Slashdot Mirror


The Man Who Wrote the Password Rules Regrets Doing So (gizmodo.com)

New submitter cdreimer writes: According to a report in The Wall Street Journal (Warning: source may be paywalled, alternative source), the author behind the U.S. government's password requirements regrets wasting our time on changing passwords so often. From the report: "The man who wrote the book on password management has a confession to make: He blew it. Back in 2003, as a midlevel manager at the National Institute of Standards and Technology, Bill Burr was the author of 'NIST Special Publication 800-63. Appendix A.' The 8-page primer advised people to protect their accounts by inventing awkward new words rife with obscure characters, capital letters and numbers -- and to change them regularly. The document became a sort of Hammurabi Code of passwords, the go-to guide for federal agencies, universities and large companies looking for a set of password-setting rules to follow. The problem is the advice ended up largely incorrect, Mr. Burr says. Change your password every 90 days? Most people make minor changes that are easy to guess, he laments. Changing Pa55word!1 to Pa55word!2 doesn't keep the hackers at bay. Also off the mark: demanding a letter, number, uppercase letter and special character such as an exclamation point or question mark -- a finger-twisting requirement." "Much of what I did I now regret," Bill Burr told The Wall Street Journal. "In the end, [the list of guidelines] was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree."
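As an added illustration (not part of the story or of any comment) of the two rule sets the summary contrasts: a small Python checker in which the 2003-style composition test accepts "Pa55word!1", while a length-plus-blocklist check of the kind the 2017 revision of SP 800-63 moved to rejects it, and a similarity test catches the "Pa55word!1" to "Pa55word!2" rotation. The blocklist and the substitution map are constructed sample values, not a real breach list.

```python
import string

# Constructed stand-in for a breached/common-password blocklist; a real
# deployment would load a large list built from known breach corpora.
COMMON_PASSWORDS = {"password", "letmein", "qwerty", "welcome", "123456", "12345678"}

# Constructed map of the substitutions users typically apply to satisfy
# composition rules ("Pa55word" for "password").
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def passes_2003_rules(pw: str) -> bool:
    """Composition rules of the 2003 kind: 8+ characters containing a lowercase
    letter, an uppercase letter, a digit and a special character.
    Note that this happily accepts 'Pa55word!1'."""
    return (len(pw) >= 8
            and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def stem(pw: str) -> str:
    """Reduce a password to its underlying word: lowercase, drop the trailing
    digits/punctuation users bump on each rotation, undo leet substitutions."""
    return pw.lower().rstrip(string.digits + string.punctuation).translate(LEET)


def is_trivial_rotation(old: str, new: str) -> bool:
    """True when the new password is the old one with only a suffix bump or a
    character swap, e.g. 'Pa55word!1' -> 'Pa55word!2' (same stem 'password')."""
    return stem(old) == stem(new)


def passes_modern_rules(pw: str, previous: str = "") -> tuple:
    """Length plus blocklist check in the spirit of the 2017 revision: no
    character-class demands, but reject common words and, when the old password
    is available at change time, trivial rotations of it."""
    if len(pw) < 8:
        return False, "shorter than 8 characters"
    if pw.lower() in COMMON_PASSWORDS or stem(pw) in COMMON_PASSWORDS:
        return False, "based on the common word %r" % stem(pw)
    if previous and is_trivial_rotation(previous, pw):
        return False, "trivial variant of the previous password"
    return True, "ok"


if __name__ == "__main__":
    for old, new in [("Pa55word!1", "Pa55word!2"),
                     ("Tr0ub4dor&3", "correct horse battery staple")]:
        print("%-30s 2003: %-5s modern: %s" % (new, passes_2003_rules(new),
                                                passes_modern_rules(new, old)))
```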

9 of 239 comments

  1. Cool of him. by captaindomon · Score: 5, Insightful

    I have to say that's really cool of him to come out and say that. Awesome for somebody to be able to admit they are wrong, as we are all wrong at different times. Way to go!

    --
    Just because I can hook a shark from a boat, I do not offer to wrestle it in the water.

    1. Re: Cool of him. by Anonymous Coward · Score: 5, Insightful

      "I was wrong" is one of the most powerful things you can say. Many find it very difficult, but it becomes easier with practice. The people who would have the largest positive impact on the world by saying this are politicians, but sadly they are also among the least likely to be able to say it.

    2. Re: Cool of him. by JohnFen · Score: 5, Insightful

      Oh, hell, I'm wrong several times every day. Just like nearly 100% of the human population. I do often marvel, though, at how rare it is to hear someone face up to it.

      Finding out that you're wrong is a moment to celebrate, not something to be embarrassed by. It marks a moment when you've become just a little less ignorant about something.

      As the old saying goes, I've never learned anything from being right.

    3. Re: Cool of him. by 93 Escort Wagon · Score: 4, Insightful

      The real problem is that, in 2017, so many web sites and institutions are still forcing users to comply with the exact same set of 2003-era rules.

      --
      #DeleteChrome

    4. Re: Cool of him. by Anonymous Coward · Score: 2, Insightful

      The rules are kind of a good idea. At least they eliminate all the passwords that would fall to a brute force attack in under 5 minutes. This ensures an attacker must spend more than 5 minutes breaking in. The catch? Nobody is watching and you have literally years to keep guessing.
      The problem is not password rules, the problem is there is no active security team looking over things anymore. It's all been "automated" except it hasn't...they just act like it has.

  2. Not clearly stating password requirements UP FRONT by Traf-O-Data-Hater · Score: 5, Insightful

    My pet annoyance is those sites that do not clearly state what their particular requirement is, up front. So it only tells you after you've entered something you think may be acceptable, and you've then lost that train of thought and are forced to figure out something new.

  3. Measuring policy complexity by roc97007 · Score: 4, Insightful

    I strongly suspect that one way to measure how onerous the password policy is in a particular environment is to go through the office flipping up keyboards. The metric would be the percentage of keyboards with yellow stickies with passwords stuck underneath. You could weight the metric by the size of the penalty for writing down your password.

    --
    Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.

  4. Re: Obligatory XKCD by freeze128 · Score: 1, Insightful

    ...and *NOT* implement that scheme! Hackers are already using 4-word dictionary attacks. (They read xkcd as well.)

  5. Re: Sigh. by ledow · Score: 3, Insightful

    STOP PASSWORD SHARING.

    If you need your assistant to see your email, adjust the permissions so he can.

    And remove them when you're done. Or they are automatically removed when he's sacked and the account is disabled.

    Password sharing is the dumbest way to give someone access. And it is a disciplinary offence in most places because it's counter to the Data Protection Act.