Last year I provided a number of simple steps to lower the risk to your online presence without making your life harder. This year, I'm focusing on making logging into your accounts easier.

First, I'm going to share the takeaways from our new password guidance. Simply put: Use passphrases, not passwords. Then, I'm going to explain the absolute most important thing to know about passwords: Try not to use them at all. And if you do, don't rely on passwords, or even passphrases, alone.

A few years ago, I found myself in a really bad rut. I was under a lot of stress, so I had trouble sleeping. When I woke up, I'd be exhausted, so I'd sleep in a half hour. Because I was starting later in the morning, it would be hotter, so I'd run a little slower. Running slower meant more time would pass, so it would get even hotter, so I'd cut off a mile, but doing that made me disappointed in myself, which added to my stress and ended up making me even more exhausted.

After a while, I finally realized I wasn't helping myself. Running was supposed to build me up, body and spirit, but I was in a cycle that was tearing both down. I changed the cycle to let my emotional and physical conditions dictate my running, not the other way around. Soon after, I was running longer, faster, more consistently, and with fewer injuries. I broke the cycle by having the way I function drive my training, and the results were unambiguously positive.

This may seem like a forced analogy, but that is the basic approach to change NIST took in rewriting its password guidance. Over the years, our reliance on passwords, and the ease with which our adversaries can defeat those passwords, resulted in a negative feedback loop where users were subjected to increasingly complex, stressful and exhausting composition rules (upper, lower, and special characters, oh my!), increasing length requirements, password rotation requirements, and on and on.

As this XKCD comic points out, complex password rules actually drive us to create predictable, easy-to-guess passwords ("password1!" anybody?) or find other ways to make things easier on ourselves, e.g., reusing passwords across sites or saving them in spreadsheets or sticky notes. Like pounding out more and more miles faster and faster, these looked like gains on paper but undermined the outcome we wanted: a safer and more convenient online experience. In practice, all those rules had made it easier for the bad guy, and harder, and less secure, for the user.

This summer, after a lengthy process with continual collaboration from government and industry, NIST released an update to Special Publication (SP) 800-63 to address the many changes that digital identity has undergone during that document's decade of existence. You can read more about that groundbreaking process here.

Among the huge number of things we wanted to do with the update was to give people guidance that would help them come up with passwords that were easy for them to remember, but hard for attackers to compromise.
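The guess-space argument behind the XKCD comic cited above, worked through as an added example. This is illustration code, not part of the NIST post or of SP 800-63. The mangling rule set, the 50,000-word cracking dictionary and the 10^10 guesses-per-second rate are assumptions chosen for the example; 7,776 is the size of the EFF long wordlist. The model compares what an eight-character, all-character-classes rule promises on paper with what people actually produce under it (a dictionary word plus a capital, a few leet substitutions, trailing digits and a symbol), and sets both against randomly chosen passphrases.

```python
"""Search-space estimates: composition-rule passwords versus random passphrases.

Added example illustrating the XKCD argument cited in the NIST post. Dictionary
size, rule set and guess rate are assumptions for the example, not figures from
the post or from SP 800-63B.
"""
import itertools
import math

# Assumed mangling rules, modelled on what composition rules push people toward:
# a word, maybe a capital, common leet substitutions, one or two trailing digits
# and a trailing symbol ("password1!", "P@ssw0rd1!").
LEET = {"a": "@", "e": "3", "o": "0"}
DIGIT_SUFFIXES = [str(n) for n in range(10)] + [f"{n:02d}" for n in range(100)]
SYMBOL_SUFFIXES = list("!@#$%^&*?.")

# Assumed sizes: 50,000 is a guess at a cracker's starting dictionary; 7,776 is
# the EFF long wordlist (6**5 entries); 1e10/s is a rough offline GPU rate
# against a fast unsalted hash and is an assumption, not a measurement.
DICTIONARY_SIZE = 50_000
WORDLIST_SIZE = 7_776
GUESSES_PER_SEC = 1e10


def candidates(word):
    """Return every password the mangling rules derive from one dictionary word."""
    present = [c for c in LEET if c in word]
    out = set()
    for mask in itertools.product((False, True), repeat=len(present)):
        mangled = word
        for letter, on in zip(present, mask):
            if on:
                mangled = mangled.replace(letter, LEET[letter])
        for base in (mangled, mangled[:1].upper() + mangled[1:]):
            for digits in DIGIT_SUFFIXES:
                for symbol in SYMBOL_SUFFIXES:
                    out.add(base + digits + symbol)
    return out


def mangled_space(dictionary_size=DICTIONARY_SIZE):
    """Upper bound on guesses needed to run the rule set over the whole dictionary."""
    per_word = 2 * 2 ** len(LEET) * len(DIGIT_SUFFIXES) * len(SYMBOL_SUFFIXES)
    return dictionary_size * per_word


def nominal_space(length, alphabet_size=95):
    """What a length rule looks like on paper: every printable-ASCII string of that length."""
    return alphabet_size ** length


def passphrase_space(words, wordlist_size=WORDLIST_SIZE):
    """Guesses to exhaust random passphrases of `words` words drawn from the wordlist."""
    return wordlist_size ** words


def bits(space):
    """Entropy in bits if every guess in the space were equally likely."""
    return math.log2(space)


def seconds_to_exhaust(space, rate=GUESSES_PER_SEC):
    """Worst-case time for an offline attacker at `rate` guesses per second."""
    return space / rate


def report():
    rows = [
        ("8 chars, all classes, on paper", nominal_space(8)),
        ("8 chars, as people pick them (mangled word)", mangled_space()),
        ("4-word random passphrase", passphrase_space(4)),
        ("6-word random passphrase", passphrase_space(6)),
    ]
    for label, space in rows:
        print(f"{label:45s} {bits(space):5.1f} bits  "
              f"{seconds_to_exhaust(space) / 86400:14.1f} days to exhaust")


if __name__ == "__main__":
    report()
```

The gap worth reading is the one between the first two rows: the eight-character rule promises about 52 bits, but a password chosen the way the rules encourage falls inside a space of under 30 bits that the assumed attacker empties in well under a second. A random four-word passphrase sits about 22 bits above that, and it actually delivers its bits because nothing about it was chosen by a human; the six-word row shows how cheaply the passphrase approach scales.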