Password guru regrets past advice — BBCI

Since its initial release almost fifteen years ago, the NIST guidance on passwords has been updated a number of times, most recently in June this year.

Bill Burr is the reason most companies make you put numbers and punctuation marks in your passwords and change them every few months - and he's very, very sorry.

It should be remembered that people are pretty bad at this: left to themselves, they tend to pick easy passwords.

When creating passwords, users are often required to use a certain number of letters and numbers, with the letters in both upper and lower case and special characters sprinkled throughout. Meanwhile, hackers sometimes use powerful computers to target systems and steal massive password files.

He added that the advice to regularly change passwords was mistaken, since most people end up altering one character, such as changing from "username1" to "username2", which does little to stop hackers.

Instead of creating a password, opt for a passphrase that can be long but easy to remember.

A new study by password manager vendor Dashlane finds that 46 percent of consumer websites do not require strong passwords. A passphrase might be a string of ordinary human words that make up a sentence, for example. The original rules came from "Appendix A", the section containing the password guidance we've held true for years now.

In an interview with The Wall Street Journal, Burr said a document he created in 2003 on how to create safe and secure passwords was misinterpreted, and that this led to a lot of confusion. That was well before we needed passwords for access to our email, online bank accounts, social networks, and smartphones.

Also, as I explained after the Heartbleed bug when I suggested that people ignore the advice of "experts" who were recommending that everyone change his or her passwords en masse, if a vulnerability that allows systems to be compromised is publicized it is important not to change passwords on systems that may still be vulnerable.

Turns out that while having "password" as a password is still a dumb idea, that complicated string of characters isn't all that much smarter. It is only the length of the password that matters.
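To put numbers on the length-versus-complexity point above, here is an added example (not from the article or from NIST) that estimates the search space an attacker faces for three styles of password. The dictionary, substitution and suffix counts are assumptions chosen to model the "first word plus a few substitutions" habit; the 7,776-word list size is the Diceware convention.

```python
import math

# Constructed modelling assumptions (not figures from the article).
COMMON_WORDS = 20_000      # words a cracking dictionary would try first
LEET_VARIANTS = 16         # a->@, o->0, s->$, e->3: 2^4 combinations
SUFFIX_CHOICES = 320       # one digit (10) times one symbol (32) appended
PRINTABLE_ASCII = 95       # charset of a truly random password
DICEWARE_WORDS = 7_776     # size of a standard passphrase word list


def random_password_bits(length: int, charset_size: int) -> float:
    """Entropy of a password drawn uniformly from charset_size^length."""
    return length * math.log2(charset_size)


def mangled_word_bits(words: int, variants: int, suffixes: int) -> float:
    """Entropy of 'pick a word, swap some letters, add a digit and symbol'.

    An attacker who knows the habit only has to try every word with every
    substitution pattern and every suffix, so the space is the product.
    """
    return math.log2(words * variants * suffixes)


def passphrase_bits(word_count: int, list_size: int) -> float:
    """Entropy of word_count words chosen at random from a list_size list."""
    return word_count * math.log2(list_size)


def rotation_gain_bits(positions_changed: int, charset_size: int) -> float:
    """Extra uncertainty a forced change adds when only a few characters move,
    e.g. 'username1' -> 'username2' changes one digit."""
    return positions_changed * math.log2(charset_size)


if __name__ == "__main__":
    print(f"P@ssw0rd-style, 9 chars : {mangled_word_bits(COMMON_WORDS, LEET_VARIANTS, SUFFIX_CHOICES):.1f} bits")
    print(f"random 8 printable chars: {random_password_bits(8, PRINTABLE_ASCII):.1f} bits")
    print(f"4-word passphrase       : {passphrase_bits(4, DICEWARE_WORDS):.1f} bits")
    print(f"rotating one digit adds : {rotation_gain_bits(1, 10):.1f} bits")
```

The mangled dictionary word lands well under 30 bits despite satisfying a typical "upper, lower, digit, symbol" rule, while a four-word passphrase that is far easier to remember roughly doubles that.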

Long live the universal password!

"But there is still traditional advice in other areas of computer security being perpetuated despite us knowing it won't work".

The problem was that he didn't have enough data on what sort of passwords were successful. "More recently, cryptographic mechanisms and biometric techniques have been used in physical and logical security applications, replacing or supplementing the traditional identity credentials".

"While we don't expect biometric adoption to happen overnight, biometric verification of identity on a personal device will, in one way or another, become a standard identification process". There it is shown (at the time this article was first published) how federal security standards rely on three factors of authentication. Also of note here - these documents are always subject to updates and improvements.

If you've ever had to come up with a "secure" password, you probably did the same thing as nearly everyone else: pick the first word that comes to mind and substitute a few numbers and symbols for letters.
