Slashdot Mirror


The Man Who Wrote the Password Rules Regrets Doing So (gizmodo.com)

New submitter cdreimer writes: According to a report in The Wall Street Journal (Warning: source may be paywalled, alternative source), the author behind the U.S. government's password requirements regrets wasting our time on changing passwords so often. From the report: "The man who wrote the book on password management has a confession to make: He blew it. Back in 2003, as a midlevel manager at the National Institute of Standards and Technology, Bill Burr was the author of 'NIST Special Publication 800-63. Appendix A.' The 8-page primer advised people to protect their accounts by inventing awkward new words rife with obscure characters, capital letters and numbers -- and to change them regularly. The document became a sort of Hammurabi Code of passwords, the go-to guide for federal agencies, universities and large companies looking for a set of password-setting rules to follow. The problem is the advice ended up largely incorrect, Mr. Burr says. Change your password every 90 days? Most people make minor changes that are easy to guess, he laments. Changing Pa55word!1 to Pa55word!2 doesn't keep the hackers at bay. Also off the mark: demanding a letter, number, uppercase letter and special character such as an exclamation point or question mark -- a finger-twisting requirement." "Much of what I did I now regret," Bill Burr told The Wall Street Journal. "In the end, [the list of guidelines] was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree."

44 of 239 comments

  1. Cool of him. by captaindomon · · Score: 5, Insightful

    I have to say that's really cool of him to come out and say that. Awesome for somebody to be able to admit they are wrong, as we are all wrong at different times. Way to go!

    --
    Just because I can hook a shark from a boat, I do not offer to wrestle it in the water.
    1. Re: Cool of him. by Anonymous Coward · · Score: 5, Insightful

      "I was wrong" is one of the most powerful things you can say. Many find it very difficult, but it becomes easier with practice. The people who would have the largest positive impact on the world by saying this are politicians, but sadly they are also among the least likely to be able to say it.

    2. Re: Cool of him. by JohnFen · · Score: 5, Insightful

      Oh, hell, I'm wrong several times every day. Just like nearly 100% of the human population. I do often marvel, though, at how rare it is to hear someone face up to it.

      Finding out that you're wrong is a moment to celebrate, not something to be embarrassed by. It marks a moment when you've become just a little less ignorant about something.

      As the old saying goes, I've never learned anything from being right.

    3. Re:Cool of him. by decep · · Score: 2

      I am not really disagreeing with you, but I do not think he was wrong. I mean, he is wrong *now*, but he was not wrong for 2003. Password security was atrocious in the late 90s.

      Perhaps Bill Burr's password rules were more of an over-correction due to the piss-poor password management of the era.

    4. Re:Cool of him. by ozduo · · Score: 4, Funny

      I thought I was wrong once, but then I realised I was mistaken.

      --
      I got to the chocolate box before you, that's why the hard ones have teeth marks.
    5. Re:Cool of him. by 93+Escort+Wagon · · Score: 4, Insightful

      The real problem is that, in 2017, so many web sites and institutions are still forcing users to comply with the exact same set of 2003-era rules.

      --
      #DeleteChrome
    6. Re: Cool of him. by ShanghaiBill · · Score: 5, Interesting

      In America, if you admit to making a mistake, your statement may be used against you in a lawsuit. It is best to consult with an attorney before making any admission.

    7. Re: Cool of him. by Anonymous Coward · · Score: 2, Insightful

      The rules are kind of a good idea. At least they eliminate all the passwords that would fall to a brute force attack in under 5 minutes. This ensures an attacker must spend more than 5 minutes breaking in. The catch? Nobody is watching and you have literally years to keep guessing.
      The problem is not password rules, the problem is there is no active security team looking over things anymore. It's all been "automated" except it hasn't...they just act like it has.

    8. Re: Cool of him. by F.Ultra · · Score: 2

      That is because as a politician the public will never reward you for admitting that you were wrong, it will only be used by the opposition as a proof that you are always wrong.

    9. Re:Cool of him. by F.Ultra · · Score: 2

      Well, his rules that you should rotate your password were wrong both then and now.

    10. Re: Cool of him. by LunaticTippy · · Score: 2

      I think you're misguided here. Most people will never be sued, so they are free to admit mistakes without repercussion. Then there are people who are never ever wrong who get sued constantly, many thousands of times. There is a certain President who comes to mind.

      --
      Man, you really need that seminar!
    11. Re:Cool of him. by kwbauer · · Score: 2

      Because they aren't reading the current NIST recommendations. That is not the fault of NIST or Bill Burr. If we are going to say that something cannot have been good in its time because some people refuse to move beyond that, then we are in for a world of pain because we will do nothing more than enforce the status quo.

    12. Re:Cool of him. by AmiMoJo · · Score: 2

      We seem to have a de-facto standard .js library for everything, except the most important security stuff like password validation and storage.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  2. At least he can admit it by Anonymous Coward · · Score: 3, Interesting

    My university recently instituted this retarded system that we have to change every 90 days.
    And they remember the last 5 or so hashes (one can only hope they don't remember the actual password), so you can't even switch back and forth.
    Absolute bullshit.
    I remember my dad just changed his every month and he just had MMYY at the end of every password.

    1. Re:At least he can admit it by zippthorne · · Score: 4, Informative

      Exactly. It's not difficult to get passwords wrong, even Bruce Schneier is wrong about passwords - see his criticism of the XKCD method:

      --
      Can you be Even More Awesome?!
    2. Re:At least he can admit it by KeithIrwin · · Score: 2

      By and large, though, the exact technique outlined in xkcd doesn't work. It's not enough bits of entropy. It's better than the approach it's comparing to, but the assumption of 1000 password guesses per second is not accurate for offline cracking, which is what we're worried about. A good password cracking rig can crack 100 billion passwords per second if they're encrypted using something like NTLM (which many Windows networks use in addition to their primary hash for backwards compatibility) or md5 or the SHA family. Only things like scrypt, bcrypt, and PBKDF are reasonable. If they don't use one of those (which for web sites you likely don't know), you should assume 100 billion guesses per second. And then instead of xkcd's approach resulting in 53 years to crack, the correct time is about a half an hour.

      That said, we can fix that by increasing the number of words to five or six to be on the safe side. Once we do that, we have a reasonable margin of safety. So it's not that the approach can't be tweaked, but at the time Schneier was writing about this, it was clear that the approach as described could be cracked relatively quickly.

  3. Sigh. by ledow · · Score: 5, Interesting

    LONG PASSWORDS.

    The exponent of the equation (alphabet_size)^(length of password) matters MUCH more than the mantissa.

    Put another character on the end of an alphanumeric password and you're doing more than selecting even the weirdest of keyboard-typeable symbols.

    And the change-your-password-every-X-days was always junk and just provided a route for social engineering of the password reset process on a pre-determined schedule. If your password hasn't been compromised in a reasonable time, it's not going to be compromised. If your system LETS you try trillions of passwords, it's game over whether you change every week or not.

    1. Re:Sigh. by vux984 · · Score: 4, Interesting

      The exponent of the equation (alphabet_size)^(length of password) matters MUCH more than the mantissa.

      Quite so.

      Put another character on the end of an alphanumeric password and you're doing more than selecting even the weirdest of keyboard-typeable symbols.

      Sort of. Except average people aren't choosing random alphanumeric passwords and adding a letter. They are choosing from common dictionary words; usually from lists of 2000 to 60,000 at best.
      puzzle and dynamite are equally good (equally poor) passwords. dynamite isn't length 2 longer than puzzle. Both are length 1 from an alphabet of 2000 common dictionary words.

      And the change-your-password-every-X-days was always junk and just provided a route for social engineering of the password reset process on a pre-determined schedule.

      Not changing your password every X days is also junk and leads to that one time you gave it to your assistant in 2003 because you were home sick still being valid, and he can still log in and check your messages even though you're the VP of operations now and he's working with a competitor.

      If your password hasn't been compromised in a reasonable time, it's not going to be compromised.

      And if it has ever been compromised, then it stays compromised. That's not good either.

      If your system LETS you try trillions of passwords, it's game over whether you change every week or not.

      It does keep your ex-assistant from 10 years ago out of your email though.

    2. Re:Sigh. by 0100010001010011 · · Score: 4, Interesting

      These annoying password rules are what prevent me from just using a hash as my password.

      echo -n $SALT+$USERNAME+$URL | sha256sum makes some great long passwords.

      Good brute force defense. Easy to remember and could be generated by hand if necessary.

      Plus when a site gets hacked or stores passwords plain text my password is useless elsewhere.

    3. Re:Sigh. by Falos · · Score: 3, Interesting

      puzzle and dynamite are equally good (equally poor) passwords. dynamite isn't length 2 longer than puzzle. Both are length 1 from an alphabet of 2000 common dictionary words.

      This. correcthorsebatterystaple is a four-letter password in a bigger alphabet* without mods. Most of which offer little resilience gains for their complexity tax.

      superman is a weak password
      Sup3rm@n is equally weak, fuck your fucking retarded website
      so0p!$erm^an is strong but has too much complexity tax

      More recall tax means it's going to be 1) reused more [the true pox] 2) forgotten more 3) changed less often 4) more likely to be written down, under keyboards, notecard, stickies. Mental recall is only good for N passwords with Z complexity, even less if you have to start all over again at F frequency.

      rrrybgdts is a nursery rhyme. I will always advocate for passphrases. Does your child like spongebob and Bob the Builder? Don't use his birthday; wliapcwfi will never be in the tables. I find this to be the best resilience-complexity tradeoff possible.

      *yes, I know, it's still resilient by being at the fourth power, but it's more abstract than phrases and more complexity tax = more bad practice. Get over the length hype, cracker tables don't give a fuck, no one brute forces past ~6 = wasted fucking lesson.

    4. Re:Sigh. by aberglas · · Score: 2

      Nonsense.

      Most people just put 1! at the end. And start with a capital letter.

      Long passwords are better.

      The reason for the rules, I've always assumed, is that many early systems did not accept more than 8 characters for a password, or silently truncated. I think early Unix did the latter. So long passwords were not possible.

    5. Re:Sigh. by ledow · · Score: 3, Insightful

      STOP PASSWORD SHARING.

      If you need your assistant to see your email, adjust the permissions so he can.

      And remove them when you're done. Or they are automatically removed when he's sacked and the account is disabled.

      Password sharing is the dumbest way to give someone access. And a disciplinary offence in most places because it's counter to the data protection act.

    6. Re:Sigh. by Gunstick · · Score: 2

      make it base64

      echo -n $SALT+$USERNAME+$URL | openssl dgst -sha256 -binary | openssl enc -base64

      upper, lower, numbers, special (the = sign), long

      --
      Atari rules... ermm... ruled.
    7. Re:Sigh. by houghi · · Score: 2

      Passwords and the changes are a technical solution to a social problem.

      The thing is that people treat these password suggestions as if there is only one username and one password. If that were the case, it would be a great idea. The thing is that we all have more than 1 login.

      Just looking at logins, I have several. If I was able to select them myself, they are mostly the same, but then there are the other ones that were given to me. So I need to remember what login or email address I used for what. I once counted and came to 17 different logins.

      Next to that I need to remember around a hundred passwords (I include pin codes as well as phones) and none of them should be the same as any other? Some I might use only once per year (like for my domain name).

      So I do not only have to know 101 phrases, I also have to know what login it belongs to and to what site or door or phone or pin.

      So instead I have made several passwords:
      1) Email. This is the highest security as this is the key to recovery of the rest. I use around 20 characters.
      2) Home system.
      3) Banking
      4) Trusted stores/sites
      5) Not so trusted places
      6) Work

      Next to that I use different logins for different sites in 3 and 4. e.g. slashdot.org@example.com That way I will know if a mail comes from the site or not and I also know what the login is by visiting the site.

      So the issue is not remembering one single password and login combination. The problem is to remember many of them.

      I am sure all people here are able to do it. I am not. And I am one of the people who understands this and thinks about it. The other problem is that many people in IT do not. They just cover their own ass and look at numbers and chance and change of password and in no way factor in the humans and their behavior. By forgetting them they make the security chain as weak as the weakest link, but they get to blame others.

      --
      Don't fight for your country, if your country does not fight for you.
    8. Re:Sigh. by AmiMoJo · · Score: 2

      We focus too much on coming up with strong passwords, when we should really be focusing on what the actual threats to those passwords are.

      For online services the biggest danger is that someone will steal the password database and crack the password hashes, assuming they even are hashed. The best defence is therefore to use a long, random password and keep it in a password manager. It's also fine to let your browser remember it for you, if your computer is reasonably secure.

      Now you only need to remember a couple of really strong passwords for your password manager and your machines. Ideally you can use two factor auth for those things too (Keepass supports this, as does VeraCrypt).

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  4. Obligatory XKCD by jcochran · · Score: 4, Interesting

    Those who require passwords really ought to take a look at it.

    https://xkcd.com/936/

    1. Re:Obligatory XKCD by Biogoly · · Score: 2

      Dictionary based passwords such as correcthorsebatterystaple (chbs) are definitely along the right track...however, XKCD actually gets it wrong here. If you disregard web-based attack and are just talking hash-cracking, chbs is actually a trivially easy password to crack...even with hashes much slower than MD5 (but not bcrypt slow). All four words in chbs are found in the wiki top 10k words lists...so if you utilize a dictionary combination attack and set for four words, it would take a maximum of 10000^4 guesses (10^15) to crack the hash. That sounds like a lot, but a modern cracking rig could exhaust all of those possibilities in as little as half a day depending on the encryption used. Adding uppercase letters would make it significantly more difficult, but even that could be accounted for by adding rules. The most important aspect of a good dictionary based password is source and randomness. For example, if taking four RANDOM words from the OED with something like 170k total words, it would take 8.35 x 10^20 guesses...which would take the equivalent cracking rig over 120 years. If it's five words you are talking millions of years. So just because you have a long password that contains multiple words doesn't mean you're any better off...it has to be random and come from a sufficiently large source.

  5. Crock of Sh*#! by s.petry · · Score: 2

    This egomaniac isn't responsible, password rules meeting or exceeding his claim go back at least two decades for Commercial companies, and longer for "Government" (especially DOD). I have a policy from 1995 that I wrote for the company I worked for at the time.

    Password enforcement was a constant problem 20-30 years ago, but we all had policies.

    The short duration of a password was not some arbitrary number based on "mah ego", it was based on a majority of systems which could not handle a password longer than 8 characters.

    I didn't invent the password policy, but by this claim I sure as hell could.

    Oh, and password policies are as important today as they were back then. Go ahead and claim your fingerprints are fool proof!

    --

    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

  6. Not clearly stating password requirements UP FRONT by Traf-O-Data-Hater · · Score: 5, Insightful

    My pet annoyance is those sites that do not clearly state what their particular requirement is, up front. So it only tells you after you've entered something you think may be acceptable, and you've then lost that train of thought and are forced to figure out something new.

  7. Re:1 letter change by 93+Escort+Wagon · · Score: 3, Funny

    Here is your current password: Pzssw0rd1

    (Don't worry - while you'll see your password in plain text there, all the other Slashdotters will see a string of asterisks like this: *********)

    --
    #DeleteChrome
  8. This is not news to many sysadmins by chispito · · Score: 2

    This is not news to many sysadmins. Some of our managers even get it as well.

    None of that matters in the face of regulatory compliance.

    --
    The Daddy casts sleep on the Baby. The Baby resists!
  9. Re:Not clearly stating password requirements UP FR by GodfatherofSoul · · Score: 2

    I'm more annoyed when sites require passwords that aren't in line with the kind of data they're holding. I don't want to have to remember a banking-safe password when I'm trying to log into a fart jokes website.

    --
    I swear to God...I swear to God! That is NOT how you treat your human!
  10. Bill Burr... by zm · · Score: 2

    ...also suggested using cruise ships for population control.

    --
    Sig ?
  11. Finally by markdavis · · Score: 2

    I have had to fight our auditors every year for decades about stupid password ageing rules. I refused to implement them and said it would LOWER security while simultaneously pissing off users and lowering productivity. Each year I added more references to articles from people who agreed with me, just in case.

    Maybe now they will finally believe me?

  12. Reject new PW if too similar? by WoodstockJeff · · Score: 5, Interesting

    5 years ago, our client insisted that we implement this sort of mischief on one site, with a 30-day change rule. One of the requirements was to check that the new password was not previously used or too similar to a previously-used PW.

    "How does that work when you also tell us we cannot save the PW in plain text?"

    To their credit, they admitted that it wasn't possible to comply with all the rules. But they have not yet relented on the 30 day change rule.

    Which bit them big time during one of their security sweeps - the PW for the scanner's account "expired" part way through the testing. The subsequent lock-out for excessive failed login attempts was then interpreted as "server becomes unresponsive if excessive characters are injected at login." (we'll accept up to 32MB for passwords)

    1. Re:Reject new PW if too similar? by F.Ultra · · Score: 5, Funny

      So they never saw any problems with "check that the new password was not previously used or too similar to a previously-used PW" besides the non plain text storage? The best solution would of course be to go one step further:

      "You have entered the password "sdfsdfwefjsfj", unfortunately this is already used by user "charlie23" so please choose a different one".

    2. Re:Reject new PW if too similar? by flink · · Score: 4, Interesting

      Couldn't you just encrypt the plain text password history using a key derived from the current password? Then when attempting to change the password, you use the old password to decrypt the list and compare the desired new password to the history file using whatever likeness algorithm you like. If the new password turns out to be acceptable, re-encrypt the history using a new PBK based on the new password.
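flink's scheme above, implemented as an added example that is not code from the thread or from any product: the history is encrypted under keys derived from the current password, so a change must present the old password before the likeness check can run, and the history is then re-encrypted under the new one. Assumptions: PBKDF2-HMAC-SHA256 as the derivation, HMAC-SHA256 in counter mode as the cipher because the Python standard library has no AES, difflib's similarity ratio as the likeness algorithm, and assumed work-factor and history-length values.

```python
import hashlib, hmac, json, os
from difflib import SequenceMatcher

ITERATIONS = 100_000   # PBKDF2 work factor (assumed value; tune per deployment)
HISTORY_LEN = 5        # previous passwords to keep, the count mentioned in the thread

def derive_keys(password: str, salt: bytes) -> dict:
    """One slow PBKDF2 pass, then split the result into three independent keys:
    a stored verifier, an encryption key and a MAC key for the history blob."""
    master = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    def sub(label: bytes) -> bytes:
        return hmac.new(master, label, hashlib.sha256).digest()
    return {"verify": sub(b"verify"), "enc": sub(b"enc"), "mac": sub(b"mac")}

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode stands in for a real cipher (the stdlib has
    # no AES); with AES-GCM the surrounding scheme is identical.
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def seal(keys: dict, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    stream = _keystream(keys["enc"], nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(keys["mac"], nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(keys: dict, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(keys["mac"], nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("history blob corrupt, or wrong password")
    stream = _keystream(keys["enc"], nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))

def too_similar(new: str, old: str, threshold: float = 0.8) -> bool:
    """Likeness test; catches the Pa55word!1 -> Pa55word!2 change from the summary."""
    return SequenceMatcher(None, new.lower(), old.lower()).ratio() >= threshold

def create_record(password: str) -> dict:
    """Stored record: salt, verifier and the (initially empty) encrypted history."""
    salt = os.urandom(16)
    keys = derive_keys(password, salt)
    return {"salt": salt, "verifier": keys["verify"],
            "history": seal(keys, json.dumps([]).encode())}

def read_history(record: dict, password: str) -> list:
    """Decrypts the history; only possible with the current password."""
    keys = derive_keys(password, record["salt"])
    return json.loads(unseal(keys, record["history"]))

def change_password(record: dict, current: str, new: str) -> dict:
    """Verify `current`, decrypt the history with it, reject `new` if it matches
    or resembles any earlier password, then re-encrypt the history under `new`."""
    keys = derive_keys(current, record["salt"])
    if not hmac.compare_digest(keys["verify"], record["verifier"]):
        raise ValueError("current password incorrect")
    history = json.loads(unseal(keys, record["history"]))
    for past in [current] + history:
        if too_similar(new, past):
            raise ValueError("new password is too similar to a previous one")
    new_history = ([current] + history)[:HISTORY_LEN]
    new_salt = os.urandom(16)
    new_keys = derive_keys(new, new_salt)
    return {"salt": new_salt, "verifier": new_keys["verify"],
            "history": seal(new_keys, json.dumps(new_history).encode())}
```

The caveat a reviewer would raise: whoever recovers the current password, for instance by cracking the verifier offline after a database theft, also recovers every earlier password in the history, so the list should stay short and the requirement is not free of cost.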

    3. Re:Reject new PW if too similar? by Anonymous Coward · · Score: 2, Funny

      So it's easy! You must change password every 30 days, and to do so, you must type your previous 19 passwords.

  13. measuring policy complexity by roc97007 · · Score: 4, Insightful

    I strongly suspect that one way to measure how onerous the password policy is in a particular environment is to go through the office flipping up keyboards. The metric would be as a percentage of yellow stickies with passwords stuck underneath. You could weight the metric by the size of the penalty for writing down your password.

    --
    Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
  14. Re:Not clearly stating password requirements UP FR by F.Ultra · · Score: 2

    Or sites that accept an unlimited length in the setup but silently truncate to some arbitrary length, and then on the login page accept an unlimited length again but this time compare your entered password with the truncated one, so you get a mismatch even with copy+paste. Have stumbled on a few of those.

  15. Re:P055word!1 by kwbauer · · Score: 2

    Which means that your work system is storing your password in a recoverable form, which is an even worse situation than having meaningless complex rules about what a password can look like.

  16. Bill Burr? by blind+biker · · Score: 2

    His password policies suck. No wonder he changed careers.

    --
    "The agriculture ministry is not in charge of Gundam" - Japanese ministry official.
  17. Re:Not clearly stating password requirements UP FR by Green+Salad · · Score: 2

    Those of us interested in tracking every detail of your single-purchase behaviors...then selling that info to another entity...strongly disagree that there isn't a need to force you to voluntarily register and create an account. Despite your tone indicating that you disagree with this practice, our records clearly show you clicked "I agree."

  18. Re:Not clearly stating password requirements UP FR by El+Cubano · · Score: 2

    Yet more annoying is sites that prevent you from Control-V paste or middle-click paste. Come on! I want to be able to generate a 32 or 64 character gobbledygook password in KeePass and just paste it in there.

    Some sites screw it up and prevent either Control-V or middle-click, but not both. But those are rare. Seriously, web developers, it doesn't help anybody to prevent pasting into a password field.

    The worst was one financial-related site that I had to use that not only did not allow you paste into the password field, it would not even let you type into the password field. It would present an on-screen keyboard (using JavaScript) with the letters and numbers all scrambled around. Take about practically forcing people to write down their passwords. (To me a decent password is one that I can only enter by muscle memory; as in, I could not actually tell you the password itself even if my life depended on it).