The guy who wrote the book on passwords says he got it all wrong

The worst part of creating an online account is having to adhere to those obnoxious password rules: capitalize this, lowercase that, have these special characters, but not those. Once you figure out the riddle, you’re typically left with a phrase that’s impossible to remember. If it’s any consolation, at least you know you’ll be safe from hackers, right? Not a chance.

It turns out, the guy who invented those password rules almost 15 years ago now admits he got it all wrong. Former National Institute of Standards and Technology (NIST) manager Bill Burr—the man who wrote the gospel on password management back in 2003—feels guilty for misleading people.

“Much of what I did I now regret,” Burr told the Wall Street Journal. “In the end, it was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree.”

It’s OK to be angry, but don’t put all the blame on Burr. The fact that we blindly follow rules created 15 years ago—before we knew much about cybersecurity and the dangers we face today—is simply irresponsible. Not to mention the carelessness of some people, as made evident by the terrible passwords that top “most common passwords” lists every year, with gems like “123456” and “password.” Some of Burr’s suggestions, like using uncommon words that are a minimum of eight characters long, should still be considered today.

In fact, the new rules for creating a strong password focus on passphrases instead of a random string of characters and letters. A NIST guide published in June recommends using at least 64 characters in a password and forgetting about numbers and special characters. For example, “passwordisnotagoodpassword” is much better than using “[email protected]$$word1.”

The idea is that a short string of hard-to-remember characters is much easier for a hacker to figure out than a long phrase, like your favorite lyric or quote, because there are fewer character combinations to choose from.

The suggestions Burr made, and now regrets, came from his “NIST Special Publication 800-64, Appendix A” guide. They are still being used as online password requirements by almost every company, from online banking to social media registration.

Consider a system that used:

  • a minimum of 8 character passwords, selected by subscribers from an alphabet of 94 printable characters,
  • required subscribers to include at least one upper case letter, one lower case letter, one number and one special character, and
  • used a dictionary to prevent subscribers from including common words and prevented permutations of the username as a password.
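To make the contrast between the two generations of advice concrete, here is an added example (not code from the article, from NIST, or from Burr). It implements the three 2003-style composition checks quoted above next to a length-plus-blocklist check in the spirit of the newer guidance, and it puts numbers on the reasoning in the article: the search space a brute-force guesser faces for an 8-character string drawn from 94 printable characters versus a 26-letter lowercase phrase. The dictionary, the blocklist, the leetspeak substitution map and the function names are all constructed for this example; the "permutation of the username" check is simplified to the username and its reversal.

```python
import math
import re

# Constructed stand-in for a "most common passwords" blocklist. The article names
# "123456" and "password" as perennial entries on such lists.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "12345678"}

# Constructed stand-in for the dictionary the 2003-era rules used to reject words.
DICTIONARY_WORDS = {"password", "word", "good", "bad", "secret"}

# Constructed map of the substitutions people use to sneak a common word past
# composition rules ("P4ssw0rd!" is still "password" to a guesser).
LEET_MAP = str.maketrans({"4": "a", "@": "a", "0": "o", "$": "s", "5": "s",
                          "1": "i", "3": "e", "7": "t"})


def old_rules(password: str, username: str) -> list[str]:
    """Checks modelled on the 2003-style rules quoted above.
    Returns the list of violations; an empty list means 'accepted'."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper case letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lower case letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    lowered = password.lower()
    if any(word in lowered for word in DICTIONARY_WORDS if len(word) >= 4):
        problems.append("contains a dictionary word")
    user = username.lower()
    if user and (user in lowered or user[::-1] in lowered):
        problems.append("contains the username or its reversal")
    return problems


def normalize(password: str) -> str:
    """Lowercase, undo common substitutions, drop punctuation: the form a
    blocklist lookup should use so that 'P4ssw0rd!' matches 'password'."""
    return re.sub(r"[^a-z0-9]", "", password.lower().translate(LEET_MAP))


def new_rules(password: str, username: str) -> list[str]:
    """Checks in the spirit of the newer guidance the article describes:
    a length floor and a blocklist, with no composition requirements.
    The 8-character floor follows the article's note that Burr's minimum
    still stands; everything else here is an assumption of this example."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if normalize(password) in COMMON_PASSWORDS:
        problems.append("matches a commonly used password")
    user = username.lower()
    if user and user in password.lower():
        problems.append("contains the username")
    return problems


def search_space_bits(length: int, alphabet_size: int) -> float:
    """log2 of the number of strings of this length over this alphabet: the
    work a brute-force guesser faces if each character is chosen uniformly."""
    return length * math.log2(alphabet_size)


def phrase_space_bits(word_count: int, vocabulary_size: int) -> float:
    """Same measure for a phrase built from whole words. A guesser that knows
    the phrase is made of dictionary words picks from words, not letters, so
    this is the honest figure for 'passwordisnotagoodpassword'-style phrases."""
    return word_count * math.log2(vocabulary_size)


if __name__ == "__main__":
    for pw in ("passwordisnotagoodpassword", "P4ssw0rd!"):
        print(f"{pw!r}: old rules -> {old_rules(pw, 'alice') or 'accepted'}")
        print(f"{pw!r}: new rules -> {new_rules(pw, 'alice') or 'accepted'}")
    print(f"8 chars from 94 symbols:  {search_space_bits(8, 94):.1f} bits")
    print(f"26 lowercase letters:     {search_space_bits(26, 26):.1f} bits")
    print(f"5 words, 10,000-word list: {phrase_space_bits(5, 10_000):.1f} bits")
```

Running it shows the two policies disagreeing in both directions: the long phrase fails the 2003-style checks on four counts yet passes the newer ones, while "P4ssw0rd!" satisfies every composition rule and is rejected only once the blocklist lookup normalizes substitutions. The last figure is the caveat the article's argument glosses over: a phrase of five common words is still far stronger than an 8-character string, but a guesser who tries word combinations rather than letters sees roughly 66 bits, not 122.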

You can read all of the original recommendations on page 46-54 of this archived document, though you’d be better off skipping right to NIST’s new draft of password guidelines.

H/T The Age

Phillip Tracy

Phillip Tracy is a former technology staff writer at the Daily Dot. He's an expert on smartphones, social media trends, and gadgets. He previously reported on IoT and telecom for RCR Wireless News and contributed to NewBay Media magazine. He now writes for Laptop magazine.