It’s time to rethink passwords – past time, really.
The way we’ve been thinking about internet passwords is all wrong and it’s time to seriously evolve the way we keep our online data world secure.
At least that’s what a group of U.S. government nerds suggested March 31 when it issued a draft of new “Digital Identity Guidelines” (NIST Special Publication 800-63-3 and its companion volumes) for public comment.
Passwords are, of course, the bane of most online denizens’ digital experience. But passwords – in some form or another – will be with us for many years to come and the stark increase in cyber threats and hacking makes security just about as large a question as we have online.
The authors of the draft work at the National Institute of Standards and Technology, an agency of the U.S. Department of Commerce. NIST writes rules for U.S. government agencies on, well, technology and its standards, and because so many vendors sell to the government, those rules tend to become industry standards.
The short version of the draft’s recommendations on passwords is aimed at the sites and services that check them, not only at users: stop forcing people to change passwords on a schedule (change them when there is reason to think they were stolen); stop demanding a mix of capital letters, numbers and symbols, which mostly produces “Password1!”; and screen every new password against lists of commonly used and previously breached ones, so that “password” and “123456” are simply refused. Length matters more than character mixing, so the draft also says to accept long passphrases, spaces included.
Instead of piling rules onto the password, the draft says, services should keep expanding multi-factor authentication (a second step beyond the password, such as a code from an app or a hardware key) and should protect the authenticators themselves, and the channel they travel over, with approved cryptography.
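Here is what those rules look like on the server side. This is an added example written for this column, not code from NIST; the blocklist is a constructed stand-in for a real corpus of breached passwords, and the 256-character hard cap and the 20,000 PBKDF2 iterations are this example’s choices (the draft requires accepting at least 64 characters and at least 10,000 iterations, and leaves the rest to the implementer).

```python
"""Memorized-secret (password) handling in the style of the SP 800-63B draft:
no composition rules, no scheduled expiry, a blocklist check, Unicode
normalization, a salted slow hash and a failed-attempt limit.
Added example; not NIST's code."""
import hashlib
import hmac
import os
import unicodedata

MIN_LEN = 8                  # 63B: user-chosen secrets are at least 8 characters
MUST_ALLOW_LEN = 64          # 63B: verifiers should accept at least 64 characters
HARD_CAP = 256               # assumption, not a 63B rule: bounds hashing cost
PBKDF2_ITERATIONS = 20_000   # 63B: at least 10,000 for PBKDF2; chosen for this example
MAX_FAILED_ATTEMPTS = 100    # 63B: at most 100 consecutive failures per account

# Constructed stand-in for a list of commonly used / previously breached secrets.
BLOCKLIST = {"password", "123456", "12345678", "qwerty123", "letmein1", "password1"}


def normalize(secret):
    """63B: apply NFKC (or NFC) so the same visible text from different
    keyboards compares equal. Spaces and all printable Unicode are allowed."""
    return unicodedata.normalize("NFKC", secret)


def is_repetitive_or_sequential(s):
    """Flags 'aaaaaaaa' and 'abcdefgh' style secrets, which 63B lists as
    blocklist material alongside dictionary words."""
    if len(set(s)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps == {1} or steps == {-1}


def check_new_secret(secret, context_words=()):
    """Accept or reject a user-chosen secret. Returns (accepted, reason).
    Note what is absent: no 'must contain a digit', no expiry date."""
    s = normalize(secret)
    if len(s) < MIN_LEN:
        return False, "too short"
    if len(s) > HARD_CAP:          # never truncate silently; reject instead
        return False, "too long"
    if s.lower() in BLOCKLIST:
        return False, "commonly used or breached"
    if is_repetitive_or_sequential(s):
        return False, "repetitive or sequential"
    for word in context_words:     # e.g. the username or the service name
        if word and word.lower() in s.lower():
            return False, "contains account or service name"
    assert MUST_ALLOW_LEN <= HARD_CAP
    return True, "ok"


def store_secret(secret):
    """63B: store a salted hash from a suitable one-way key derivation
    function, salt at least 32 bits (128 here)."""
    data = normalize(secret).encode("utf-8")
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", data, salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest, "failed": 0}


def verify_secret(record, attempt):
    """Check a login attempt against a stored record, enforcing the
    consecutive-failure limit and a constant-time comparison."""
    if record["failed"] >= MAX_FAILED_ATTEMPTS:
        return False, "locked: too many failed attempts"
    data = normalize(attempt).encode("utf-8")
    digest = hashlib.pbkdf2_hmac("sha256", data, record["salt"], PBKDF2_ITERATIONS)
    if hmac.compare_digest(digest, record["hash"]):
        record["failed"] = 0
        return True, "ok"
    record["failed"] += 1
    return False, "wrong secret"


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple", "aaaaaaaaa"):
        print(repr(candidate), check_new_secret(candidate))
```

The thing to notice is what the acceptance check does not do: “correct horse battery staple” sails through with no capital, digit or symbol, while “Password1” is refused because, lower-cased, it is on the blocklist. The failure counter lives with the stored record so the lockout follows the account, not the client.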
“Cryptographic authenticators used at (robust security levels) SHALL use approved cryptography,” the committee reports. “Software-based authenticators that operate within the context of a general purpose operating system MAY, where practical, attempt to detect compromise of the platform in which they are running (e.g., by malware) and SHOULD decline to operate when such a compromise is detected.”
The all caps are not emphasis; they are the draft’s requirement keywords. SHALL means mandatory, SHOULD means recommended unless there is a good reason not to, and MAY means optional.
“Communication between the claimant and channel (the primary channel in the case of an Out of Band authenticator) SHALL be via an authenticated protected channel to provide confidentiality of the authenticator output and resistance to (outside) attacks,” the committee reports.
What that means is: encrypt, but also authenticate. A scrambled connection to the wrong party is no help, so the channel must prove which server is on the other end (in practice, TLS with the client checking the server’s certificate) before a one-time code or password travels over it.
Further, the draft limits how long a login lasts. At the middle of its three “authenticator assurance levels” (AAL2), a session may run for at most 12 hours and ends after 30 minutes with no activity, after which the user must authenticate again.
This doesn’t mean users will have to type a password every half hour while they are working; the idle clock only matters once you walk away. But it does mean the user, not the software, does the re-authenticating: when the session expires, you present an authenticator again, whether that is the password, a PIN on the app, or a tap on a hardware key. What the service automates is the expiry itself.
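The session rule is easy to get subtly wrong, so here is an added example of it, written for this column and not taken from NIST or any product. It uses the 12-hour and 30-minute limits the column cites (the AAL2 numbers in the draft); the class and method names are this example’s own.

```python
"""Session lifetime and idle timeout in the style of the SP 800-63B draft
(AAL2: 12-hour absolute limit, 30-minute inactivity limit).
Added example; not NIST's code."""
from datetime import datetime, timedelta

MAX_SESSION_AGE = timedelta(hours=12)    # absolute limit since last authentication
IDLE_TIMEOUT = timedelta(minutes=30)     # limit on the gap between requests


class Session:
    def __init__(self, authenticated_at):
        self.authenticated_at = authenticated_at
        self.last_activity = authenticated_at
        self.ended = False

    def needs_reauth(self, now):
        """True when the user must present an authenticator again."""
        if self.ended:
            return True
        if now - self.authenticated_at >= MAX_SESSION_AGE:
            return True
        if now - self.last_activity >= IDLE_TIMEOUT:
            return True
        return False

    def touch(self, now):
        """Record a request at time `now`. Returns True if the session is
        still valid, False if it has ended and re-authentication is needed.
        The expiry check runs BEFORE last_activity is updated; doing it the
        other way round would let a request after a long idle gap revive
        the session, which defeats the idle timeout."""
        if self.needs_reauth(now):
            self.ended = True
            return False
        self.last_activity = now
        return True

    def reauthenticate(self, now):
        """The user presented an authenticator again: both clocks restart."""
        self.authenticated_at = now
        self.last_activity = now
        self.ended = False


def active_session_survives_until_limit(start, interval=timedelta(minutes=20)):
    """Drive a session with steady activity and return the number of requests
    it accepts before the 12-hour absolute limit ends it. With 20-minute
    gaps (under the idle limit) that is 35: the 36th lands exactly at 12h."""
    s = Session(start)
    accepted, t = 0, start
    while True:
        t += interval
        if not s.touch(t):
            return accepted
        accepted += 1


if __name__ == "__main__":
    t0 = datetime(2017, 3, 31, 9, 0)
    s = Session(t0)
    print(s.touch(t0 + timedelta(minutes=29)))   # True, still active
    print(s.touch(t0 + timedelta(minutes=95)))   # False, 66 minutes idle
    print(active_session_survives_until_limit(t0))  # 35
```

Two details carry the security weight: the comparison uses `>=` so a request landing exactly on the boundary does not sneak through, and `touch` refuses to extend a session it has just found expired, so the idle timeout cannot be reset by the very request that arrived too late.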
Finally, and for the best security possible, the draft points to cryptographic authenticators: a hardware token or a piece of software that holds a private key and proves possession of it by signing a fresh challenge from the service each time you log in. The private key is generated on the device and never leaves it, and the service stores only the matching public key, so a breach of the service’s database hands the attacker nothing that can be replayed to impersonate you.
That is also why these keys are not something a user shares with any platform or service: only the public half is ever handed over, and the strongest class of authenticator in the draft keeps the private half in hardware that will not export it at all.
One more translation. When the draft talks about “memorized secrets” it is not describing a new tool; that is simply its term for passwords, passphrases and PINs, the things you remember rather than carry, and the rules summarized above are the rules for them. What the draft pointedly does not count as an authenticator is the security question. It tells verifiers not to steer people toward information like “what was the name of your first pet?” when a secret is chosen, and it drops stored password hints that anyone can read without logging in.