The man who wrote the bible on safe passwords now says the world should forget everything he said.
Bill Burr advised the use of numbers, non-alphabetic symbols and capital letters as a way to provide added security in a 2003 publication he authored while working for the US government. But more than a decade later, the 72-year-old retired former manager at the National Institute of Standards and Technology admits he was wrong.
A message from the man who wrote those infuriating password rules: I got it wr0#ghttps://t.co/rNIZjDg8vM
— Wall Street Journal (@WSJ) August 8, 2017
The advice to create complicated and hard-to-remember passwords as well as change them every 90 days came from Burr in “NIST Special Publication 800-63. Appendix A.”
“Much of what I did I now regret,” Burr told the Wall Street Journal.
“It just drives people bananas and they don’t pick good passwords no matter what you do,” he explained, referring to bizarre letter, number and symbol combinations like “[email protected]” or “football123” which proved to be less secure. Users could not remember the complicated string of characters or had to write them down, further exposing them to security risks.
Frequent changes in passwords, known as “transformations,” were not effective either as users would often make minor changes like replacing the number 1 with a number 2. Not only are hackers aware of the subtle tweaks, they have them built into their scripts to break the codes as with numbers that appear in the middle of words in a password.
Hackers rely on “brute force” cyber attacks as computers cycle through every possible combination of characters to guess a password.
“In the end, it was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree,” Burr told the Journal.
Cartoonist Randall Munroe noted a few years back that, following Burr’s guidelines, the password ‘Tr0ub4dor&3’ could be hacked in three days while “CorrectHorseBatteryStaple” could take 550 years.
. @xkcdComic covered this well. pic.twitter.com/d1xzx0DsYj
— Tom Schutte (@MrTSchutte) August 7, 2017
“Through 20 years of effort, we’ve successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess,” he wrote.
Burr’s original password guidelines have been updated now by NIST standards-and-technology adviser, Paul Grassi, who found that the existing rules “actually had a negative impact on usability.”
“We ended up starting from scratch,” he said.
Grassi’s advice is to use longer, but easier to remember, “passphrases.”
“Good advice is to make a long but memorable “passphrase,” the new rules state. “String a few words together that you can remember with a visual. ‘Puffineatingbanana’ is easy to remember but would take millions of years for a computer to crack.”
And while Burr regrets his advice and its negative impact, Grassi disagreed.
“He wrote a security document that held up for 10 to 15 years,” he told the Journal. “I only hope to be able to have a document hold up that long.”
Twitter users reacted to Burr’s admission, many not surprised because of what they had already experienced.
Wake up right! Receive our free morning news blast HERE
Wow. This is oddly engrossing.
— Nicholas Slayton (@NSlayton) August 8, 2017
His advice was out of date ten years ago. But I still have to follow 22 f#ck1nG rules every time I need to make a password.
— I see Dumb people (@BrettOrlob) August 7, 2017
Haha pic.twitter.com/BLXRcSlFwB
— Kathryn C ????? (@Kathryn_CC) August 7, 2017
This mistake literally cost 10s if not 100s of Billions in lost productivity, & that’s before accounting for the cost of stress to end users
— Joey Incognito (@JoeyA_Incognito) August 7, 2017
Hope none of the people I do IT support for read this. They’ll rip me a new one. ?
— LPDHappy (@LPDah) August 8, 2017
To those cheering at the news: the rules weren’t wrong. It’s just that most of you were too stupid to implement them properly.
— John Drake (@TheRealNumber6) August 8, 2017
Goddamn baby boomers.
— justchecking (@porriblehun) August 7, 2017
NOW he tells us.
— Mark R. Harris (@fluencymark) August 8, 2017
CC: Guy who wants the name of my first pet as a “security” question before I can log into my wireless account
— Pezzz… (@PSeigh) August 8, 2017
In other news, NASA announced today that water is wet.
— Sam Dayyat (@SamDayyat) August 8, 2017
Finally!
— Nick Evans (@nickevans224) August 7, 2017
DONATE TO BIZPAC REVIEW
Please help us! If you are fed up with letting radical big tech execs, phony fact-checkers, tyrannical liberals and a lying mainstream media have unprecedented power over your news please consider making a donation to BPR to help us fight them. Now is the time. Truth has never been more critical!
[email protected]
Originally from New York, Powers graduated from New York University and eventually made her way to sunny South Florida where she has been writing for the BizPacReview team since 2015.
- Minnesota Dems promote bills to ban gas-powered lawnmowers, chainsaws - February 18, 2023
- KJP shows off her contempt for Trump with unnecessary jab during comms director’s sendoff - February 11, 2023
- DOJ ramps up a ‘mere review’ to full-fledged investigation after latest Biden doc discovery - January 12, 2023
Comment
We have no tolerance for comments containing violence, racism, profanity, vulgarity, doxing, or discourteous behavior. If a comment is spam, instead of replying to it please click the ∨ icon below and to the right of that comment. Thank you for partnering with us to maintain fruitful conversation.
