Your password could be all wrong! Man who wrote rules for password safety now regrets his advice

The man who wrote the bible on safe passwords now says the world should forget everything he said.

Bill Burr advised the use of numbers, non-alphabetic symbols and capital letters as a way to provide added security in a 2003 publication he authored while working for the US government. But more than a decade later, the 72-year-old retired former manager at the National Institute of Standards and Technology admits he was wrong.

The advice to create complicated and hard-to-remember passwords, as well as to change them every 90 days, came from Burr in “NIST Special Publication 800-63, Appendix A.”

“Much of what I did I now regret,” Burr told the Wall Street Journal.

“It just drives people bananas and they don’t pick good passwords no matter what you do,” he explained, referring to bizarre letter, number and symbol combinations like “[email protected]” or “football123” which proved less secure than intended. Users could not remember the complicated string of characters, or had to write them down, which exposed them to further security risks.

Frequent password changes were not effective either, because users would often make only minor “transformations,” such as replacing the number 1 with a number 2. Not only are hackers aware of these subtle tweaks, they build them into their cracking scripts, along with other predictable patterns such as digits placed in the middle of a word.

Hackers rely on “brute force” attacks, in which computers cycle through every possible combination of characters until they guess the password.

“In the end, it was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree,” Burr told the Journal.

Cartoonist Randall Munroe noted a few years back that, following Burr’s guidelines, the password ‘Tr0ub4dor&3’ could be cracked in about three days, while ‘CorrectHorseBatteryStaple’ could take 550 years.

“Through 20 years of effort, we’ve successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess,”  he wrote.
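The three-days-versus-550-years comparison comes from counting how many guesses an attacker really needs, not from how many characters the password has. The following script is an added illustration, not code from the article or from NIST: it reproduces that style of accounting with constructed, labelled assumptions (a per-component bit budget for the “complex” password, a 2,048-word list for the passphrase, and a guess rate of 1,000 per second), and also shows why the same 11-character string would look far stronger if it had actually been chosen at random.

```python
import math

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY

# Assumed guessing rate for the comparison. 1,000 guesses/second is an
# online-style rate; offline cracking of a leaked hash is orders of magnitude
# faster, so treat this as a knob, not a fact from the article.
GUESSES_PER_SECOND = 1_000

# Constructed entropy budget for a "complex" password of the Tr0ub4dor&3 kind.
# An attacker does not guess 11 random characters; they guess a dictionary
# word plus a handful of predictable decorations. Each figure is an estimate
# of the bits of uncertainty that component contributes (assumed here).
COMPLEX_PASSWORD_BUDGET_BITS = {
    "uncommon dictionary base word": 16,
    "which letter is capitalised": 1,
    "common substitutions (0 for o, 4 for a)": 3,
    "appended numeral": 3,
    "appended punctuation symbol": 4,
    "order of numeral and symbol": 1,
}

WORDLIST_SIZE = 2048    # assumed size of a common-words list
PASSPHRASE_WORDS = 4    # "CorrectHorseBatteryStaple"


def budget_bits(budget: dict) -> int:
    """Total guessing entropy of a password assembled from the listed components."""
    return sum(budget.values())


def passphrase_bits(words: int, wordlist_size: int) -> float:
    """Entropy of `words` words chosen independently and uniformly from a list."""
    return words * math.log2(wordlist_size)


def naive_bits(charset_size: int, length: int) -> float:
    """Entropy the password would have if every character were truly random.
    This is what a complexity rule *appears* to buy, and what human-chosen
    passwords almost never deliver."""
    return length * math.log2(charset_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Time to try every one of 2**bits possibilities at the given rate."""
    return 2 ** bits / guesses_per_second


def days_to_exhaust(bits: float, guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    return seconds_to_exhaust(bits, guesses_per_second) / SECONDS_PER_DAY


def years_to_exhaust(bits: float, guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    return seconds_to_exhaust(bits, guesses_per_second) / SECONDS_PER_YEAR


def words_for_target(target_bits: float, wordlist_size: int) -> int:
    """Smallest number of list words whose combined entropy reaches target_bits.
    Useful when setting a passphrase policy: every extra word multiplies the
    attacker's work by the list size."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def compare() -> dict:
    """Side-by-side figures for the two password styles under the assumptions above."""
    complex_bits = budget_bits(COMPLEX_PASSWORD_BUDGET_BITS)
    phrase_bits = passphrase_bits(PASSPHRASE_WORDS, WORDLIST_SIZE)
    return {
        "complex_bits": complex_bits,
        "complex_days": days_to_exhaust(complex_bits),
        # 95 printable ASCII characters, same length as Tr0ub4dor&3
        "complex_if_random_bits": naive_bits(95, len("Tr0ub4dor&3")),
        "passphrase_bits": phrase_bits,
        "passphrase_years": years_to_exhaust(phrase_bits),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key:>24}: {value:,.1f}")
    print("words for 80 bits:", words_for_target(80, WORDLIST_SIZE))
```

Under these assumptions the complex password amounts to 28 bits (about three days of guessing) and the four-word passphrase to 44 bits (roughly 550 years), while the same 11 characters would be worth about 72 bits only if they had been generated randomly. The defensive lesson is the one the article draws: strength comes from how a password is chosen, so policies should measure and encourage length and randomness rather than mandate symbols and rotation.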

Burr’s original password guidelines have been updated now by NIST standards-and-technology adviser, Paul Grassi, who found that the existing rules “actually had a negative impact on usability.”

“We ended up starting from scratch,” he said.

Grassi’s advice is to use longer, but easier to remember, “passphrases.”

“Good advice is to make a long but memorable ‘passphrase,’” the new rules state. “String a few words together that you can remember with a visual. ‘Puffineatingbanana’ is easy to remember but would take millions of years for a computer to crack.”

And while Burr regrets his advice and its negative impact, Grassi disagreed.

“He wrote a security document that held up for 10 to 15 years,” he told the Journal. “I only hope to be able to have a document hold up that long.”

Twitter users reacted to Burr’s admission, many not surprised because of what they had already experienced.
