The Man Who Wrote the Password Rules Regrets Doing So (gizmodo.com)
New submitter cdreimer writes: According to a report in The Wall Street Journal (Warning: source may be paywalled, alternative source), the author behind the U.S. government's password requirements regrets wasting our time on changing passwords so often. From the report: "The man who wrote the book on password management has a confession to make: He blew it. Back in 2003, as a midlevel manager at the National Institute of Standards and Technology, Bill Burr was the author of 'NIST Special Publication 800-63. Appendix A.' The 8-page primer advised people to protect their accounts by inventing awkward new words rife with obscure characters, capital letters and numbers -- and to change them regularly. The document became a sort of Hammurabi Code of passwords, the go-to guide for federal agencies, universities and large companies looking for a set of password-setting rules to follow. The problem is the advice ended up largely incorrect, Mr. Burr says. Change your password every 90 days? Most people make minor changes that are easy to guess, he laments. Changing Pa55word!1 to Pa55word!2 doesn't keep the hackers at bay. Also off the mark: demanding a letter, number, uppercase letter and special character such as an exclamation point or question mark -- a finger-twisting requirement." "Much of what I did I now regret," Bill Burr told The Wall Street Journal. "In the end, [the list of guidelines] was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree."
I thought I was wrong once, but then I realised I was mistaken.
I got to the chocolate box before you, that's why the hard ones have teeth marks.
Here is your current password: Pzssw0rd1
(Don't worry - while you'll see your password in plain text there, all the other Slashdotters will see a string of asterisks like this: *********)
#DeleteChrome
So they never saw any problems with "check that the new password was not previously used or too similar to a previously-used PW" besides the non-plain-text storage? Best solution would of course be to go one step further:
"You have entered the password 'sdfsdfwefjsfj'; unfortunately this is already used by user 'charlie23', so please choose a different one."
So it's easy! You must change your password every 30 days, and to do so, you must type your previous 19 passwords.
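The summary's Pa55word!1 to Pa55word!2 complaint and the comment above about "too similar to a previously-used PW" both come down to the same design question: how to refuse a trivial variant or a recycled password without keeping old passwords in plain text. The following is an added example, not code from the article, NIST or any commenter; it assumes the change request carries the current password (so it is in memory for the comparison) and that history is kept only as salted PBKDF2 digests.

```python
import hashlib
import hmac
import os
import re

# Added example (not the article's or any commenter's code). Assumed design:
# the change request carries the current password, so it is in memory for the
# similarity check; earlier passwords survive only as salted PBKDF2 digests.

# Substitutions people make to satisfy composition rules (constructed table).
LEET = str.maketrans({"0": "o", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})
def normalize(pw: str) -> str:
    """Reduce a password to its underlying word: Pa55word!2 -> password."""
    return re.sub(r"[^a-z]+", "", pw.lower().translate(LEET))

def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to catch one-letter tweaks."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_trivial_variant(current: str, new: str) -> bool:
    """True if new is the same word with a bumped counter or swapped symbols."""
    a, b = normalize(current), normalize(new)
    return new == current or (len(a) >= 4 and edit_distance(a, b) <= 1)

def digest(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 50_000)

class PasswordHistory:
    """Keeps only (salt, digest) pairs for the last `depth` passwords."""
    def __init__(self, depth: int = 5) -> None:
        self.depth = depth
        self.entries: list[tuple[bytes, bytes]] = []
    def was_used(self, pw: str) -> bool:
        return any(hmac.compare_digest(digest(pw, s), d) for s, d in self.entries)
    def record(self, pw: str) -> None:
        salt = os.urandom(16)
        self.entries = (self.entries + [(salt, digest(pw, salt))])[-self.depth:]

def evaluate_change(current: str, new: str, history: PasswordHistory) -> str:
    """Return 'trivial_variant', 'reused' or 'ok'; the caller records on 'ok'."""
    if is_trivial_variant(current, new):
        return "trivial_variant"
    if history.was_used(new):
        return "reused"
    return "ok"
```

Because only digests are stored, exact reuse can be refused but similarity to anything older than the current password cannot be judged, which is the trade-off the comment is pointing at.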