Back in 2003, Bill Burr wrote the primer on password development. His definitive work recommended random characters, letters, numbers, caps, casing, etc. in a mishmosh that the user not only had to remember (or remember where they’d recorded it) but had to, per his ’03 recommendation, change each month into another nonsensical string of random characters and letters.
Burr now regrets these rules and says that he was wrong about them.
Back when he wrote the “rules” on the safest passwords, there simply wasn’t much data, and he says he ran into trouble trying to do his own research because no one wanted to tell him their password.
Times have changed, and despite new data that suggest a four-word phrase is harder to crack than a shorter string of gobbledygook, Burr’s paper was the definitive work on passwords for well over a decade.
The Wall Street Journal reports:
The man who wrote the book on password management has a confession to make: He blew it.Back in 2003, as a midlevel manager at the National Institute of Standards and Technology, Bill Burr was the author of “NIST Special Publication 800-63. Appendix A.” The 8-page primer advised people to protect their accounts by inventing awkward new words rife with obscure characters, capital letters and numbers—and to change them regularly.Here’s hoping websites catch on fast. I can’t tell you how many sites I simply avoid because even if I follow their crazy “include a cap, a number, a character, a lower case letter, and a secret keyboard Easter Egg combo . . . in at least eight characters.” I can’t remember what the password is and have to reset it to see one thing or make one comment.The document became a sort of Hammurabi Code of passwords, the go-to guide for federal agencies, universities and large companies looking for a set of password-setting rules to follow.The problem is the advice ended up largely incorrect, Mr. Burr says. Change your password every 90 days? Most people make minor changes that are easy to guess, he laments. Changing Pa55word!1 to Pa55word!2 doesn’t keep the hackers at bay.Also off the mark: demanding a letter, number, uppercase letter and special character such as an exclamation point or question mark—a finger-twisting requirement.“Much of what I did I now regret,” said Mr. Burr, 72 years old, who is now retired.
There is no site (that isn’t paying me) that I need to see so badly that I will jump through the hoops of proving who I am and then resetting a new password that I will also never remember (and will need to reset next time . . . not that there would be a next time).
While my experience is anecdotal, there has reportedly been a measurable decline in user engagement and usage due to onerous, and ultimately, it turns out, ineffective and needlessly extravagant password requirements.
The Wall Street Journal continues:
The new guidelines, which are already filtering through to the wider world, drop the password-expiration advice and the requirement for special characters, Mr. Grassi said. Those rules did little for security—they “actually had a negative impact on usability,” he said.Long, easy-to-remember phrases now get the nod over crazy characters, and users should be forced to change passwords only if there is a sign they may have been stolen, says NIST, the federal agency that helps set industrial standards in the U.S.Amy LaMere had long suspected she was wasting her time with the hour a month it takes to keep track of the hundreds of passwords she has to juggle for her job as a client-resources manager with a trade-show-display company in Minneapolis. “The rules make it harder for you to remember what your password is,” she said. “Then you have to reset it and it just makes it take longer.”When informed that password advice is changing, however, she wasn’t outraged. Instead, she said it just made her feel better. “I’m right,” she said of the previous rules. “It just doesn’t make sense.”
Four random words in some random order is now deemed more secure than the “one of everything” string.
The Wall Street Journal continues:
Academics who have studied passwords say using a series of four words can be harder for hackers to crack than a shorter hodgepodge of strange characters—since having a large number of letters makes things harder than a smaller number of letters, characters and numbers.In a widely circulated piece, cartoonist Randall Munroe calculated it would take 550 years to crack the password “correct horse battery staple,” all written as one word. The password Tr0ub4dor&3—a typical example of a password using Mr. Burr’s old rules—could be cracked in three days, according to Mr. Munroe’s calculations, which have been verified by computer-security specialists.
How hard is “eggscategorydoorheir” and not changing it every month? Not hard for me, but apparently hard for hackers.
That’s a win/lose I can live with.
CLICK HERE FOR FULL VERSION OF THIS STORY