AAMI News February 2018

Everything You Thought You Knew about Passwords is Wrong, Experts Say

PasswordsNIST now recommends using "passphrases" instead of "passwords."

A strong password includes a complicated mixture of capital and lowercase letters, numbers, and other special characters and should be changed every 90 days in order to outwit would-be hackers, right?


Researchers have found that “doing things like changing passwords regularly and adding in special characters really just doesn’t do much,” according to Robert Sayle, a technical solutions architect for Cisco Systems, Inc., in Irvine, CA, and a member of AAMI’s Wireless Strategy Task Force (WSTF).

Seemingly complex passwords are actually relatively easy for hackers and algorithms to crack and are no longer considered a best practice by the National Institute of Science and Technology (NIST), Sayle explained during a December town hall meeting hosted by the CE-IT Community, a partnership between AAMI, the American College of Clinical Engineering, and the Healthcare Information and Management Systems Society.

Using “the traditional guidance is actually producing passwords that are easy for bad guys and hard for legitimate users,” Paul Grassi, senior standards and technology adviser at NIST, told NPR. Grassi led the revision of the NIST password standard, Special Publication 800-63, which was published in June 2017.

Such passwords are difficult to remember, according to usability experts, often leading to sloppy security practices, especially when users are required to change them frequently.

“I’m pretty sure you’re not changing your entire password; you’re shifting one character,” Grassi said. “Everyone does that, and the bad guys know that.”

A New Way of Thinking

With a nod toward greater usability, NIST now recommends the use of long, memorable “passphrases” that do not have to be changed unless there has been a breach.

“It works because we are creating longer passwords that cryptographically are harder to break than the shorter ones, even with all those special character requirements,” Grassi said. “We are really bad at random passwords, so the longer the better.”

For example, a passphrase combining four common words, such as “correct horse battery staple,” would take 550 years to crack, according to cartoonist Randall Munroe, while the password “Tr0ub4dor&3” could be cracked in three days—calculations verified by computer security specialists.

The bottom line, according to Sayle: “Be smart about it. Don’t choose something that’s really simple, but you also don’t really need to get very complex about it.”

Using strong passwords is just one of the ways AAMI’s WSTF recommends to mitigate the risk of cyberattacks. See the complete list here.