The guy who wrote the book on passwords says he got it all wrong
Fortunately, NIST is drafting a new set of password guidelines.
The worst part of creating an online account is having to adhere to those obnoxious password rules: capitalize this, lowercase that, have these special characters, but not those. Once you figure out the riddle, you’re typically left with a phrase that’s impossible to remember. If it’s any consolation, at least you know you’ll be safe from hackers, right? Not a chance.
It turns out, the guy who invented those password rules almost 15 years ago now admits he got it all wrong. Former National Institute of Standards and Technology (NIST) manager Bill Burr—the man who wrote the gospel on password management back in 2003—feels guilty for misleading people.
“Much of what I did I now regret,” Burr told the Wall Street Journal. “In the end, it was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree.”
It’s OK to be angry, but don’t put all the blame on Burr. The fact that we blindly follow rules created 15 years ago—before we knew much about cybersecurity and the dangers we face today—is simply irresponsible. Not to mention the carelessness of some people, as made evident by the terrible passwords that top “most common passwords” lists every year, with gems like “123456” and “password.” Some of Burr’s suggestions, like using uncommon words that are a minimum of eight characters long, should still be considered today.
In fact, the new rules for creating a strong password focus on passphrases instead of a random string of characters. A NIST guide published in June recommends using at least 64 characters in a password, and forgetting about numbers and special characters. For example, “passwordisnotagoodpassword” is much better than using “[email protected]$$word1.”
The idea is that a short string of hard-to-remember characters is much easier for a hacker to figure out than a long phrase, like your favorite lyric or quote, because there are fewer character combinations to choose from.
The suggestions Burr made, and now regrets, came from his “NIST Special Publication 800-64, Appendix A” guide. They are still being used as online password requirements by almost every company, from online banking to social media registration.
Consider a system that used:
- a minimum of 8-character passwords, selected by subscribers from an alphabet of 94 printable characters;
- required subscribers to include at least one upper case letter, one lower case letter, one number and one special character; and
- used a dictionary to prevent subscribers from including common words and prevented permutations of the username as a password.
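To make the contrast concrete, here is an added example (not code from the article or from NIST) that encodes the three old rules above as one checker, the newer length-plus-blocklist approach as another, and the guess-space arithmetic behind the point that a long phrase beats a short complex string. The blocklist is a tiny constructed stand-in for the dictionary and "most common passwords" lists, and treating "permutations of the username" as anagrams is an assumption.

```python
import math
import re
import string

# Constructed stand-in for the dictionary / common-password lists (hypothetical, tiny).
BLOCKLIST = {"password", "123456", "qwerty", "letmein"}

# The 94 printable ASCII characters named in the old rules.
PRINTABLE_94 = string.ascii_letters + string.digits + string.punctuation


def old_policy_ok(password: str, username: str) -> bool:
    """2003-style composition rules: 8+ printable chars, one character from each
    of four classes, no blocklisted word anywhere inside, and not a permutation
    (assumed here to mean an anagram) of the username."""
    if len(password) < 8 or any(c not in PRINTABLE_94 for c in password):
        return False
    classes = (
        re.search(r"[A-Z]", password),
        re.search(r"[a-z]", password),
        re.search(r"[0-9]", password),
        re.search(r"[^A-Za-z0-9]", password),
    )
    if not all(classes):
        return False
    lowered = password.lower()
    if any(word in lowered for word in BLOCKLIST):
        return False
    return sorted(lowered) != sorted(username.lower())


def new_policy_ok(password: str) -> bool:
    """Length-based rule: at least 8 characters, room for 64, any characters
    allowed, no composition classes; reject only exact matches on the blocklist."""
    return 8 <= len(password) <= 64 and password.lower() not in BLOCKLIST


def brute_force_bits(length: int, alphabet_size: int) -> float:
    """log2 of the number of candidate strings a guesser must cover in the
    worst case: the raw size of the search space, ignoring predictability."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for pw in ("P@ssw0rd1", "passwordisnotagoodpassword"):
        print(pw, "old:", old_policy_ok(pw, "alice"), "new:", new_policy_ok(pw))
    print("8 chars from 94:", round(brute_force_bits(8, 94), 1), "bits")
    print("26 lowercase chars:", round(brute_force_bits(26, 26), 1), "bits")
```

The short complex string satisfies every old rule while the long phrase fails them, yet the phrase has roughly 122 bits of raw search space against about 52 for the eight-character string; a phrase built from dictionary words is more predictable than that, which is exactly why the blocklist check matters.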
H/T The Age
Phillip Tracy is a former technology staff writer at the Daily Dot. He's an expert on smartphones, social media trends, and gadgets. He previously reported on IoT and telecom for RCR Wireless News and contributed to NewBay Media magazine. He now writes for Laptop magazine.