Slashdot Mirror

← Back to Stories (view on slashdot.org)

The Man Who Wrote the Password Rules Regrets Doing So (gizmodo.com)

Posted by BeauHD on from the regretful-thinking dept.

New submitter cdreimer writes: According to a report in The Wall Street Journal (Warning: source may be paywalled, alternative source), the author behind the U.S. government's password requirements regrets wasting our time on changing passwords so often. From the report: "The man who wrote the book on password management has a confession to make: He blew it. Back in 2003, as a midlevel manager at the National Institute of Standards and Technology, Bill Burr was the author of 'NIST Special Publication 800-63. Appendix A.' The 8-page primer advised people to protect their accounts by inventing awkward new words rife with obscure characters, capital letters and numbers -- and to change them regularly. The document became a sort of Hammurabi Code of passwords, the go-to guide for federal agencies, universities and large companies looking for a set of password-setting rules to follow. The problem is the advice ended up largely incorrect, Mr. Burr says. Change your password every 90 days? Most people make minor changes that are easy to guess, he laments. Changing Pa55word!1 to Pa55word!2 doesn't keep the hackers at bay. Also off the mark: demanding a letter, number, uppercase letter and special character such as an exclamation point or question mark -- a finger-twisting requirement." "Much of what I did I now regret," Bill Burr told The Wall Street Journal. "In the end, [the list of guidelines] was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree."

20 of 239 comments (clear)

  1. Cool of him. by captaindomon · · Score: 5, Insightful

    I have to say that's really cool of him to come out and say that. Awesome for somebody to be able to admit they are wrong, as we are all wrong at different times. Way to go!

    --
    Just because I can hook a shark from a boat, I do no offer to wrestle it in the water.
    1. Re: Cool of him. by Anonymous Coward · · Score: 5, Insightful

      "I was wrong" is one of the most powerful things you can say. Many find it very difficult, but it becomes easier with practice. The people who would have the largest positive impact on the world by saying this are politicians, but sadly they are also among the least likely to be able to say it.

    2. Re: Cool of him. by JohnFen · · Score: 5, Insightful

      Oh, hell, I'm wrong several times every day. Just like nearly 100% of the human population. I do often marvel, though, at how rare it is to hear someone face up to it.

      Finding out that you're wrong is a moment to celebrate, not something to be embarrassed by. It marks a moment when you've become just a little less ignorant about something.

      As the old saying goes, I've never learned anything from being right.

    3. Re:Cool of him. by ozduo · · Score: 4, Funny

      I thought I was wrong once, but then I realised I was mistaken.

      --
      I got to the chocolate box before you, that's why the hard ones have teeth marks.
    4. Re:Cool of him. by 93+Escort+Wagon · · Score: 4, Insightful

      The real problem is that, in 2017, so many web sites and institutions are still forcing users to comply with the exact same set of 2003-era rules.

      --
      #DeleteChrome
    5. Re: Cool of him. by ShanghaiBill · · Score: 5, Interesting

      In America, if you admit to making a mistake, your statement may be used against you in a lawsuit. It is best to consult with an attorney before making any admission.

  2. At least he can admit it by Anonymous Coward · · Score: 3, Interesting

    My university recently instituted this retarded system that we have to change every 90 days.
    And they remember the last 5 or so hashes (one can only hope they don't remember the actual password), so you can't even switch back and forth.
    Absolute bullshit.
    I remember my dad just changed his every month and he just had MMYY at the end of every password.

    1. Re:At least he can admit it by zippthorne · · Score: 4, Informative

      Exactly. It's not difficult to get passwords wrong, even Bruce Schneier is wrong about passwords - see his criticism of the XKCD method:

      --
      Can you be Even More Awesome?!
  3. Sigh. by ledow · · Score: 5, Interesting

    LONG PASSWORDS.

    The exponent of the equation (alphabet_size)^(length of password) matters MUCH more than the mantissa.

    Put another character on the end of an alphanumeric password and you're doing more than selecting even the weirdest of keyboard-typeable symbols.

    And the change-your-password-every-X-days was always junk and just provide a route for social engineering of the password reset process on a pre-determined schedule. If your password hasn't been compromised in a reasonable time, it's not going to be compromised. If your system LETS you try trillions of passwords, it's game over whether you change every week or not.

    1. Re:Sigh. by vux984 · · Score: 4, Interesting

      The exponent of the equation (alphabet_size)^(length of password) matters MUCH more than the mantissa.

      Quite so.

      Put another character on the end of an alphanumeric password and you're doing more than selecting even the weirdest of keyboard-typeable symbols.

      Sort of. Except averagte people aren't choosing random alphanuemeric passwords and adding a letter. They are choosing from common dictionary words; usually from lists of 2000 to 60,000 at best.
      puzzle and dynamite are equally good (equally poor) passwords. dynamite isn't length 2 longer than puzzle. Both are length 1 from an alphabet of 2000 common dictionary words.

      And the change-your-password-every-X-days was always junk and just provide a route for social engineering of the password reset process on a pre-determined schedule.

