“Much of what I did, I regret”: The guy behind password rules says sorry for making them so damn hard

The next time you’ve been forced to reset a password after the umpteenth incorrect guess, clench your fist and shout the name Bill Burr. The man who literally wrote the book on passwords has admitted he didn’t really know what he was doing at the time.

Burr, a former manager at the National Institute of Standards and Technology (NIST), was responsible for putting together a set of recommendations and standards around creating secure passwords in 2003. “NIST Special Publication 800-63. Appendix A” probably isn’t on your bedside table, but if you’ve ever been asked to create six-figure passwords with random numbers and capitalisations, you’ve felt its effect.

The document’s advice, that passwords should be made of irregular capitalisations, numbers and special characters, was widely adopted by everything from banks to government bodies. It also recommended that users should change their passwords at least every 90 days. The problem is that both pieces of advice are bad, and lead to passwords that are easy to crack.

“Much of what I did I now regret,” Burr told The Wall Street Journal in an interview. It turns out most of what Burr recommended stems from a white paper written in the 1980s, before the creation of the web. “In the end, [the collection of guidelines] was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree.”

The issue with creating passwords padded with symbols and numbers is that, while something like “Tr0ub4dor&3” may look obscure enough not to be guessed, in reality it follows predictable patterns of number and symbol placement. As a well-known XKCD comic illustrates, the example above would take a computer only three days to crack, while a phrase made of random words, such as “correct horse battery staple,” would take 550 years. According to the WSJ, this calculation checks out with security experts.


(Credit: XKCD)

Regularly changing passwords also has a fundamental issue, in that people tend to add only minor additions to their old password. Plonking a “1” or a “!” at the end of a password phrase is also predictable behaviour and, you guessed it, leads to weak codes that can be easily pulled apart by a computer. Then again, there are arguments from the opposite side, claiming we should be in the habit of changing passwords. Just make sure you replace it with something totally different, and maybe consider using a password manager.
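The two points above, the small guess space of a patterned password versus random words, and the few bits gained by tacking a character onto an old password, reduce to simple guess-space arithmetic. The following is an added example, not from the article or from NIST; the 28-bit and 44-bit figures and the 1,000 guesses per second rate are XKCD’s assumptions, and the 16-word list is constructed for illustration.

```python
import math
import secrets

# XKCD 936 figures (assumptions, not from the article): ~28 bits for the
# "Tr0ub4dor&3" pattern, 44 bits for four random common words, and
# 1000 guesses/s for an online attack against a rate-limited service.
TROUBADOR_BITS = 28
FOUR_WORD_BITS = 44
GUESSES_PER_SECOND = 1000

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY


def passphrase_bits(wordlist_size: int, n_words: int) -> float:
    """Entropy of n words chosen uniformly at random from the list."""
    return n_words * math.log2(wordlist_size)


def mutation_bits(n_variants: int) -> float:
    """Entropy gained by changing an old password in one of n_variants
    predictable ways (append a digit, swap a '!' on the end, ...)."""
    return math.log2(n_variants)


def crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to exhaust a 2**bits guess space at the given rate."""
    return 2.0 ** bits / guesses_per_second


def crack_days(bits: float, gps: float = GUESSES_PER_SECOND) -> float:
    return crack_seconds(bits, gps) / SECONDS_PER_DAY


def crack_years(bits: float, gps: float = GUESSES_PER_SECOND) -> float:
    return crack_seconds(bits, gps) / SECONDS_PER_YEAR


# Constructed 16-word sample list; a real generator uses a few thousand words.
SAMPLE_WORDS = ("correct horse battery staple anchor cloud delta ember "
                "forest garden harbor island jungle kettle lantern meadow").split()


def generate_passphrase(words=SAMPLE_WORDS, n_words: int = 4) -> list:
    """Pick n_words uniformly at random (with replacement) using a CSPRNG."""
    return [secrets.choice(words) for _ in range(n_words)]


if __name__ == "__main__":
    print(f"Tr0ub4dor&3 pattern: ~{crack_days(TROUBADOR_BITS):.1f} days")
    print(f"4 random words:      ~{crack_years(FOUR_WORD_BITS):.0f} years")
    print(f"2048-word list x 4 = {passphrase_bits(2048, 4):.0f} bits")
    print(f"'append 1 or !' adds only {mutation_bits(12):.1f} bits")
    print(" ".join(generate_passphrase()))
```

Raising the guess rate (an offline attack against a stolen hash runs many orders of magnitude faster) shrinks both times proportionally, which is why the passphrase’s extra 16 bits, not the absolute figures, is the point.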

A new set of NIST guidelines has been written by technical advisor Paul Grassi, who told the WSJ that the organisation “ended up starting from scratch”. To be fair to Burr, 2003 was a very different time, and the early days of the internet were full of missteps that underestimated the full extent of today’s connected world. Grassi, at least, thinks history shouldn’t judge Burr harshly: “He wrote a security document that held up for 10 to 15 years. I only hope to be able to have a document hold up that long.”

