The Man Who Wrote the Password Rules Regrets Doing So (gizmodo.com)
New submitter cdreimer writes: According to a report in The Wall Street Journal (Warning: source may be paywalled, alternative source), the author behind the U.S. government's password requirements regrets wasting our time on changing passwords so often. From the report: "The man who wrote the book on password management has a confession to make: He blew it. Back in 2003, as a midlevel manager at the National Institute of Standards and Technology, Bill Burr was the author of 'NIST Special Publication 800-63. Appendix A.' The 8-page primer advised people to protect their accounts by inventing awkward new words rife with obscure characters, capital letters and numbers -- and to change them regularly. The document became a sort of Hammurabi Code of passwords, the go-to guide for federal agencies, universities and large companies looking for a set of password-setting rules to follow. The problem is the advice ended up largely incorrect, Mr. Burr says. Change your password every 90 days? Most people make minor changes that are easy to guess, he laments. Changing Pa55word!1 to Pa55word!2 doesn't keep the hackers at bay. Also off the mark: demanding a letter, number, uppercase letter and special character such as an exclamation point or question mark -- a finger-twisting requirement." "Much of what I did I now regret," Bill Burr told The Wall Street Journal. "In the end, [the list of guidelines] was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree."
I have to say that's really cool of him to come out and say that. Awesome for somebody to be able to admit they are wrong, as we are all wrong at different times. Way to go!
Just because I can hook a shark from a boat, I do no offer to wrestle it in the water.
Next time don't get a comedian to invent password rules?
But P@55w0rd!2 is still safe, isn't it?
First law of people: People are generally stupid.
My university recently instituted this retarded system that we have to change every 90 days.
And they remember the last 5 or so hashes (one can only hope they don't remember the actual password), so you can't even switch back and forth.
Absolute bullshit.
I remember my dad just changed his every month and he just had MMYY at the end of every password.
I find these password requirements vexing, but I forgive you.
LONG PASSWORDS.
The exponent of the equation (alphabet_size)^(length of password) matters MUCH more than the mantissa.
Put another character on the end of an alphanumeric password and you're doing more than selecting even the weirdest of keyboard-typeable symbols.
And the change-your-password-every-X-days was always junk and just provides a route for social engineering of the password reset process on a pre-determined schedule. If your password hasn't been compromised in a reasonable time, it's not going to be compromised. If your system LETS you try trillions of passwords, it's game over whether you change every week or not.
It is intuitively obvious to the casual observer that requiring passwords to contain certain characters reduces the number of possible passwords of a given length, thus reducing security.
Those who require passwords really ought to take a look at it.
https://xkcd.com/936/
This egomaniac isn't responsible, password rules meeting or exceeding his claim go back at least two decades for commercial companies, and longer for "Government" (especially DOD). I have a policy from 1995 that I wrote for the company I worked for at the time.
Password enforcement was a constant problem 20-30 years ago, but we all had policies.
The short duration of a password was not some arbitrary number based on "mah ego", it was based on a majority of systems which could not handle a password longer than 8 characters.
I didn't invent the password policy, but by this claim I sure as hell could.
Oh, and password policies are as important today as they were back then. Go ahead and claim your fingerprints are fool proof!
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
My work requires us to change our passwords every 90 days. I've had the same password for the last 15 years with the exception of one letter of the alphabet that goes from a to b to c... I'm on letter g right now. I've rotated through the alphabet a number of times and still get a thrill when I rotate from z back to a.
Where there is weeping, and gnashing of teeth. Also they use his system of passwords, the wifi signal is always just out of reach and the coffee is made in percolators that go on forever.
My pet annoyance is those sites that do not clearly state what their particular requirement is, clearly, up front. So it only tells you after you've entered something you think may be acceptable, and you've then lost that train of thought and are forced to figure out something new.
This is not news to many sysadmins. Some of our managers even get it as well.
None of that matters in the face of regulatory compliance.
The Daddy casts sleep on the Baby. The Baby resists!
I'm more annoyed when sites require passwords that aren't in line with the kind of data they're holding. I don't want to have to remember a banking-safe password when I'm trying to log into a fart jokes website.
I swear to God...I swear to God! That is NOT how you treat your human!
...also suggested using cruise ships for population control.
Sig ?
Ladies and gentlemen, I think I've found my new password!
Algorithms for determining password strength are uniformly terrible, too. I once set up an account in Plesk and it rejected K"Nb\:uO` as too weak but accepted P@55w0rd without complaint.
Both Unix crypt() and Windows LM hash had password length limits. Long passwords like we have and recommend today were impossible.
"In the end, [the list of guidelines] was probably too complicated for a lot of folks to understand very well..."
In other words, he did what a lot of us have done; assumed people were actually smart.
He should stop apologizing; intelligent people have been doing that for centuries.
My pet annoyance is those sites that do not clearly state what their particular requirement is, clearly, up front.
Even worse are the sites that don't state their password rules and that don't provide an error message when the rules are violated. The only indication that the password is unacceptable is that the user will fail to authenticate when he tries to log in. (I suspect that Mail.com does this, but I can't be certain, because there is absolutely no feedback from the site.)
I have had to fight our auditors every year for decades about stupid password ageing rules. I refused to implement them and said it would LOWER security while simultaneously pissing off users and lowering productivity. Each year I added more references to articles from people who agreed with me, just in case.
Maybe now they will finally believe me?
Another one along the same lines is needing to come up with a password when you don't need one.
If I'm making a one-shot purchase from your website, there is NO F*CKING NEED FOR ME TO OPEN AN ACCOUNT!!! Why are you forcing me to create an account?
General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
5 years ago, our client insisted that we implement this sort of mischief on one site, with a 30-day change rule. One of the requirements was to check that the new password was not previously used or too similar to a previously-used PW.
"How does that work when you also tell us we cannot save the PW in plain text?"
To their credit, they admitted that it wasn't possible to comply with all the rules. But they have not yet relented on the 30 day change rule.
Which bit them big time during one of their security sweeps - the PW for the scanner's account "expired" part way through the testing. The subsequent lock-out for excessive failed login attempts was then interpreted as "server becomes unresponsive if excessive characters are injected at login." (we'll accept up to 32MB for passwords)
About time. Most in the security community have known this for a long time and many large enterprises have long since adjusted away from those garbage recommendations. Really this was a case of a technically knowledgeable person making recommendations without thinking about how people think and work. We moved away from those NIST recommendations nearly a decade ago where I work because it was blatantly obvious they were poor real world recommendations.
I strongly suspect that one way to measure how onerous the password policy is in a particular environment is to go through the office flipping up keyboards. The metric would be as a percentage of yellow stickies with passwords stuck underneath. You could weight the metric by the size of the penalty for writing down your password.
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
He's off the hook; put down your torches.
The guy that pisses me off every day that I log on-- who decided that they must be NONDISPLAY--has 3 pitchforks with his name on them
xkcd comic is spot on. My problem with all of this, especially two-factor, multi-factor, "secret" questions, etc., is that I can NOT remember all of that crap, so I'm forced to write it down- on paper, in files on my computers and NAS, etc. Not so secure now.
Or sites where they accept an unlimited length in the setup but silently truncate to some arbitrary length, and then on the login page they accept an unlimited length again but this time compare your entered password with the truncated one, and you get a mismatch even with copy+paste. I have stumbled on a few of those.
As it is, I have the stupid policy at work. I simply change my password from ******** to ******** and everything is good.
The Kai's Semi-Updated Website Thingy
soooooo..... update the damn thing and go on the 8pm news and get the word out that those rules and the stated schedule for changing passwords are both BS and give some reasonable guidelines (like 4 random words strung together) along with having the industry standard of an exponentially longer timeout after 3 wrong guesses (or just locking the account and/or blocking the IP address (or range) the bogus attempts were coming from, depending on your need for security)... and a million other better solutions to security (2 factor anyone?) rather than arcane letter/number/special character/upper/lowercase change it every week stupidity.
If you disagree, please post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like
I would be more embarrassed if somebody could prove I had an account on a fart jokes site than if they stole money from my checking account.
His password policies suck. No wonder he changed careers.
"The agriculture ministry is not in charge of Gundam" - Japanese ministry official.
Forcing an extended character set is nonsense. Instead use longer pass phrases (e.g., XKCD's "horse battery staple"). Given N characters from a set of size C, there are C^N possibilities, thus the possibilities are polynomial in C, but exponential in N. Damn the sites that limit N!
Those of us interested in tracking every detail of your single-purchase behaviors...then selling that info to another entity...strongly disagree that there isn't a need to force you to voluntarily register and create an account. Despite your tone indicating that you disagree with this practice, our records clearly show you clicked "I agree."
Yet more annoying is sites that prevent you from Control-V paste or middle-click paste. Come on! I want to be able to generate a 32 or 64 character gobbledygook password in KeePass and just paste it in there.
Some sites screw it up and prevent either Control-V or middle-click, but not both. But those are rare. Seriously, web developers, it doesn't help anybody to prevent pasting into a password field.
The worst was one financial-related site that I had to use that not only did not allow you to paste into the password field, it would not even let you type into the password field. It would present an on-screen keyboard (using JavaScript) with the letters and numbers all scrambled around. Talk about practically forcing people to write down their passwords. (To me a decent password is one that I can only enter by muscle memory; as in, I could not actually tell you the password itself even if my life depended on it).
What's that?
Seriously, he expected people to remember complicated passwords and then change those complicated passwords every 3 months... Forget that.
He also didn't understand that by imposing and publishing requirements, he made life a lot easier for crackers. If you know a password has to contain at least two lower case letters, one upper case letter, one digit and one symbol, you have reduced the possible passwords you have to check to a tiny fraction of the original. A password that could take years to crack suddenly falls within days or hours because the requirements have reduced the number of combinations significantly.
Increasing your character set makes it harder to run brute force attacks and even randomly guess a password, even when the increase in character count is fully known.
Changing every 90 days was a bitch, though, agreed.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
I managed to get the root password on a Unix system to include a backspace. Then the login program wouldn't take it.
crackers? that's racist!
Most of those password requirements actually date back to the 80s or 90s, and most of them were in fact intended to protect salted/hashed passwords of only 8 characters in length. Given that adding numbers and symbols added a third to half extra characters that might have to be bruteforced to break a maximum complexity 8 character password, they made perfect sense.
That said, once you move up to 20-30 character passwords and sufficiently complicated hashing algorithms, the necessary textual complexity of the password actually decreases. If you moved up to a true passphrase or sentence, the length is sufficient that even with only upper or lowercase characters the odds of computationally brute forcing the password are tiny and the rubber hose or keylogging recovery methods are much more useful.
The password hell is where he belongs. Always one more complex password for that ice cold drop of water.
In GOD we trust, all others we monitor.
64 characters, symbols, letters, numbers, capitals and lower case. Change them at least once a month, never use the same password twice and use random generation as much as possible. If you can, you don't just use a password, use at least 2FA, if not MFA (I have servers with 4FA+ on them).
The exponent of the equation (alphabet_size)^(length of password) matters MUCH more than the mantissa.
I only checked for 6-8 digit passwords, but having upper case letters allows far more different combinations than adding an extra character. You're correct if you consider the small-alphabet version to already have upper and lower case letters--in that case, adding an extra character gives more possibilities than allowing ASCII special characters.
A cat can't teach a dog to bark.
I think you will find that auditors are measuring compliance with an externally set standard, not affirming that you are doing the wise thing. So you're shooting the messenger, which is seldom productive.
I uninstalled Pokemon Go on the registry page because of this retardation. An insecure password is my problem, not theirs, and I am a much better authority on what is and is not a secure password than they are by virtue of the fact that I know math.
His penance should be to have to remember 1000 different 16 character passwords with mixed case, numbers, punctuation and line noise that change 3 times a day.
Bad:
* The probability of guessing someone's password increases only marginally if it is unchanged.
* Frequent password change just makes the users add sequence number or the month name to the passwords.
* All the character category requirements induce only bad passwords in order to be able to remember them.
Better:
* Write down complex passwords and keep them in your wallet along with your 100 € notes, which you never want to lose anyway.
* Simple password complexity evaluation algorithm, e.g. adding points to length, and the number of different characters and such.
* Lock any account that is not used in some time interval, and use some other mechanism to unlock it, e.g. human administrator, email, SMS or extra long password for this purpose.
(Previously posted on forums.xkcd.com.)
If I'm making a one-shot purchase from your website, there is NO F*CKING NEED FOR ME TO OPEN AN ACCOUNT!!!
Insensitive clod! Don't you realise that people like you are destroying the internet!
We are all guilty of using P@assword1, P@ssword2, etc.... but I can't keep committing a complex password to memory every 90 days. So here's the deal... let the user decide. Users are free to pick simple passwords and the system will decide to make them change those passwords every 90 days. If the user picks a complex password they won't have to change it again. My bet is that the users will come up with a /great/ complex password ONCE.
Do they also break control-Insert paste? I've never used control-V. All my life I've used control-Insert to paste.
I've never read a guide to strong passwords that was more than a half page long. How the hell do you stretch it out to 8 pages?
Kinda tells me why the specs for chocolate chip cookies are 40 pages long.
Wha? Are you daft? Setting an "at least" says NOTHING about how many you CAN have beyond that. The password could have one UC, or two, or three, ... or ALL UC. >= 2 LC + >= 1 UC could be satisfied by LULL, UULL, LUUU, or UUUL. The brute force cracker still has to try all combinations. OK, he can eliminate a trivial part of the combinations, like UUUU and LLLL, but his life is not made "a lot easier".
The really frustrating part, for me anyway, is the lack of coherent standards. I get the complexity, but the fact that not ALL possible keyboard characters are acceptable and the complexity standards vary is really annoying. This is so bad that there is no way that I can remember most of my seldom used passwords. These are spread across multiple systems that do not get reset at the same time (differing client networks and such). One of these has such an egregious password requirement that I cannot have one that remotely makes sense (I just ended up slapping the keyboard randomly into a txt file and I now have to C+P the password in).
So the desire for massively complex and changing password has resulted in me keeping several txt files with my passwords listed by various accounts. Great security policy stuff this is.....
An apology from a bureaucrat for being too bureaucratic. Didn't realize such a beast existed.
There once was a man in NIST,
Whose advice was as useful as a cyst.
He started a password trend,
nonsense that would not end.
Better security from a phrase and a twist.
He was proposing a compromise between security and convenience.
My personal approach is to use completely random passwords, where the characters are chosen from the complete character set that the particular login allows. I have a different password for every different login I have. With password keepers or even the old-fashioned "write them on a piece of paper you keep in your wallet", this isn't an unworkable approach.
I don't cycle them on a regular basis, but every so often I get itchy about it cycle them. This happens about every other year.
Al Gore:
During my service in the United States Congress, I took the initiative in creating the Internet. I took the initiative in moving forward a whole range of initiatives that have proven to be important to our country's economic growth and environmental protection, improvements in our educational system.
Vint Cerf and Bob Kahn:
Al Gore was the first political leader to recognize the importance of the Internet and to promote and support its development...as the two people who designed the basic architecture and the core protocols that make the Internet work, we would like to acknowledge VP Gore's contributions as a Congressman, Senator and as Vice President. No other elected official, to our knowledge, has made a greater contribution over a longer period of time.
source. I don't know why people were so gleeful to misrepresent Gore's words on the subject then, but it's just bizarre to hear it repeated here of all places nearly two decades later. Then again, you're also seemingly arguing that ARPANET wasn't a DoD project, so perhaps this confusion is expected.
Those who advocate genocide deserve every protection afforded by law, and none afforded by common human decency.
Wha? Are you daft? Setting an "at least" says NOTHING about how many you CAN have beyond that.
Neither does not having requirements.
You never had combinatorics in school, I take it?
Just a simple requirement like "at least one upper case letter and one digit" reduces the number of possible combinations to 2.3% of the original (for ASCII - for other character sets, the savings are even bigger).
That's a factor of over 34 in savings. And it goes downhill from there; the more complex and numerous the rules are, the fewer combinations have to be tried. This is a GREAT help for brute forcing, and programs like john the ripper can take advantage of it, turning a month or year long cracking session into a much shorter one.
As for minimum length, that penalizes those who would have chosen a long password anyhow. If the minimum length is 10 characters, that's about 630,000,000,000,000,000 passwords eliminated that I don't have to try.
OK, he can eliminate a trivial part of the combinations, like UUUU and LLLL, but his life is not made "a lot easier".
More like enormously easier.
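The keyspace arithmetic argued over in the thread (whether one more character beats a bigger alphabet, and how much an "at least one upper case and one digit" rule shrinks the set a brute-force run has to cover) as an added worked example, not part of any comment above; the class sizes are the printable-ASCII counts and `count_with_required` is my own inclusion-exclusion routine, so readers can check the quoted percentages themselves rather than take either side's number on trust.

```python
"""Keyspace arithmetic for password composition rules (added example).

Two questions from the thread: does one more character beat a larger
alphabet, and how much does "at least one upper case and one digit"
shrink the set of passwords an exhaustive search must cover?  Class
sizes are the printable-ASCII counts; all counts are exact integers.
"""
from itertools import combinations
from math import log2

# Printable ASCII: 26 lower, 26 upper, 10 digits, 33 symbols = 95 characters.
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}
ASCII_PRINTABLE = sum(CLASSES.values())


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of strings of exactly `length` characters over the alphabet."""
    return alphabet_size ** length


def bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random password of that shape."""
    return length * log2(alphabet_size)


def count_with_required(length, required, alphabet_size=ASCII_PRINTABLE, sizes=CLASSES):
    """Passwords of `length` containing at least one character from every class in `required`.

    Inclusion-exclusion: start from all strings, subtract those that miss one
    required class, add back those that miss two, and so on (sign alternates with k).
    """
    total = 0
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            reduced = alphabet_size - sum(sizes[c] for c in missing)
            total += (-1) ** k * keyspace(reduced, length)
    return total


def policy_fraction(length, required, alphabet_size=ASCII_PRINTABLE, sizes=CLASSES):
    """Share of the unconstrained keyspace that still satisfies the rule."""
    return count_with_required(length, required, alphabet_size, sizes) / keyspace(alphabet_size, length)


def below_min_length(min_length, alphabet_size=ASCII_PRINTABLE):
    """Strings shorter than the minimum: the candidates a minimum-length rule removes."""
    return sum(keyspace(alphabet_size, n) for n in range(min_length))


if __name__ == "__main__":
    print(f"8 chars, full printable ASCII: {bits(ASCII_PRINTABLE, 8):.1f} bits")
    print(f"9 chars, alphanumeric only:    {bits(62, 9):.1f} bits")
    print(f"12 chars, lower case only:     {bits(26, 12):.1f} bits")
    for rule in [("upper",), ("upper", "digit"), ("upper", "digit", "symbol")]:
        frac = policy_fraction(8, rule)
        print(f"8 chars, at least one of each of {rule}: "
              f"{frac:.1%} of keyspace, {log2(1 / frac):.2f} bits lost")
    print(f"minimum length 10 removes {below_min_length(10):,} shorter strings")
```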