Father of long-held security rule declares current passwords ‘invalid’

9 Aug 2017


N3v$r M1^d your old Pa$$word123, everything you thought you knew about secure passwords is wrong.

The system is broken. The father of the modern ‘safe’ password rule, Bill Burr, has labelled long-held password structures as flawed.

Burr, who published the industry bible on password security 14 years ago, declared that the use of complicated and difficult-to-remember passwords – mixing numbers, symbols and capital letters – is creating a serious weakness in security systems.

He wrote his guidance on password security – NIST Special Publication 800-63 Appendix A – in 2003 while working for the US government at the National Institute of Standards and Technology (NIST).

In the eight-page primer, Burr recommended that people use non-alphabetic symbols in passwords to make them difficult to guess.

However, the rules, which also urged IT departments to make users change their passwords every 90 days, have made systems less secure rather than more: users either end up reusing the same passwords over and over or write them on Post-it notes stuck to their monitors.

This has led to people adopting phrases such as ‘P@55w0rd’ or ‘Football123’.

Such passwords are vulnerable to automated cracking attacks, which either cycle through every conceivable password or, more efficiently, take a list of common words and apply exactly the substitutions users make, such as ‘@’ for ‘a’ or ‘0’ for ‘o’, to get into IT systems.

R3gret5, he has a few

“Much of what I did, I now regret,” Burr said in an interview with The Wall Street Journal.

“In the end, it was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree.”

Burr also criticised his own advice of urging people to regularly change passwords, since most people instinctively end up altering one character, which is useless against a brute-force attack and gives no protection at all against an attacker who already has the old password.

NIST has since changed its advice to those seeking to use secure passwords: the revised guidance, Special Publication 800-63B published in June 2017, drops the character-mix rules and periodic forced changes in favour of length, and tells systems to check new passwords against lists of known-compromised and commonly used ones.

It recommends people use easy-to-remember passphrases such as ‘catcalledjesskettleblack’ or ‘horsehasbolted’, which are harder for attackers running automated cracking tools to crack, with the strength coming from the length and the number of words rather than from unusual characters.
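To make the argument above concrete, here is a small Python demonstration added for this page; it is not code from the article, from Burr or from NIST. It models a dictionary attack that encodes the same substitutions users make to satisfy composition rules, the handful of guesses a ‘change one character’ rotation costs an attacker who already has the old password, the keyspace arithmetic behind passphrases, and a verifier check in the spirit of the revised NIST guidance (my reading of it, not NIST's code). The word list, substitution table, suffix list and blocklist are all constructed for the demo and stand in for the real cracking dictionaries and breached-password corpora attackers and defenders use.

```python
"""Why composition rules and one-character rotations give less protection than
their nominal keyspace suggests, and what a length-plus-blocklist check looks like.
All data below is constructed for the demo (toy dictionary, toy blocklist)."""
import itertools
import math

# Constructed toy dictionary standing in for a real cracking word list.
WORDS = ["password", "football", "dragon", "letmein", "horse", "has", "bolted"]

# Substitutions users make to satisfy composition rules. Crackers ship the same
# table as mangling rules, so '@' for 'a' only costs the attacker two extra tries.
LEET = {"a": "a@4", "e": "e3", "i": "i1!", "o": "o0", "s": "s$5", "t": "t7"}

# Appended digits and symbols, in the order an attacker would try them.
SUFFIXES = [str(n) for n in range(1000)] + ["!", "#", "!1"]


def mangle(word):
    """Yield every leet-substituted variant of word, lower-case then capitalised."""
    pools = [list(LEET.get(c, c)) for c in word]
    for combo in itertools.product(*pools):
        base = "".join(combo)
        yield base
        yield base.capitalize()


def candidates():
    """Attack order: bare mangled words first, then the same words with a suffix."""
    for word in WORDS:
        yield from mangle(word)
    for word in WORDS:
        for variant in mangle(word):
            for suffix in SUFFIXES:
                yield variant + suffix


def guesses_to_crack(target, limit=10_000_000):
    """Return the 1-based guess number at which target is hit, or None."""
    for n, guess in enumerate(candidates(), start=1):
        if guess == target:
            return n
        if n >= limit:
            return None
    return None


def rotation_guesses(old, new):
    """Guesses needed to reach a rotated password from the known old one using the
    rules that model typical rotations: bump the trailing number, or append or
    replace a single trailing character. Returns None if those rules miss."""
    head = old.rstrip("0123456789")
    tail = old[len(head):]
    guesses = []
    if tail:
        for step in range(1, 11):
            guesses.append(f"{head}{int(tail) + step:0{len(tail)}d}")
    for ch in "0123456789!#$":
        guesses.append(old + ch)        # user appended a character
        guesses.append(old[:-1] + ch)   # user replaced the last character
    for n, guess in enumerate(guesses, start=1):
        if guess == new:
            return n
    return None


def effective_bits(dictionary_size, variants_per_word, suffix_count):
    """log2 of the space a rule-based attack actually has to search."""
    return math.log2(dictionary_size * variants_per_word * suffix_count)


def passphrase_bits(list_size, word_count):
    """log2 of the space of word_count words drawn at random from a list_size list."""
    return word_count * math.log2(list_size)


def check_password_2003(pw):
    """The composition-rule style the article describes: 8+ chars, one of each class."""
    classes = [str.isupper, str.islower, str.isdigit, lambda c: not c.isalnum()]
    return len(pw) >= 8 and all(any(f(c) for c in pw) for f in classes)


# Constructed blocklist standing in for a breached/common-password corpus.
BLOCKLIST = {"password", "p@55w0rd", "football123", "letmein", "qwerty"}


def check_password_63b(pw, blocklist=BLOCKLIST):
    """Length-plus-blocklist check in the spirit of the revised NIST guidance:
    no character-class requirements and no expiry. 128 is a local maximum chosen
    for the demo; the guidance asks verifiers to allow at least 64 characters."""
    if len(pw) < 8:
        return (False, "shorter than 8 characters")
    if len(pw) > 128:
        return (False, "longer than the 128-character local maximum")
    if pw.lower() in blocklist:
        return (False, "appears in the blocklist of compromised/common passwords")
    return (True, "accepted")


if __name__ == "__main__":
    for pw in ("P@55w0rd", "Football123", "zq7#Lm!v"):
        print(f"{pw!r}: cracked at guess {guesses_to_crack(pw)}")
    print("Football123 -> Football124 takes", rotation_guesses("Football123", "Football124"), "guess")
    print(f"rule-based space for the toy attack: {effective_bits(len(WORDS), 108, len(SUFFIXES)):.1f} bits")
    print(f"4 words from a 7776-word list: {passphrase_bits(7776, 4):.1f} bits")
    for pw in ("P@55w0rd", "horsehasbolted"):
        print(pw, "2003 rule:", check_password_2003(pw), "| 63B-style:", check_password_63b(pw))
```

‘P@55w0rd’ falls inside the first few dozen guesses and ‘Football123’ within a few hundred thousand, although both satisfy the 2003-style rule; the rotation from ‘Football123’ to ‘Football124’ is the attacker's very first guess once the old password is known. The keyspace figures show the other half of the argument: the toy rule-based attack covers the whole substitution-plus-suffix space in about 20 bits of work, while four words chosen at random from a 7776-word list are about 52 bits with no substitution pattern to exploit. The same caveat applies to the article's examples: a passphrase is only as strong as the size of the list and the number of words drawn from it.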

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years

editorial@siliconrepublic.com