The man who wrote the bible on safe passwords now says the world should forget everything he said.
Bill Burr advised the use of numbers, non-alphabetic symbols and capital letters as a way to provide added security in a 2003 publication he authored while working for the US government. But more than a decade later, the 72-year-old retired former manager at the National Institute of Standards and Technology admits he was wrong.
A message from the man who wrote those infuriating password rules: I got it wr0#ghttps://t.co/rNIZjDg8vM
— Wall Street Journal (@WSJ) August 8, 2017
The advice to create complicated and hard-to-remember passwords as well as change them every 90 days came from Burr in “NIST Special Publication 800-63. Appendix A.”
“Much of what I did I now regret,” Burr told the Wall Street Journal.
“It just drives people bananas and they don’t pick good passwords no matter what you do,” he explained, referring to bizarre letter, number and symbol combinations like “[email protected]” or “football123” which proved to be less secure. Users could not remember the complicated string of characters or had to write them down, further exposing them to security risks.
Frequent changes in passwords, known as “transformations,” were not effective either as users would often make minor changes like replacing the number 1 with a number 2. Not only are hackers aware of the subtle tweaks, they have them built into their scripts to break the codes as with numbers that appear in the middle of words in a password.
Hackers rely on “brute force” cyber attacks as computers cycle through every possible combination of characters to guess a password.
“In the end, it was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree,” Burr told the Journal.
Cartoonist Randall Munroe noted a few years back that, following Burr’s guidelines, the password ‘Tr0ub4dor&3’ could be hacked in three days while “CorrectHorseBatteryStaple” could take 550 years.
— Tom Schutte (@MrTSchutte) August 7, 2017
“Through 20 years of effort, we’ve successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess,” he wrote.
Burr’s original password guidelines have been updated now by NIST standards-and-technology adviser, Paul Grassi, who found that the existing rules “actually had a negative impact on usability.”
“We ended up starting from scratch,” he said.
Grassi’s advice is to use longer, but easier to remember, “passphrases.”
“Good advice is to make a long but memorable “passphrase,” the new rules state. “String a few words together that you can remember with a visual. ‘Puffineatingbanana’ is easy to remember but would take millions of years for a computer to crack.”
And while Burr regrets his advice and its negative impact, Grassi disagreed.
“He wrote a security document that held up for 10 to 15 years,” he told the Journal. “I only hope to be able to have a document hold up that long.”
Twitter users reacted to Burr’s admission, many not surprised because of what they had already experienced.
Wake up right! Receive our free morning news blast HERE
Wow. This is oddly engrossing.
— Nicholas Slayton (@NSlayton) August 8, 2017
His advice was out of date ten years ago. But I still have to follow 22 f#ck1nG rules every time I need to make a password.
— I see Dumb people (@BrettOrlob) August 7, 2017
— Kathryn C 🍍🍕🍍🍕🍍 (@Kathryn_CC) August 7, 2017
This mistake literally cost 10s if not 100s of Billions in lost productivity, & that’s before accounting for the cost of stress to end users
— Joey Incognito (@JoeyA_Incognito) August 7, 2017
Hope none of the people I do IT support for read this. They’ll rip me a new one. 😬
— LPDHappy (@LPDah) August 8, 2017
To those cheering at the news: the rules weren’t wrong. It’s just that most of you were too stupid to implement them properly.
— John Drake (@TheRealNumber6) August 8, 2017
Goddamn baby boomers.
— justchecking (@porriblehun) August 7, 2017
NOW he tells us.
— Mark R. Harris (@fluencymark) August 8, 2017
CC: Guy who wants the name of my first pet as a “security” question before I can log into my wireless account
— Pezzz… (@PSeigh) August 8, 2017
In other news, NASA announced today that water is wet.
— Sam Dayyat (@SamDayyat) August 8, 2017
— Nick Evans (@nickevans224) August 7, 2017
Latest posts by Frieda Powers (see all)
- ‘Why, why…why?’ Nicolle Wallace comes unglued, pushes numerous ‘theories’ after Barr’s presser - April 18, 2019
- Frantic Chuck and Nancy call Barr’s handling of report a ‘crisis,’ demand Mueller testify before Congress ‘ASAP’ - April 18, 2019
- Ed Henry rips Dems for ‘moving the goalposts’ on Mueller probe: “It started with ‘we have evidence…’” - April 18, 2019