Users Misled by Bad Password Advice

Much of the password advice given out over the last 16 years is just plain wrong, the author of a guide to computer passwords has admitted. In an interview with the Wall Street Journal, Burr expressed his regrets for giving advice he now realizes was flawed.

The document in question is "NIST Special Publication 800-63". Its advice to change one's password every 90 days is largely incorrect, because most people make only minor changes, such as altering one or two characters, which are very easy to guess.

The U.S. federal agency now also says that people should only change their passwords if they think they may have been stolen or if their accounts have been compromised. By contrast, a simple passphrase of only four easy-to-remember words like "correct horse battery staple" would take 550 years to crack using the same brute force method.

"If the password alone comes back with a hit on this service, that's a very good reason to no longer use it regardless of whose account it originally appeared against".

He added that the recommendation to change passwords regularly was also wrong, since most users change only one letter or number, which does nothing to hinder hackers. Not to mention the carelessness of some people, made evident by the awful passwords that top "most common passwords" lists every year, with gems like "123456" and "password".

You've probably followed this go-to password strategy countless times online: a letter, number, at least one uppercase letter and a special character.

As explained in the XKCD comic, a password like "Tr0ub4dor&3", which adheres to Burr's original guidelines, is hard to remember and would take just three days to crack. It also recommended a ban on password strength meters, mandatory resets, and predictable combinations. So, while evildoers may not have actually exploited the vulnerability in the past, and your password may still be secure, if crooks do breach the system after the vulnerability is publicized and you change your password, they will likely obtain it. He was not a security expert, and the 72-year-old bureaucrat is now apologising for what he has done.
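The "three days" and "550 years" figures can be reproduced with a short calculation. The sketch below is an added example, not part of the original article. It assumes the per-component bit estimates and the 1000 guesses per second rate used in the XKCD comic, a 2048-word list, and a 95-character printable alphabet. It also goes one step further and estimates how little a one-character rotation edit adds when the old password is already known.

```python
import math

# Assumed model (not stated in the article): bit estimates and guess rate
# follow the XKCD "Password Strength" comic the article refers to.
GUESSES_PER_SECOND = 1000

# A pattern-built password such as "Tr0ub4dor&3": the attacker knows the
# recipe, so each user choice contributes only a few bits.
PATTERN_BITS = {
    "uncommon base word": 16,
    "capitalisation": 1,
    "common letter substitutions": 3,
    "punctuation symbol": 4,
    "numeral": 3,
    "order of symbol and numeral": 1,
}

def pattern_bits(components=PATTERN_BITS):
    """Total entropy of a password built from a known recipe."""
    return sum(components.values())

def passphrase_bits(n_words, wordlist_size=2048):
    """Entropy of n_words picked uniformly at random from a word list."""
    return n_words * math.log2(wordlist_size)

def one_char_tweak_bits(length, alphabet=95):
    """Entropy added by changing one character of a password the attacker
    already holds (the typical forced-rotation edit)."""
    return math.log2(length * (alphabet - 1))

def seconds_to_exhaust(bits, rate=GUESSES_PER_SECOND):
    """Worst-case time to try every candidate in a 2**bits search space."""
    return 2 ** bits / rate

def human(seconds):
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", 365.25 * 86400), ("days", 86400), ("seconds", 1)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.2f} seconds"

if __name__ == "__main__":
    cases = {
        'pattern password ("Tr0ub4dor&3")': pattern_bits(),
        "four random common words": passphrase_bits(4),
        "old password with one character changed": one_char_tweak_bits(11),
    }
    for label, bits in cases.items():
        print(f"{label}: {bits:.0f} bits, {human(seconds_to_exhaust(bits))}")
```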

Do you need a password manager to keep track of all your obscure, special character-filled and lengthy passwords necessary for various websites?

The UK's National Cyber Security Centre's password guidance says that forcing users to change their passwords at regular intervals "imposes burdens on the user and carries no real benefits". They are easy for us to remember but harder for a computer to hack because of the human factor.