IT TURNS out, your online passwords don’t actually need to contain at least one capital letter, one number and one symbol, and no, they shouldn’t be changed on a schedule either.
Bill Burr, the author of the original eight-page manual from 2003 that went on to become the de facto standard for websites, government agencies, universities and large corporations, has admitted he was wrong.
“Much of what I did I now regret,” the retired 72-year-old, who authored “Special Publication 800-63, Appendix A” while working as a mid-level manager at the US government’s National Institute of Standards and Technology (NIST), told The Wall Street Journal. …
Mr Burr said the original document was written without any real-world password data to lean on, and he was under time pressure to get it done. “In the end, it was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree,” he said. …
Mr Burr said his original rule book “just drives people bananas and they don’t pick good passwords no matter what you do”.
The current version of the document, Special Publication 800-63B, states that password length, not complexity, is the “primary factor in characterising password strength”, and that composition rules should be dropped because they cause users to “respond in very predictable ways”.
“For example, a user that might have chosen ‘password’ as their password would be relatively likely to choose ‘Password1’ if required to include an upper case letter and a number, or ‘Password1!’ if a symbol is also required,” the guidelines say. …
The problem was highlighted in a popular cartoon by Randall Munroe, creator of the XKCD webcomic, who pointed out that a “passphrase” combining four random common words such as “correct horse battery staple” (about 44 bits of entropy) would take 550 years to crack at 1000 guesses per second, compared with just three days for a traditional mangled password like “Tr0ub4dor&3” (about 28 bits).
“Through 20 years of effort, we’ve successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess,” Munroe wrote.
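The comic’s arithmetic, carried out below as an added example that is not from the article or from the comic. The 1000-guess-per-second rate is the comic’s own assumption of a throttled remote login; the offline rate of ten billion guesses per second is an assumed figure for a fast, unsalted hash on GPU hardware and is not from the page. It shows why the same 44 bits that last centuries online fall in under an hour offline, which is the case for slow password hashing on the server side.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600
ONLINE_RATE = 1_000              # the comic's rate: a throttled remote login
OFFLINE_RATE = 10_000_000_000    # assumed figure for an unsalted fast hash on a GPU (not from the page)


def passphrase_bits(words: int, wordlist_size: int) -> float:
    """Entropy of `words` words drawn uniformly at random from a list of
    `wordlist_size` entries; four words from a 2048-word list is the comic's 44 bits."""
    return words * math.log2(wordlist_size)


def mangled_word_bits() -> int:
    """The comic's budget for 'Tr0ub4dor&3': an uncommon base word (~16 bits),
    capitalisation (1), common substitutions (~3), a symbol (4), a digit (3)
    and whether the symbol or the digit comes last (1)."""
    return 16 + 1 + 3 + 4 + 3 + 1


def seconds_to_crack(bits: float, guesses_per_second: float) -> float:
    """Time to enumerate the whole space, which is the figure the comic quotes;
    the expected time for a uniformly chosen secret is half of this."""
    return 2.0 ** bits / guesses_per_second


def years_to_crack(bits: float, guesses_per_second: float) -> float:
    return seconds_to_crack(bits, guesses_per_second) / SECONDS_PER_YEAR


def days_to_crack(bits: float, guesses_per_second: float) -> float:
    return seconds_to_crack(bits, guesses_per_second) / 86400


def words_needed(target_bits: float, wordlist_size: int) -> int:
    """Smallest passphrase length that reaches `target_bits` from a given list,
    e.g. how many words from a 7776-word Diceware list make an 80-bit secret."""
    return math.ceil(target_bits / math.log2(wordlist_size))


if __name__ == "__main__":
    cases = [("correct horse battery staple", passphrase_bits(4, 2048)),
             ("Tr0ub4dor&3", mangled_word_bits())]
    for name, bits in cases:
        print(f"{name:30} {bits:5.1f} bits  "
              f"online: {years_to_crack(bits, ONLINE_RATE):8.1f} years  "
              f"offline: {seconds_to_crack(bits, OFFLINE_RATE):10.3f} s")
    print("words for 80 bits from a 7776-word list:", words_needed(80, 7776))
```

`words_needed` generalises the comic’s four-word figure to any list size and target, which is how a practitioner sizes a passphrase policy rather than copying the number four.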
NIST’s new standards … do not impose other composition rules (e.g. mixtures of different character types). … They also ditch the requirement for passwords to be changed “arbitrarily” at set intervals, because users are likely to change their password in obvious ways — from “Pa55word!1” to “Pa55word!2”, for example. Passwords should only be changed if there’s a suspicion they have been stolen.
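Both substitutions quoted above, “password” to “Password1!” under composition rules and “Pa55word!1” to “Pa55word!2” under forced rotation, are reproduced by a handful of the mangling rules password crackers apply to a wordlist. The Python below is an added example, not code from the article or from NIST: it applies such rules, shows that the results satisfy the composition policy the article says to retire, and places beside that policy a verifier-side check in the spirit of SP 800-63B (a minimum length plus comparison against a list of commonly used passwords, no composition rules). The `COMMON` list and the `normalize` step that strips decorations before the lookup are constructed for this example; NIST specifies the comparison but not how to normalise.

```python
import re


def bump_trailing_digit(w: str) -> list[str]:
    """'Pa55word!1' -> 'Pa55word!2': the edit users make when forced to rotate."""
    m = re.search(r"(\d+)$", w)
    if m is None:
        return []
    n = m.group(1)
    return [w[:m.start()] + str(int(n) + 1).zfill(len(n))]


# Rule set modelled on the substitutions the guidelines describe. Each rule maps
# one candidate to the list of candidates it generates.
RULES = [
    ("capitalize",    lambda w: [w[:1].upper() + w[1:]]),
    ("s_to_5",        lambda w: [w.replace("s", "5")]),
    ("append_digit",  lambda w: [w + d for d in "0123456789"]),
    ("append_symbol", lambda w: [w + c for c in "!@#$"]),
    ("bump_digit",    bump_trailing_digit),
]


def mangle(base: str, depth: int) -> list[str]:
    """Candidates reachable from `base` by at most `depth` rule applications,
    shallowest first, i.e. the order a cracker would try them."""
    seen = {base: None}            # dict used as an insertion-ordered set
    frontier = [base]
    for _ in range(depth):
        nxt = []
        for w in frontier:
            for _, rule in RULES:
                for out in rule(w):
                    if out not in seen:
                        seen[out] = None
                        nxt.append(out)
        frontier = nxt
    return list(seen)


def guess_number(pw: str, base: str = "password", depth: int = 4):
    """1-based position of `pw` in the mangled list, or None if it is not reached."""
    cands = mangle(base, depth)
    return cands.index(pw) + 1 if pw in cands else None


def meets_composition_rules(pw: str) -> bool:
    """The policy the article says to retire: at least 8 characters with an
    upper-case letter, a digit and a symbol."""
    return (len(pw) >= 8
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


# Constructed stand-in for the list of commonly used or breached passwords that
# SP 800-63B tells verifiers to compare against; a real list has millions of entries.
COMMON = {"password", "qwerty", "letmein", "123456", "iloveyou"}


def normalize(pw: str) -> str:
    """Undo the decorations the rules above add before the blocklist lookup.
    This normalisation is an assumption of the example, not NIST's method."""
    core = re.sub(r"[\d\W_]+$", "", pw.lower())          # drop trailing digits/symbols
    return core.translate(str.maketrans("5401", "saoi"))  # undo common leet substitutions


def nist_style_ok(pw: str, min_len: int = 8) -> bool:
    """Minimum length plus blocklist, no composition rules."""
    return len(pw) >= min_len and normalize(pw) not in COMMON


if __name__ == "__main__":
    for pw in ["Password1", "Password1!", "Pa55word!2", "correct horse battery staple"]:
        print(f"{pw!r:32} guess #{guess_number(pw)!s:>6}  "
              f"composition={meets_composition_rules(pw)}  nist_style={nist_style_ok(pw)}")
```

The rotation case needs only one rule application from the old password: `mangle("Pa55word!1", 1)` already contains “Pa55word!2”, which is why an attacker who holds last quarter’s password gains little from the forced change.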
Common sense prevails, at last. A password that is long and easy to remember is both usable and hard to guess; the same NIST document pairs that length requirement with a check against lists of commonly used or previously breached passwords, so a long but well-known phrase is still turned away.