The Man Who Wrote the Password Rules Regrets Doing So (gizmodo.com)

← Back to Stories (view on slashdot.org)

The Man Who Wrote the Password Rules Regrets Doing So (gizmodo.com)

Posted by BeauHD on Tuesday August 8, 2017 @10:10AM from the regretful-thinking dept.

New submitter cdreimer writes: According to a report in The Wall Street Journal (Warning: source may be paywalled, alternative source), the author behind the U.S. government's password requirements regrets wasting our time on changing passwords so often. From the report: "The man who wrote the book on password management has a confession to make: He blew it. Back in 2003, as a midlevel manager at the National Institute of Standards and Technology, Bill Burr was the author of 'NIST Special Publication 800-63. Appendix A.' The 8-page primer advised people to protect their accounts by inventing awkward new words rife with obscure characters, capital letters and numbers -- and to change them regularly. The document became a sort of Hammurabi Code of passwords, the go-to guide for federal agencies, universities and large companies looking for a set of password-setting rules to follow. The problem is the advice ended up largely incorrect, Mr. Burr says. Change your password every 90 days? Most people make minor changes that are easy to guess, he laments. Changing Pa55word!1 to Pa55word!2 doesn't keep the hackers at bay. Also off the mark: demanding a letter, number, uppercase letter and special character such as an exclamation point or question mark -- a finger-twisting requirement." "Much of what I did I now regret," Bill Burr told The Wall Street Journal. "In the end, [the list of guidelines] was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree."

9 of 239 comments (clear)

Min score:

Reason:

Sort:

At least he can admit it by Anonymous Coward · 2017-08-08 10:19 · Score: 3, Interesting

My university recently instituted this retarded system that we have to change every 90 days.
And they remember the last 5 or so hashes (one can only hope they don't remember the actual password), so you can't even switch back and forth.
Absolute bullshit.
I remember my dad just changed his every month and he just had MMYY at the end of every password.
Sigh. by ledow · 2017-08-08 10:26 · Score: 5, Interesting

LONG PASSWORDS.
The exponent of the equation (alphabet_size)^(length of password) matters MUCH more than the mantissa.
Put another character on the end of an alphanumeric password and you're doing more than selecting even the weirdest of keyboard-typeable symbols.
And the change-your-password-every-X-days was always junk and just provide a route for social engineering of the password reset process on a pre-determined schedule. If your password hasn't been compromised in a reasonable time, it's not going to be compromised. If your system LETS you try trillions of passwords, it's game over whether you change every week or not.
1. Re:Sigh. by vux984 · 2017-08-08 11:38 · Score: 4, Interesting
  
  The exponent of the equation (alphabet_size)^(length of password) matters MUCH more than the mantissa.
  Quite so.
  
  Put another character on the end of an alphanumeric password and you're doing more than selecting even the weirdest of keyboard-typeable symbols.
  Sort of. Except averagte people aren't choosing random alphanuemeric passwords and adding a letter. They are choosing from common dictionary words; usually from lists of 2000 to 60,000 at best.
  puzzle and dynamite are equally good (equally poor) passwords. dynamite isn't length 2 longer than puzzle. Both are length 1 from an alphabet of 2000 common dictionary words.
  
  And the change-your-password-every-X-days was always junk and just provide a route for social engineering of the password reset process on a pre-determined schedule.
  
  Not changing your password every X days is also junk and leads to that one time you gave it to your assistant in 2003 because you were home sick still being valid and he still can login and check your messages even though your the VP of operations now and he's working with a competitor.
  
  If your password hasn't been compromised in a reasonable time, it's not going to be compromised.
  And if it has ever been compromised, then it stays compromised. That's not good either.
  
  , it's game over whether you change every week or not.
  It does keep your ex-assistant from 10 years ago out of your email though.
2. Re:Sigh. by 0100010001010011 · 2017-08-08 12:09 · Score: 4, Interesting
  
  These annoying password rules are what prevent me from just using a hash as my password.
  echo -n $SALT+$USERNAME+$URL | sha256sum makes some great long passwords.
  Good brute force defense. Easy to remember and could be generated by hand if necessary.
  Plus when a site gets hacked or stores passwords plain text my password is useless elsewhere.
3. Re:Sigh. by Falos · 2017-08-08 12:41 · Score: 3, Interesting
  
  puzzle and dynamite are equally good (equally poor) passwords. dynamite isn't length 2 longer than puzzle. Both are length 1 from an alphabet of 2000 common dictionary words.
  This. correcthorsebatterystaple is a four-letter password in a bigger alphabet* without mods. Most of which offer little resilience gains for their complexity tax.
  superman is a weak password
  Sup3rm@n is equally weak, fuck your fucking retarded website
  so0p!$erm^an is strong but has too much complexity tax
  More recall tax means its going to be 1) reused more [the true pox] 2) forgotten more 2) changed less often 4) more likely to be written down, under keyboards, notecard, stickies. Mental recall is only good for N passwords with Z complexity, even less if you have to start all over again at F frequency.
  rrrybgdts is a nursery rhyme. I will always advocate for passphrases. Does your child like spongebob and Bob the Builder? Don't use his birthday; wliapcwfi will never be in the tables. I find this to be the best resilience-complexity tradeoff possible.
  *yes, I know, it's still resilient by being at the fourth power, but it's more abstract than phrases and more complexity tax = more bad practice. Get over the length hype, cracker tables don't give a fuck, no one brute forces past ~6 = wasted fucking lesson.
Obligatory XKCD by jcochran · 2017-08-08 10:27 · Score: 4, Interesting

Those who require passwords really ought to take a look at it.
https://xkcd.com/936/
Re: Cool of him. by ShanghaiBill · 2017-08-08 10:52 · Score: 5, Interesting

In America, if you admit to making a mistake, your statement may be used against you in a lawsuit. It is best to consult with an attorney before making any admission.
Reject new PW if too similar? by WoodstockJeff · 2017-08-08 11:03 · Score: 5, Interesting

5 years ago, our client insisted that we implement this sort of mischief on one site, with a 30-day change rule. One of the requirements was to check that the new password was not previously used or too similar to a previously-used PW.
"How does that work when you also tell us we cannot save the PW in plain text?"
To their credit, they admitted that it wasn't possible to comply with all the rules. But they have not yet relented on the 30 day change rule.
Which bit them big time during one of their security sweeps - the PW for the scanner's account "expired" part way through the testing. The subsequent lock-out for excessive failed login attempts was then interpreted as "server becomes unresponsive if excessive characters are injected at login." (we'll accept up to 32MB for passwords)
1. Re:Reject new PW if too similar? by flink · 2017-08-08 13:46 · Score: 4, Interesting
  
  Couldn't you just encrypt the plain text password history using a key derived from the current password? Then when attempting to change the password, you use the old password to decrypt the list and compare the desired new password to the history file using whatever likeness algorithm you like. If the new password turns out to be acceptable, re-encrypt the history using a new PBK based on the new password.