Published: Fri, August 11, 2017
Tech | By Dwayne Harmon

The man who created password hell admits he got it all wrong

Nearly 15 years ago, while working at the National Institute of Standards and Technology (NIST), Bill Burr wrote what would basically become the bible of password management: NIST Special Publication 800-63.

But in an interview with The Wall Street Journal, the now-retired Burr said most of his advice was incorrect. He says that long, easy-to-remember passwords are the safest bet for consumers, and that passwords should only be changed if there is any sign that they have been compromised.

Fortunately, NIST Special Publication 800-63 recently received a much-needed rewrite.

Now, easy-to-remember phrases are the preferred method, and passwords should only be changed if there is a suspected hack. A combination of four simple words can create a passphrase that would take a computer 550 years to guess, while a nonsensical string of random characters would take approximately three days. Bill Burr was with the National Institute of Standards and Technology when he issued the widely adopted password advice in 2003.
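To make the arithmetic behind those figures explicit, here is an added example (not from the article, NIST or Burr) that computes keyspace size and exhaustive-guessing time from a stated attacker model. The word-list size, the guess rates and the pool sizes in the "complex-looking password" model are assumptions; the offline rate is included because it shows the caveat the headline figures omit, namely that a leaked hash database lets the same passphrase fall in minutes, so rate limiting and slow password hashing matter as much as length.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace_bits(pool_sizes):
    """Entropy in bits of a secret built from independent uniform choices.

    pool_sizes lists how many equally likely options each choice had,
    e.g. [2048] * 4 for four words drawn from a 2048-word list.
    """
    return sum(math.log2(n) for n in pool_sizes)


def seconds_to_exhaust(bits, guesses_per_second):
    """Time for an attacker to try every candidate at the given rate."""
    return 2 ** bits / guesses_per_second


def passphrase_bits(words=4, wordlist_size=2048):
    """Four random words from an assumed 2048-word list: 4 * 11 = 44 bits."""
    return keyspace_bits([wordlist_size] * words)


def patterned_password_bits():
    """Assumed attacker model for a 'random-looking' password built from a
    dictionary word with leetspeak substitutions plus a digit and a symbol.
    Pool sizes are constructed assumptions: 65536 common words,
    capitalise-or-not, 8 substitution variants, one trailing digit,
    one of 16 symbols, and the digit/symbol order."""
    return keyspace_bits([65536, 2, 8, 10, 16, 2])


def compare(guesses_per_second):
    """Days needed to exhaust each keyspace at the given guess rate."""
    day = 24 * 3600
    return {
        "passphrase_days": seconds_to_exhaust(passphrase_bits(), guesses_per_second) / day,
        "patterned_days": seconds_to_exhaust(patterned_password_bits(), guesses_per_second) / day,
    }


if __name__ == "__main__":
    # Online guessing, throttled by the server (assumed 1,000 guesses/s)
    slow = compare(1000)
    print(f"online : passphrase {slow['passphrase_days'] / 365.25:.0f} years, "
          f"patterned {slow['patterned_days']:.1f} days")
    # Offline cracking of a leaked hash database (assumed 1e10 guesses/s)
    fast = compare(1e10)
    print(f"offline: passphrase {fast['passphrase_days'] * 24 * 60:.0f} minutes, "
          f"patterned {fast['patterned_days'] * 24 * 3600:.2f} seconds")
```

At the assumed online rate the passphrase takes about 557 years and the patterned password under four days, matching the article's rough figures; at the offline rate the passphrase lasts about 29 minutes.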

The result of that older guidance was that we were prompted to use passwords like "P@ssw0rd" or "0DoyleRulz".

Everything we know about what makes a strong password is wrong. This is especially critical, given that almost 20% of passwords used by business professionals for corporate accounts are "easily compromised", according to a report from security firm Preempt.

Another reason why his 2003 document could be wrong is that Burr did not have access to any proper empirical data while working on it.

Not only did the old password format frustrate users, it wasn't even the best way to keep hackers at bay.

That's right, the man who advised you to change your password regularly knows it "drives people bananas".

It's tough to create a good, secure password. Those guidelines became the cornerstone of a lot of websites, which is why you're often prompted to increase the complexity of your password.

"He wrote a security document that held up for 10 to 15 years", said Grassi.

Passwords should be changed if they have been put at risk by a breach or the like, but changing them frequently may be counterproductive.

He claims we have managed to create passwords that are hard to remember for humans but easy for computers to figure out. The increasingly complicated requirements are enough to make you pull your hair out, and just when you think you've nailed a decent login, you'll probably be forced to change it in a month anyway.