Published: Wed, August 09, 2017
Electronics | By Jesus Weaver

Everything You Know About 'Secure' Passwords Is Wrong

The man who drew up widely-used password rules that are now regarded as wrong regrets ever having created them.

The practice of changing a password every 90 days is also outdated, according to the rewritten version of Burr's original eight-page password document, "NIST Special Publication 800-63".

Bill Burr advised the use of numbers, non-alphabetic symbols and capital letters as a way to provide added security in a 2003 publication he authored while working for the United States government.

The revised guidelines say that cooking up a complicated password isn't really helping: a larger number of letters is more helpful than a short, complicated password.

Nor did the introduction of numbers and symbols make passwords less vulnerable to "brute force" cyber attacks in which a computer cycles through every possible combination of characters to guess a password. In the time since publication, it's become clear that these suggestions have made passwords weaker rather than more secure. Most people make minor changes that are easy to guess, he laments. In what could be a prime case for "too little, too late", Burr now says that he's sorry for putting us all through password hell.

This was the recommendation of Bill Burr, who created those password guidelines while working for the National Institute of Standards and Technology back in 2003.

"Much of what I did, I now regret," Burr told The Wall Street Journal recently, given that his research into passwords mostly came from a white paper written in the 1980s, long before the web was even invented.

"In the end, it was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree", said Mr. Burr to WSJ.

Instead of creating a password, opt for a passphrase that can be long but easy to remember. Complex passwords are hard to remember, the guidelines add, so users end up reusing the same one on different websites or writing them down on Post-it notes.

"We ended up starting from scratch", he said. The guidelines also support the idea that while nonsensical strings of letters and numbers are almost impossible to remember, phrases of four or more random words strung together are easier to remember and much harder to crack.
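As an added illustration (not code from the article, from Burr or from NIST), the Python below puts numbers on the two claims above: a policy-compliant password built from a dictionary word plus "minor changes" is far weaker than its character count suggests once a guesser tries the common substitutions first, while four random words from a large list are stronger without being harder to remember. The tiny word list, the substitution table and the 7776-word passphrase list size are assumptions chosen for the example.

```python
import math
import string

# Constructed stand-in for a list of common passwords / dictionary words
# (assumption: a real checker loads tens of thousands of entries).
COMMON_WORDS = {"password", "summer", "welcome", "dragon", "monkey", "football"}

# Substitutions a guesser tries first; these are the "minor changes" most people make.
LEET = {"@": "a", "$": "s", "!": "i", "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"}

SYMBOLS = string.punctuation  # 32 printable ASCII symbols


def charset_size(pw: str) -> int:
    """Alphabet size a naive brute-force search would have to cover."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in SYMBOLS for c in pw):
        size += len(SYMBOLS)
    return size


def brute_force_bits(pw: str) -> float:
    """Naive estimate: every string over the used alphabet is equally likely."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0


def pattern_bits(pw: str):
    """Estimate for 'dictionary word + capitalisation + leet + suffix'.

    Returns None when the password does not fit that pattern.
    """
    core = pw.rstrip(string.digits + SYMBOLS)   # word part
    suffix = pw[len(core):]                     # trailing digits/symbols
    unleeted = "".join(LEET.get(c, c) for c in core)
    if unleeted.lower() not in COMMON_WORDS:
        return None
    bits = math.log2(len(COMMON_WORDS))                      # which word
    bits += sum(1 for c in core if c in LEET)                # each substitution: ~1 bit
    bits += 1 if any(c.isupper() for c in core) else 0       # capitalised or not
    bits += sum(math.log2(10) if c.isdigit() else math.log2(len(SYMBOLS)) for c in suffix)
    return bits


def estimate_bits(pw: str) -> float:
    """Guessing work: the weaker of the naive estimate and any pattern that fits."""
    naive = brute_force_bits(pw)
    pat = pattern_bits(pw)
    return naive if pat is None else min(naive, pat)


def passphrase_bits(n_words: int, wordlist_size: int) -> float:
    """Randomly chosen words: each contributes log2(wordlist_size) bits."""
    return n_words * math.log2(wordlist_size)


if __name__ == "__main__":
    for pw in ["P@ssw0rd1!", "Summer2017!", "xK7#qL2p"]:
        print(f"{pw:14} naive={brute_force_bits(pw):5.1f} bits  realistic={estimate_bits(pw):5.1f} bits")
    # Assumption: a 7776-word list, the size of a standard diceware list.
    print(f"4 random words   {passphrase_bits(4, 7776):.1f} bits")
```

"P@ssw0rd1!" satisfies every 2003-style rule and scores about 65 bits by the naive count, yet fits the word-plus-changes pattern in roughly 14 bits; four random words from a 7776-word list come to about 52 bits with nothing to substitute. The pattern estimate is deliberately simple (one suffix, one substitution table); the point it makes is the one the guidelines make.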