      Not changing your password every X days is also junk and leads to that one time you gave it to your assistant in 2003 because you were home sick still being valid and he still can login and check your messages even though your the VP of operations now and he's working with a competitor.

      If your password hasn't been compromised in a reasonable time, it's not going to be compromised.

      And if it has ever been compromised, then it stays compromised. That's not good either.

      , it's game over whether you change every week or not.

      It does keep your ex-assistant from 10 years ago out of your email though.

    2. Re:Sigh. by 0100010001010011 · · Score: 4, Interesting

      These annoying password rules are what prevent me from just using a hash as my password.

      echo -n $SALT+$USERNAME+$URL | sha256sum makes some great long passwords.

      Good brute force defense. Easy to remember and could be generated by hand if necessary.

      Plus when a site gets hacked or stores passwords plain text my password is useless elsewhere.

    3. Re:Sigh. by Falos · · Score: 3, Interesting

      puzzle and dynamite are equally good (equally poor) passwords. dynamite isn't length 2 longer than puzzle. Both are length 1 from an alphabet of 2000 common dictionary words.

      This. correcthorsebatterystaple is a four-letter password in a bigger alphabet* without mods. Most of which offer little resilience gains for their complexity tax.

      superman is a weak password
      Sup3rm@n is equally weak, fuck your fucking retarded website
      so0p!$erm^an is strong but has too much complexity tax

      More recall tax means its going to be 1) reused more [the true pox] 2) forgotten more 2) changed less often 4) more likely to be written down, under keyboards, notecard, stickies. Mental recall is only good for N passwords with Z complexity, even less if you have to start all over again at F frequency.

      rrrybgdts is a nursery rhyme. I will always advocate for passphrases. Does your child like spongebob and Bob the Builder? Don't use his birthday; wliapcwfi will never be in the tables. I find this to be the best resilience-complexity tradeoff possible.

      *yes, I know, it's still resilient by being at the fourth power, but it's more abstract than phrases and more complexity tax = more bad practice. Get over the length hype, cracker tables don't give a fuck, no one brute forces past ~6 = wasted fucking lesson.

    4. Re:Sigh. by ledow · · Score: 3, Insightful

      STOP PASSWORD SHARING.

      If you need your assistant to see your email, adjust the permissions so he can.

      And remove them when you're done. Or they are automatically removed when he's sacked and the account is disabled.

      Password sharing is the dumbest way to give someone access. And a disciplinary offence in most places because it's counter to the data protection act.

  4. Obligatory XKCD by jcochran · · Score: 4, Interesting

    Those who require passwords really ought to take a look at it.

    https://xkcd.com/936/

  5. Not clearly stating password requirements UP FRONT by Traf-O-Data-Hater · · Score: 5, Insightful

    My pet annoyance are those sites that do not clearly state what their particular requirement is, clearly, up front. So it only tells you after you've entered something you think may be acceptable, and you've then lost that train of thought and are forced to figure out something new.

  6. Re:1 letter change by 93+Escort+Wagon · · Score: 3, Funny

    Here is your current password: Pzssw0rd1

    (Don't worry - while you'll see your password in plain text there, all the other Slashdotters will see a string of asterisks like this: *********)

    --
    #DeleteChrome
  7. Reject new PW if too similar? by WoodstockJeff · · Score: 5, Interesting

    5 years ago, our client insisted that we implement this sort of mischief on one site, with a 30-day change rule. One of the requirements was to check that the new password was not previously used or too similar to a previously-used PW.

    "How does that work when you also tell us we cannot save the PW in plain text?"

    To their credit, they admitted that it wasn't possible to comply with all the rules. But they have not yet relented on the 30 day change rule.

    Which bit them big time during one of their security sweeps - the PW for the scanner's account "expired" part way through the testing. The subsequent lock-out for excessive failed login attempts was then interpreted as "server becomes unresponsive if excessive characters are injected at login." (we'll accept up to 32MB for passwords)

    1. Re:Reject new PW if too similar? by F.Ultra · · Score: 5, Funny

      So they never saw any problems with "check that the new password was not previously used or too similar to a previously-used PW" besides the non plain text storage? Best solution would of course to go one step further:

      "You have entered the password "sdfsdfwefjsfj", unfortunately this is already used by user "charlie23" so please choose a different one".

    2. Re:Reject new PW if too similar? by flink · · Score: 4, Interesting

      Couldn't you just encrypt the plain text password history using a key derived from the current password? Then when attempting to change the password, you use the old password to decrypt the list and compare the desired new password to the history file using whatever likeness algorithm you like. If the new password turns out to be acceptable, re-encrypt the history using a new PBK based on the new password.

  8. measuring policy complexity by roc97007 · · Score: 4, Insightful

    I strongly suspect that one way to measure how onerous the password policy is in a particular environment is to go through the office flipping up keyboards. The metric would be as a percentage of yellow stickies with passwords stuck underneath. You could weight the metric by the size of the penalty for writing down your password.

    --
    Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.