Passwords Get Changed Again
Don’t you just hate trying to remember your passwords? We’ve all been forced to do it: create a password with at least so many characters, so many numbers, so many special characters, and maybe an uppercase letter. Guess what? The man who wrote those rules nearly 15 years ago now admits that they were basically useless. He is also very sorry.
IT expert Bill Burr said that making people remember long, complicated passwords “drives people bananas”.
Nearly 15 years ago, Mr Burr wrote the password security guidelines for the US National Institute of Standards and Technology. They included suggestions that passwords should be changed every three months and be made up of a range of different characters.
Burr’s stance on the entire situation has changed quite a bit since then, and in a recent interview with the Wall Street Journal he admits that he approached the issue in the wrong way. “In the end, it was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree,” the 72-year-old Burr now says. “It just drives people bananas and they don’t pick good passwords no matter what you do.”
Pushing people to secure their accounts with unique, private logins is always a good move, but the result of Burr’s guidelines and the widespread adoption of complex-password rules is that most people just pick something short and memorable that satisfies the criteria: a dictionary word with a capital letter, a digit and a symbol bolted on. That pattern is exactly what cracking tools try first, so these passwords fall to dictionary and rule-based guessing long before anyone needs a true brute-force attack.
“Much of what I did I now regret,” Burr says. That’s definitely something you don’t want to hear from someone who influenced the security of your online bank account and medical records.
What To Do Now?
A popular xkcd comic from cartoonist Randall Munroe, published back in August 2011, poked a hole in this common logic by pointing out that the password “Tr0ub4dor&3” could be cracked in about three days at the comic’s assumed rate of 1,000 guesses per second, because its predictable capitalization, numeric substitutions and special character add only a few bits of uncertainty to an ordinary dictionary word. The passphrase “correct horse battery staple”, four random common words written as a single phrase, would take about 550 years at the same rate. (Security experts have confirmed Munroe’s math, according to the WSJ.) “Through 20 years of effort, we have correctly trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess,” Munroe wrote at the bottom.
In other words, the passwords you should be using are long passphrases made of several words chosen at random: easy for a human to picture and remember, yet with far more possibilities than an automated guesser can run through. The randomness has to come from a generator or a roll of dice, not from your own head; a phrase you would naturally think of (a song lyric, a favourite quote) is exactly what a cracking word list already contains. Of course, if you use a password manager like LastPass or Zoho Vault, you can generate long random passwords on the fly for every site. But it’s still important to have a hard-to-crack master password, because it protects everything else.
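To make the xkcd arithmetic concrete, here is an added example (written for this article, not code from xkcd, NIST or the WSJ) that reproduces the comic’s bit counts and crack-time estimates and then generates a passphrase the way the comic recommends, with the operating system’s CSPRNG picking the words. The word list, the 1,000 guesses per second rate and the function names are assumptions of this example; the 32-word list is a constructed stand-in that is far too small for real use, where you would load a published list such as the EFF long word list (7,776 words, about 12.9 bits per word).

```python
"""Entropy behind the xkcd comparison, plus a passphrase generator.

Added example for this article. Bit counts for "Tr0ub4dor&3" are the ones the
comic itself prints; everything else (word list, alphabet, rate) is assumed.
"""
import math
import secrets
import string

GUESSES_PER_SECOND = 1000            # attacker rate the comic assumes
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365 * SECONDS_PER_DAY

# Constructed word list: 32 words -> only 5 bits per word. Illustrative only.
WORDLIST = [
    "correct", "horse", "battery", "staple", "apple", "river", "candle", "window",
    "pencil", "garden", "rocket", "silver", "marble", "forest", "button", "copper",
    "dragon", "feather", "island", "jacket", "kettle", "lantern", "meadow", "needle",
    "orange", "pepper", "quartz", "ribbon", "saddle", "timber", "velvet", "walnut",
]


def pattern_password_bits() -> int:
    """Entropy the comic credits to 'Tr0ub4dor&3': an uncommon base word (~16 bits),
    capitalisation (1), common substitutions (~3), punctuation (4), numeral (3),
    and the order of punctuation and numeral (1)."""
    return 16 + 1 + 3 + 4 + 3 + 1          # 28 bits


def passphrase_bits(word_count: int, wordlist_size: int) -> float:
    """Entropy of word_count words drawn uniformly at random from a wordlist_size list.
    The comic's example: 4 words from ~2048 common words -> 44 bits."""
    return word_count * math.log2(wordlist_size)


def expected_crack_days(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Days to exhaust a keyspace of 2**bits at `rate` guesses per second."""
    return 2 ** bits / rate / SECONDS_PER_DAY


def expected_crack_years(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Years to exhaust a keyspace of 2**bits at `rate` guesses per second."""
    return 2 ** bits / rate / SECONDS_PER_YEAR


def random_passphrase(word_count: int = 4, wordlist=WORDLIST, sep: str = " ") -> str:
    """Draw each word with secrets (the OS CSPRNG), never random.choice and never by
    hand: the entropy figure above only holds if every word is chosen uniformly."""
    return sep.join(secrets.choice(wordlist) for _ in range(word_count))


def random_manager_password(length: int = 20) -> str:
    """What a password manager generates: uniform choice over a 76-character alphabet,
    about 6.2 bits per character, so 20 characters is roughly 125 bits."""
    alphabet = string.ascii_letters + string.digits + "!#$%&*+-=?@^_~"
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    print(f"Tr0ub4dor&3 style : {pattern_password_bits()} bits, "
          f"~{expected_crack_days(pattern_password_bits()):.1f} days")
    print(f"4 of 2048 words    : {passphrase_bits(4, 2048):.0f} bits, "
          f"~{expected_crack_years(passphrase_bits(4, 2048)):.0f} years")
    print(f"4 of {len(WORDLIST)} words      : {passphrase_bits(4, len(WORDLIST)):.0f} bits "
          f"(why a tiny list is useless)")
    print("sample passphrase  :", random_passphrase())
    print("manager password   :", random_manager_password())
```

The 1,000 guesses per second figure is the comic’s assumption for an online attack against a web form; an attacker holding a stolen hash database and a GPU guesses many orders of magnitude faster, so treat the years as a comparison between the two schemes rather than as a promise.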
The new NIST standards published in June (the Digital Identity Guidelines, SP 800-63-3), authored by technical advisor Paul Grassi, did away with much of Burr’s advice: no more scheduled password changes unless there is evidence of compromise, no more composition rules, and in their place a minimum length, room for long passphrases, and a check of every new password against lists of known-breached and commonly chosen passwords.
“We ended up starting from scratch,” Grassi tells the WSJ. But Burr might be exaggerating the negative effects of his password advice, Grassi adds: “He wrote a security document that held up for 10 to 15 years. I only hope to be able to have a document hold up that long.”
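The difference between the two generations of advice is easiest to see as two validators side by side. The following is an added example written for this article, not NIST’s own code or the WSJ’s: `old_style_ok` encodes the familiar composition rules, and `check_memorized_secret` encodes the main rules SP 800-63B sets for a password the user picks (8 characters minimum, at least 64 accepted, rejection of breached, dictionary, repetitive, sequential and context-specific values, and no rotation without evidence of compromise). The tiny breached-password list, the context words and all function names are constructed assumptions; a real deployment would check against a large breach corpus such as a Have I Been Pwned download.

```python
"""Old composition-rule validator next to an SP 800-63B-style validator.

Added example for this article. BREACHED is a constructed stand-in for a real
breach corpus; the rules are those of SP 800-63B section 5.1.1.2.
"""
import re

MIN_LEN = 8    # memorized secrets chosen by the user SHALL be at least 8 characters
MAX_LEN = 64   # verifiers SHOULD accept at least 64; this example caps there

# Constructed blocklist: a real one holds hundreds of millions of entries.
BREACHED = {
    "password", "123456", "qwerty", "letmein", "p@ssw0rd",
    "welcome1", "tr0ub4dor&3",
}


def old_style_ok(pw: str) -> bool:
    """The rules Burr's guidelines led to: length plus one of each character class.
    'Tr0ub4dor&3' passes; 'correct horse battery staple' fails."""
    return all((
        len(pw) >= 8,
        re.search(r"[A-Z]", pw) is not None,
        re.search(r"[a-z]", pw) is not None,
        re.search(r"\d", pw) is not None,
        re.search(r"[^A-Za-z0-9]", pw) is not None,
    ))


def _is_sequential(s: str) -> bool:
    """True for a run like '12345678' or 'abcdefgh' (every step +1, or every step -1)."""
    if len(s) < 2:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps == {1} or steps == {-1}


def check_memorized_secret(pw: str, context_words=()) -> tuple[bool, str]:
    """SP 800-63B-style acceptance test. Returns (accepted, reason).
    context_words are service- or user-specific strings (username, company name)
    that must not appear inside the password."""
    if len(pw) < MIN_LEN:
        return False, f"shorter than {MIN_LEN} characters"
    if len(pw) > MAX_LEN:
        return False, f"longer than {MAX_LEN} characters"
    lowered = pw.lower()
    if lowered in BREACHED:
        return False, "appears in breached/common password list"
    if re.fullmatch(r"(.+?)\1+", pw):
        return False, "repetitive characters"
    if _is_sequential(lowered):
        return False, "sequential characters"
    for word in context_words:
        if word and word.lower() in lowered:
            return False, f"contains context-specific word {word!r}"
    # No composition rules: spaces, lowercase-only passphrases, Unicode are all fine.
    return True, "accepted"


def must_rotate(days_since_change: int, compromised: bool) -> bool:
    """Under the new guidance, age alone never forces a change; only evidence of
    compromise does. days_since_change is kept only to make the contrast explicit."""
    return compromised


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&3", "P@ssw0rd", "correct horse battery staple",
                      "12345678", "abababab", "jsmith-is-great!"):
        ok, why = check_memorized_secret(candidate, context_words=("jsmith", "acme"))
        print(f"{candidate!r:34} old rules: {old_style_ok(candidate)!s:5} "
              f"new rules: {ok!s:5} ({why})")
```

Note what the two validators disagree on: the old rules accept “P@ssw0rd”, a value that sits in every breach list, and reject a four-word passphrase; the new rules do the reverse. The breach check is the part that carries the weight, which is why the list behind it has to be large and kept current.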
Stay secure and ahead of the curve with KJONGSys. Get in touch with us today to start your free security evaluation.