Tech Talk

A photo illustration shows two hands resting on a keyboard of a laptop computer with the words "turtle box super liquor" written on the screen as one example of a password.

Q&A: NIST's Paul Grassi on What Makes a Strong Password

Let’s all agree that passwords are one of the worst parts about being online. They’re hard to remember and annoying to recover. Once you come up with a good one, it expires immediately. If you’re like many people, you just gave up and now use the same password for every site, or write them all down somewhere. 

In June, the U.S. National Institute of Standards and Technology updated its Digital Identity Guidelines (Special Publication 800-63-3; the password rules live in SP 800-63B) with best practices for how federal agencies should identify users on websites and handle personal data. The guidelines include new recommendations about passwords that could finally resolve some of these common frustrations.

In the past, the agency had said it was best to select a mix of uppercase and lowercase letters, numbers, and special characters. Those bizarre combinations soon became the norm across government agencies and the tech industry. Now, NIST says agencies should let users choose much longer passwords (verifiers should accept at least 64 characters) and should not require any particular mix of character types.

This would allow users to choose a string of easy-to-remember words with spaces in between, such as "turtle box super liquor", instead of something like X30UnMx$#. NIST also says users should be able to keep a password indefinitely, with no forced expiration. In place of composition rules and expiry, the guidelines have verifiers screen each new password against lists of commonly used or previously breached values, and require a change only when there is evidence that the password has been compromised.
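The acceptance rules described above, as an added worked example in Python (my own code, not NIST's and not from this article). It assumes the SP 800-63B thresholds of 8 characters minimum and at least 64 accepted; the 128-character cap, the blocklist contents, the leetspeak mapping and the repetition heuristic are assumptions of this example. Length is counted in Unicode code points after NFKC normalization, spaces are allowed, and there is deliberately no rule about digits, cases or symbols.

```python
from __future__ import annotations

import unicodedata
from dataclasses import dataclass

# Constructed sample blocklist. A real verifier would load a large list of
# breached, common and dictionary values (SP 800-63B section 5.1.1.2).
BLOCKLIST = {
    "password", "123456", "qwerty", "letmein", "iloveyou",
    "passw0rd", "p@ssword",
}
MIN_LEN = 8     # SP 800-63B: verifiers SHALL require at least 8 characters
MAX_LEN = 128   # SP 800-63B: SHOULD accept at least 64; this cap is our assumption

# Undo the "@ for a" style substitutions users make so that P@ssw0rd is
# matched against the blocklist entry "password". Mapping is an assumption.
LEET = str.maketrans("@0$31", "aosei")


@dataclass
class Verdict:
    ok: bool
    reason: str


def _is_repetitive_or_sequential(pw: str) -> bool:
    """Flag 'aaaaaaaa' or 'abcdefgh'/'12345678' style strings, which SP 800-63B
    names as values a verifier should reject. Simple heuristic, not exhaustive."""
    if len(set(pw)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps in ({1}, {-1})


def check_password(pw: str, context: tuple[str, ...] = ()) -> Verdict:
    """Decide whether a proposed password is acceptable under the rules above.

    `context` holds values specific to the account or service (username,
    service name, ...) that the password must not contain.
    """
    # Normalize so visually identical inputs compare equal (800-63B allows NFKC/NFKD).
    pw = unicodedata.normalize("NFKC", pw)
    n = len(pw)  # code points, not bytes; spaces and non-ASCII each count as one
    if n < MIN_LEN:
        return Verdict(False, f"shorter than {MIN_LEN} characters")
    if n > MAX_LEN:
        return Verdict(False, f"longer than {MAX_LEN} characters")

    folded = pw.casefold()
    if folded in BLOCKLIST or folded.translate(LEET) in BLOCKLIST:
        return Verdict(False, "appears on the blocklist")
    if _is_repetitive_or_sequential(pw):
        return Verdict(False, "repetitive or sequential characters")
    for word in context:
        if word and word.casefold() in folded:
            return Verdict(False, f"contains context-specific value {word!r}")

    # No composition rule on purpose: a long phrase of lowercase words passes.
    return Verdict(True, "accepted")


if __name__ == "__main__":
    for candidate in ("turtle box super liquor", "X30UnMx$#", "P@ssw0rd",
                      "short1!", "abcdefgh"):
        print(f"{candidate!r:28} -> {check_password(candidate)}")
```

Note what the leetspeak mapping buys: the composition-rule workaround Grassi describes later in the interview (an @ in place of an a) no longer turns a blocklisted word into an accepted one.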

Paul Grassi, senior standards and technology advisor for NIST and the author of the new guidelines, explains the agency’s new thinking about the problem of passwords.

This interview has been edited and condensed for clarity.

IEEE Spectrum: How are the Digital Identity Guidelines meant to be used?

Paul Grassi: They’re specifically designed to only be for federal agencies, specifically civilian and non-national security, targeted only at our federal stakeholders. That said, we expect and hope the private sector will actually deliver the solutions these guidelines discuss, so we very much have the private sector in mind.

IEEE Spectrum: How did you figure out what the newest guidelines should say about password security?

Paul Grassi: We make sure we evaluate [our guidelines] on a regular basis to make sure they’re current and not lagging behind threats in the market. This one was a long time coming for a lot of reasons. We had an RFI process, asking the private and public sector what they thought was missing, and then we basically opened up an open-source version of the document on GitHub where we were collaborating amongst ourselves and anybody who wanted to contribute. We certainly learned a lot about what modern research was telling us about some of the flaws in the guidelines.

IEEE Spectrum: Can you explain the concept of password entropy?

Paul Grassi: A password’s entropy means how difficult it is to guess, how random it is, and what would be the length of time for a brute force attack to be able to break it. The longer the password, typically the more entropy there is, which is why we’ve changed our guidelines to allow for longer passwords that are easier to remember rather than shorter passwords that are easy to forget.

IEEE Spectrum: You emphasize usability in the new guidelines. Why is it important to think about usability of passwords?  

Paul Grassi: I’m of the mindset that poor usability tends to create workarounds that are insecure. We’ve seen it across the board. In the case of passwords, humans are really bad at randomizing passwords. Where a highly randomized one can reach high entropy, non-randomized ones do not. Users were substituting special characters that look like regular characters, an @ sign instead of an “a.” What we were hoping were truly random, difficult passwords were actually not because of those workarounds.

IEEE Spectrum: What else did you learn from new research about passwords and incorporate into these guidelines?  

Paul Grassi: The other update about passwords is—don’t expire them. Expiration isn’t a motivator to create a brand new password, it’s motivation to shift one character so you can remember the password. If you’re like me, and most people are, they’re following some keyboard progression they know, with moving one character up and one down. So all those workarounds created insecure passwords.

IEEE Spectrum: So if I want to keep a password for the rest of my life, I should be able to do that?

Paul Grassi: Absolutely. If your password hasn’t been breached, then why would you change it? If a password file has been broken by a bad guy and you’re going to change it by one digit, they’re going to know that. The expiration date doesn’t make a whole heck of a lot of sense in that paradigm.

In the big scheme of things, passwords are only allowable in our guidelines for low-risk applications. In most cases, multi-factor authentication is required anyway. Your password, if it’s used in a multi-factor scheme, is one piece of the puzzle and the impact of a breach in a single-factor scheme should not be significant because it’s for a low-risk application.

IEEE Spectrum: Do you have suggestions about what users can do to better manage their passwords?

Paul Grassi: The best practice is to have a different password for every site. That’s going to be impossible to remember. So segmentation is helpful—use one password for financial services, use one password for social media. Use one password for email and don’t use it anywhere else, because email is still the recovery method of choice for most sites. We also advocate multi-factor authentication whenever it’s available.

IEEE Spectrum: Aside from passwords, what else do the Digital Identity Guidelines cover?

Paul Grassi: We’ve spent a lot of time writing privacy requirements. We want agencies to absolutely undercollect, not overcollect. We want their default to be, if I need somebody’s age, can I just ask that question, rather than require the user to provide their full date of birth? So privacy is a big focus.

It’s not up to us to require specific architecture, but we certainly encourage [agencies] to federate. Identity is costly and we see cost savings if every agency does not individually identity-proof a user. If it can be done once or twice, and used across the government, that’s a good thing.

IEEE Spectrum: Your guidelines address biometric security. How close are we to living in a world without passwords?

Paul Grassi: Passwords may be there for the foreseeable future. Even though there’s innovation allowing for a passwordless experience, you have to have the technology to be able to do it, and not everybody has it or wants it. This is the tough part. Some folks may just not want to keep up with innovation and we have to have a solution that works for them, too. Passwords aren’t going anywhere.

illustration depicts methods of hacking 3d printers and three methods of verifying that printed parts have not been compromised by hacking

Defending 3D Printers From Hackers

3D printers will become attractive targets for cyberattacks because 3D-printed objects and parts are finding more and more use in critical infrastructures around the world, such as in healthcare, transportation, robotics, aviation, and space, researchers say.

In response to the threat, a trio of techniques to monitor 3D printers for cyberattacks is revealed in a new study from researchers at Rutgers University and the Georgia Institute of Technology.

3D printing is increasingly playing a part in situations where lives may be at stake, such as medical prostheses or car parts. However, there is currently no standard way to verify that 3D-printed parts were made accurately, the researchers say.

“3D printing will be used for manufacturing almost everything: artificial organs, homes, buildings, and even aircraft parts,” says study co-author Mehdi Javanmard, an electrical engineer at Rutgers University in New Jersey. “With wireless connectivity of controllers, unknown and undetectable cyber-physical attacks can result in devastating effects without any way to trace the attacks.”

Computer Aided Magic Tricks

AI Helps Magicians Perform Mind-Reading Tricks

You are presented with two decks, one with images and the other with words. The magician shuffles and distributes the decks into piles of four cards. You get to choose two piles, one from the word deck and one from the image deck, to make a hand of eight cards. Then you’re invited to pick a word card and an image card from your hand. Once you’ve selected a pair, you watch the magician reveal a previously written prediction about the cards you’ve chosen. The prediction is correct!

That kind of “mind-reading” magic trick could benefit from new AI computer algorithms. These algorithms are designed to exploit human psychology and help magicians choose the best card combinations.

A photo illustration shows a side profile of U.S. President Donald Trump surrounded by black and yellow nuclear warheads on a red background

Commentary: Trump, Engineering Advisers, and the North Korea Crisis

Someone ought to explain to Donald Trump that modernization of America’s nuclear arsenal, which he bragged about yesterday when issuing fiery threats of doom against North Korea, hasn’t happened yet.

As we explained in our Spectral Lines column in the August issue of IEEE Spectrum, thanks to the Obama administration, the U.S. is in the early stages of improving the operational reliability of its force of more than 4,000 nuclear weapons, which can be launched by missiles, planes, and submarines. 

A person's hands are seen typing on a laptop computer next to a screen and various cables on a long desk.

DEFCON Hackers Found Many Holes in Voting Machines and Poll Systems

E-voting machines and voter registration systems used widely in the United States and other countries’ elections can readily be hacked—in some cases with less than two hours’ work. This conclusion emerged from a three-day-long hackathon at the Def Con security conference in Las Vegas last weekend. Some of those hacks could potentially leave no trace, undercutting the assurances of election officials and voting machine companies who claim that virtually unhackable election systems are in place. 

Def Con, an annual computer hacking conference celebrating its 25th year, hosted its first Voting Machine Hacking Village this year. In it, conference attendees were given access to many of the most popular voting machines and voter registration tracking systems in use around the world today. And before the Hacking Village organizers were even finished with their opening morning introductory remarks, a Danish hacker in the audience had already broken into one of the target machines wirelessly.

Soon after on the same morning, a second group in the room wirelessly hacked into a popular electronic poll book system, responsible for storing and maintaining voter registration information. In total, the inaugural e-voting hackathon turned up at least 18 new vulnerabilities to e-voting and e-poll book systems. (This may be a conservative estimate, as the hacks discovered at the Village are now being verified and studied before they’ll be compiled and counted as legitimate new hacks.)

Hyperloop tube on a platform in the desert

Musk Claims "Verbal" Approval for a Hyperloop Tunnel From New York to D.C.

Elon Musk today tweeted that he has verbal approval from unnamed governmental officials to build a Hyperloop tunnel from New York City to Washington, D.C., adding that this would allow for a trip of 29 minutes.

The tunnel would be dug by Musk’s appropriately named firm, The Boring Company, and it would make stops in Philadelphia and Baltimore. That’s pretty much a straight line, and it comes to around 360 kilometers (225 miles); covering it in 29 minutes implies an average speed of roughly 745 km/h (465 mph).

Just received verbal govt approval for The Boring Company to build an underground NY-Phil-Balt-DC Hyperloop. NY-DC in 29 mins.

— Elon Musk (@elonmusk) July 20, 2017

City center to city center in each case, with up to a dozen or more entry/exit elevators in each city

— Elon Musk (@elonmusk) July 20, 2017

Still a lot of work needed to receive formal approval, but am optimistic that will occur rapidly

— Elon Musk (@elonmusk) July 20, 2017

Photograph of Prof. Dr. Karl Landsteiner, a string theorist at the Instituto de Fisica Teorica UAM/CSIC and co-author of the Gravitational Anomaly paper

Black Hole Power: How String Theory Idea Could Lead to New Thermal-Energy Harvesting Tech

A new class of exotic materials could find its way into next-generation technologies that efficiently convert waste heat into electrical current, according to new research. Both the exotic materials and the means by which they generate electricity rely on a hybrid of advanced concepts, including string theory combined with black holes combined with cutting-edge condensed matter physics.

But the end result is straightforward: A strip of the material niobium phosphide (NbP), in the presence of strong magnetic fields, appears to be good at harvesting thermal energy and translating that into possibly usable current.

NbP represents a new class of material that’s neither metal nor semiconductor but a little bit of both, says Johannes Gooth, research scientist at IBM in Zurich. “Classically we have materials like metals, semiconductors, and insulators; this is the toolbox we use to make devices,” Gooth says. But Weyl semimetals, named after the physicist Hermann Weyl who first began to describe the strange physics these materials obey, are “exactly in the middle between metal and semiconductor. It has [conduction] bands, but they touch. The band gap is basically zero.”

Which means a Weyl semimetal like NbP occupies a sort of intermediate zone between true conductive metal and pure semiconductor. And as a material in no man’s land, bridging two different regimes of physical properties, it might also find applications no one has yet imagined, Gooth says.

Since their discovery in 2015, Weyl semimetals have been the subject of some curiosity and speculation. And this is for good reason, says Karl Landsteiner, a string theorist at the Instituto de Fisica Teorica UAM/CSIC in Madrid, Spain. He’s one of the co-authors, along with Gooth, of a letter in this week’s issue of Nature that reveals the discoveries they made about NbP.

Before collaborating on this latest study, Landsteiner had been studying the physical laws that quantum mechanics sometimes allows to be broken. And until recently he thought these violations happened in environments too rarefied to be observed in the lab, let alone finding their way into future generations of technologies.

“For me this is amazing,” Landsteiner says. “When we started working on these kinds of problems, we never thought there would be any practical way of doing this in the lab. We always thought about the beginning of the universe, very exotic states of matter heated up trillions of degrees. But now we find all our equations and everything we did applies equally to this exciting class of new materials.”

“For us, whenever we build transistors, we are always bound to conservation laws,” says IBM’s Gooth. “These define and limit everything. And now suddenly we have materials where these high-energy, quantum mechanics equations allow for us to break some of these laws. It opens up a completely new playground for device design. Because it’s simply new physics, which circumvents classical limits.”

The quantum equations Gooth references concern the sort of law-bending that quantum physics—with its uncertainty relations enabling mischief at the fringes at sub-atomic scales—has become known for. For instance, the flash memory at the heart of our smartphones and other portable electronics is based on quantum particles tunneling across barriers they wouldn’t be able to cross if the laws of classical physics always prevailed.

In this case, the quantum lawbreaking comes in via the currents of electrons traveling through a Weyl semimetal. According to standard, common-sense conservation laws, electrons should normally travel through a material in such a way that their number is conserved. That is, the number that goes in is the same number that comes out, minus any electrons the material absorbed as the current passed through, plus any extra electrons the material itself gave off. (There is an additional complication here, though. Each electron’s spin adds a second ledger to the account books. So technically, two currents are conserved: the current with electron spins aligned with the direction of travel is conserved, and, completely separately, the current with electron spins anti-aligned with the direction of travel is also conserved.)

The present discovery steals a page from string theory and black hole physics. Theorists in these disciplines have found quantum exceptions to conservation laws like the above. For instance, they’ve established that strong gravitational and magnetic fields together allow for sometimes breaking conservation of both kinds of currents—the kind where spin is parallel to travel direction and where spin is anti-parallel to travel direction.

And here is where Landsteiner presumed his and his colleagues’ work would remain untouched by practical applications. But thanks to work tracing back to the 1960s, a useful analogy has been developed over the years: gravitational fields sometimes behave strikingly like thermal gradients. So when the string and black hole theory idea emerged that “gravitational” fields can bend the conservation laws of current in the presence of strong magnetic fields, Gooth realized he might be able to apply the thermal analogy.

Gooth thought he might try to mimic the same gravitational quantum anomaly with just a simple thermal gradient: In this case, a strip of Weyl semimetal (NbP) that’s really hot on one end and cool on the other. Put this Weyl semimetal inside a superconducting magnet, one that can generate strong (9 Tesla) fields sufficient to generate the quantum effect, and see if the thermal gradient can be converted into extra streams of electrons. In other words, use the above quantum trick to transform thermal energy into electrical current.

And it worked. Now Gooth and Landsteiner say they’ll be busy finding ways to tweak the recipe. Both practical applications like thermal energy harvesters and more fundamental physical research are in their sights now.

“You now can use physics from outer space to create new applications—it’s fantastic,” Gooth says. “It opens a new world.”

Subir Sachdev, a solid-state physicist at Harvard who was not involved in the work, says the discovery opens a door to a new kind of material and a new approach to studying materials. “This experiment is an important step in a wider field of the study of ‘quantum materials,’ ” Sachdev said via email. “And I think advances here could have a strong impact on future developments in this wider field.”

Blind quantum computing in the cloud could keep computation results secret even for remote classical computer users

Even Ordinary Computer Users Could Access Secret Quantum Computing

You may not need a quantum computer of your own to securely use quantum computing in the future. For the first time, researchers have shown how even ordinary classical computer users could remotely access quantum computing resources online while keeping their quantum computations securely hidden from the quantum computer itself.

Two pictures of Barack Obama side-by-side

AI Creates Fake Obama

Artificial intelligence software could generate highly realistic fake videos of former president Barack Obama using existing audio and video clips of him, a new study [PDF] finds.

Such work could one day help generate digital models of a person for virtual reality or augmented reality applications, researchers say.

Computer scientists at the University of Washington previously revealed they could generate digital doppelgängers of anyone by analyzing images of them collected from the Internet, from celebrities such as Tom Hanks and Arnold Schwarzenegger to public figures such as George W. Bush and Barack Obama. Such work suggested it could one day be relatively easy to create such models of anybody, given the untold numbers of digital photos of everyone on the Internet.


Tech Talk

IEEE Spectrum’s general technology blog, featuring news, analysis, and opinions about engineering, consumer electronics, and technology and society, from the editorial staff and freelance contributors.
