The man who created password hell admits he got it all wrong
By Chris Smith, Trusted Reviews: The man whose advice compelled the world to choose complex passwords — with capital letters, numbers and special characters — has admitted he was ‘barking up the wrong tree.’
Bill Burr, who works at the National Institute of Standards and Technology, inked the guidelines for password strength in 2003.
“Much of what I did I now regret,” Burr, now 72 and retired, told the Wall Street Journal.
“In the end, it was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree.”
So where does that leave us? Well, thankfully the NIST is creating a brand new set of guidelines, overhauling many of the practices.
The new guidelines will call for longer phrases with memorable words strung together. For example, ‘fishchipsmushypeas’ would be much harder for botnets to guess than weaker single-word passwords littered with special characters and numbers.
Apparently, those passwords are easy enough to guess because people just swap out an ‘o’ for a ‘0’, or an ‘i’ for an ‘!’.
Goodbye, enforced changes
The new advice will also call for regular, enforced password changes to be ditched unless there’s a security breach.
The NIST believes that people only tend to change one character when forced into a password change. So, Password1 becomes Password2 and so on.
The new guidelines say: “Research has shown, however, that users respond in very predictable ways to the requirements imposed by composition rules. For example, a user that might have chosen “password” as their password would be relatively likely to choose “Password1” if required to include an uppercase letter and a number, or “Password1!” if a symbol is also required.”
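The two points the article makes, that leet-style substitutions add little and that composition rules push users toward predictable variants like ‘Password1!’, can be turned into a concrete policy check. The block below is an added example written for this page; it is not code from the article, from Bill Burr, or from NIST. It contrasts a 2003-style composition rule with a length-plus-blocklist check that first normalises the predictable tweaks away. The substitution table, the tiny blocklist and the minimum length of 8 are constructed assumptions for illustration, not values taken from the article.

```python
"""Contrast a composition-rule password check with a normalise-then-blocklist
check. Added example; the blocklist, substitution table and MIN_LENGTH are
constructed for illustration and are not from the article or from NIST."""
import re
from typing import Tuple

# Constructed: the character swaps users typically make to satisfy
# composition rules (o->0, i->1 or !, a->@, s->$ or 5, and so on).
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "!": "i", "3": "e", "4": "a",
    "@": "a", "$": "s", "5": "s", "7": "t",
})

# Constructed: a stand-in for a real list of common or breached passwords.
BLOCKLIST = {"password", "qwerty", "letmein", "123456", "12345678", "fish"}

MIN_LENGTH = 8  # assumed minimum; not a figure given in the article


def normalize(pw: str) -> str:
    """Undo the predictable tweaks: case, appended digits/symbols, and leet swaps.

    'Password1!' -> 'password', 'P@ssw0rd' -> 'password', 'Password2' -> 'password'.
    The trailing counter is stripped before the leet map runs so that a
    trailing '!' is not read as an 'i'.
    """
    low = pw.lower()
    # Drop appended counters such as the '1' or '1!' in 'Password1!'.
    stripped = re.sub(r"[^a-z]+$", "", low) or low
    return stripped.translate(LEET_MAP)


def composition_rule_check(pw: str) -> bool:
    """The 2003-era rule the article describes: require an upper-case letter,
    a digit and a symbol. Shown for contrast; it happily accepts 'Password1!'."""
    return (any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(not c.isalnum() for c in pw))


def check_password(pw: str) -> Tuple[bool, str]:
    """Length plus blocklist, with the blocklist applied to both the raw
    lower-cased password and its normalised form."""
    if len(pw) < MIN_LENGTH:
        return False, "too short"
    if pw.lower() in BLOCKLIST or normalize(pw) in BLOCKLIST:
        return False, "predictable variant of a blocklisted password"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("Password1!", "P@ssw0rd", "fishchipsmushypeas"):
        print(f"{candidate!r}: composition rule -> {composition_rule_check(candidate)}, "
              f"length+blocklist -> {check_password(candidate)}")
```

Run stand-alone, the script shows the inversion the article describes: ‘Password1!’ and ‘P@ssw0rd’ pass the composition rule but are rejected once normalised, while the passphrase ‘fishchipsmushypeas’ fails the composition rule yet passes the length-and-blocklist check. In a real deployment the blocklist would be a breached-password corpus and the check would run server-side at enrolment and on password change.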