Father of long-held security rule declares current passwords ‘invalid’

9 Aug 2017


Image: Rawpixel.com/Shutterstock


N3v$r M1^d your old Pa$$word123: everything you thought you knew about secure passwords is wrong.

The system is broken. The father of the modern ‘safe’ password rule, Bill Burr, has labelled long-held password structures as flawed.

Burr, who published the industry bible on password security 14 years ago, has declared that requiring complicated, hard-to-remember passwords built from numbers, symbols and capital letters is creating a serious weakness in security systems.

He wrote his guidance on password security – NIST Special Publication 800-63 Appendix A – in 2003 while working for the US government at the National Institute of Standards and Technology (NIST).

In the eight-page primer, Burr recommended that people use non-alphabetic symbols in passwords to make them difficult to guess.

However, the rules, which include urging IT departments to make users change their passwords every 90 days, have made systems less safe rather than more: users either reuse the same passwords over and over or write them on post-it notes stuck to their monitors.

This has led to people adopting passwords such as ‘P@55w0rd’ or ‘Football123’.

Such patterns are vulnerable to brute-force and dictionary attacks, in which an attacker tries vast numbers of candidate passwords against a system or a stolen hash database. The familiar substitutions (@ for a, 0 for o, 5 for s) and the trailing ‘123’ are exactly the rules that password-cracking tools apply to their word lists, so a dictionary word dressed up this way is only a few guesses away from the plain word.

R3gret5, he has a few

“Much of what I did, I now regret,” Burr said in an interview with The Wall Street Journal.

“In the end, it was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree.”

Burr also criticised his own advice of urging people to change passwords regularly, since most people instinctively alter a single character, which is of little use against an attacker who already has the old password or is simply trying the obvious variations.

NIST has since revised its advice: the June 2017 update, Special Publication 800-63B, drops mandatory composition rules and arbitrary periodic changes, and instead has verifiers screen new passwords against lists of commonly used or previously breached values.

It recommends that people use easy-to-remember pass phrases such as ‘catcalledjesskettleblack’ or ‘horsehasbolted’, which, being much longer than a single substituted word, cost an attacker far more guesses to crack.
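To make the two points above concrete, here is an added example (not the article's code, and not NIST's): a normaliser that shows ‘P@55w0rd’ and ‘Football123’ are one cracking rule away from a dictionary word, a simplified verifier modelled on what SP 800-63B section 5.1.1.2 asks for, and a guess-count comparison between the ‘word + leet + suffix’ pattern and a random multi-word passphrase. The word list, the breached-password list and the leet-rule table are small constructed stand-ins for the multi-million-entry lists real tools use, and the function names are the example's own.

```python
"""Added example (not from the article or from NIST): why 'P@55w0rd'-style
passwords fall to rule-based cracking, and what a verifier in the spirit of
NIST SP 800-63B checks instead. All lists below are constructed stand-ins."""
import math
import re
from typing import Optional

# Substitutions that cracking rule sets undo; real rule files are far larger.
LEET = {"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
        "0": "o", "5": "s", "$": "s", "7": "t"}

# Constructed stand-in for a dictionary word list.
WORDLIST = {"password", "football", "dragon", "monkey", "letmein", "welcome"}

# Constructed stand-in for a list of breached/commonly used passwords,
# the kind SP 800-63B section 5.1.1.2 tells verifiers to compare against.
BREACHED = {"password", "123456", "qwerty", "Password1", "P@ssw0rd"}

# Trailing digit/symbol run such as '123' or '!'. It is stripped before the
# leet mapping so the '3' in 'Football123' is not misread as an 'e'.
SUFFIX = re.compile(r"[0-9!@#$%^&*]+$")


def normalise(password: str) -> str:
    """Map a password back to the base word a rule-based cracker would start
    from: strip a trailing digit/symbol run, lowercase, undo leet substitutions."""
    stripped = SUFFIX.sub("", password).lower()
    return "".join(LEET.get(ch, ch) for ch in stripped)


def is_weak(password: str) -> Optional[str]:
    """Return why the password is weak, or None if no cheap rule catches it."""
    if password in BREACHED:
        return "appears in breached-password list"
    base = normalise(password)
    if base in WORDLIST:
        return f"is a leet/suffix variant of dictionary word '{base}'"
    return None


def accept_per_800_63b(password: str) -> tuple:
    """Simplified acceptance check in the spirit of SP 800-63B 5.1.1.2:
    minimum 8 characters, no composition rules, reject known-weak values.
    The leet normalisation is an added hardening, not something 800-63B mandates."""
    if len(password) < 8:
        return False, "shorter than 8 characters"
    reason = is_weak(password)
    if reason:
        return False, reason
    return True, "ok"


def rule_based_guesses(wordlist_size: int, leet_rules: int, suffixes: int) -> int:
    """Guesses needed to exhaust 'dictionary word + leet rule + suffix' patterns."""
    return wordlist_size * leet_rules * suffixes


def passphrase_guesses(list_size: int, words: int) -> int:
    """Guesses needed to exhaust passphrases of `words` words drawn at random
    from a public list of `list_size` words (the attacker is assumed to know the list)."""
    return list_size ** words


def bits(guesses: int) -> float:
    """Guess count expressed as bits of entropy."""
    return math.log2(guesses)


if __name__ == "__main__":
    for pw in ("P@55w0rd", "Football123", "P@ssw0rd", "horsehasbolted"):
        print(f"{pw:16} -> {accept_per_800_63b(pw)}")
    # 100k words x 1k leet rules x 10k suffixes, versus 4 random words from a 7776-word list
    print(f"word+leet+suffix : {bits(rule_based_guesses(100_000, 1_000, 10_000)):.1f} bits")
    print(f"4-word passphrase: {bits(passphrase_guesses(7776, 4)):.1f} bits")
```

The guess-count figures carry the caveat a practitioner should keep in mind: four words chosen at random from a 7776-word list give roughly 52 bits, against roughly 40 bits for the whole ‘word + leet + suffix’ space, but a three-word phrase assembled from a 10,000-word list sits at the same 10^12 guesses as that pattern space. The benefit of a passphrase comes from the words being chosen at random and from there being enough of them, not from the absence of symbols as such.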

Editor John Kennedy is an award-winning technology journalist.

editorial@siliconrepublic.com