National Institute of Standards and Technology) regarding composition
US NIST regarding complexity
SANS Institute – Password Expiration
SANS Institute – NIST Has Spoken
Published: Wed, 06 Apr 2022 12:05:08 +0000 by w.jojo