Technology

Oops: Those P@$sw0rd Rules Were All Wrong

By Virge Thursday, August 17, 2017 4 Comments Share This:

If creating and remembering passwords has become increasingly annoying (and difficult), Bill Burr would like to apologize.

Burr was the person who proposed that passwords have at least eight capital and lower case letters, numbers and special characters back in 2003, when he was a manager at the National Institute of Standards and Technology. Websites fell in line, requiring you to dive into password hell coming up with impossible to recall character stews—which, by the way, you were supposed to change at least every 90 days and not keep on a Post It.

In the 15 years since, the need for passwords, each one different and all of them complex, has grown like kudzu across cyberspace. Almost anything you want to do online—get email, join a group, look for work, bank, shop—requires you to come up with some new combination of numbers, letters and symbols. And then remember them all.

Burr waited until he retired at age 72 to say “Whoops, My bad,” telling the Wall Street Journal last week that he regretted both the recommendation for passwords to use a combination of numbers, capital and small letters, and special characters, as well as the advice to change passwords frequently.

Those complex passwords, it turns out, are easier to crack than simpler ones.

As the popular comic below shows, hacking software can easily decode an eight-character-long combination of letters, numbers and symbols like “Tr0ub4dor&3” in about three days, but a long sequence of random words known only to you, such as “correct horse battery staple,” would take 550 years.

password-comic

A longer string has more ‘bits of entropy,” meaning more possible combinations that take more time to crack.

And 8-character word isn’t just shorter; it’s also fairly predictable because most people, in an attempt to stay above water, will use the @ sign for “a,” a zero for “o”and an exclamation point for “i.”

“It just drives people bananas and they don’t pick good passwords no matter what you do,” Burr told the Wall Street Journal.

New National Institute of Standards and Technology were published in June. They recommend a random phrase of at least four words that make no sense together. Probably best not to use “correct horse battery staple”—or “password password password password.”

“Much of what I did I now regret,” Burr said.

You bet!

Drawing: XKCD, CC 2.5

COMMENTS

4 responses to “Oops: Those P@$sw0rd Rules Were All Wrong”

~ Nona:

Saturday, August 18, 2018 at 11:34am

A line of poetry — a favorite obscure poem, especially — is easy to remember. However, I’m finding that sites demand following all those $%#%$# password “rules”.

Maddening.

Reply to ~ Nona
Patrick Mac Kinnon:

Friday, March 9, 2018 at 2:24pm

A password is not me. When passwords originated, that is ‘halt, who goes there?’ It didn’t have to
offer your name. Just a word which had been given it by a group member, but not by yourself. Anyone answering in
those days didn’t place all of his worldly goods in peril from theft. How do people like Burr get
into positions where they don’t see the difference and cause, and continue to cause, all of this
grief which is fiercely defended by his converts?

There is are only a few that merit the protection of true secrecy and require no lists be kept.
First is your DNA, then fingerprints and also iris patterns. Of course anyone who has access to a
national; database and is that interested can in theory ferret it out. But such searches can themselves
be traced back to the evil one unlike current ‘passwords’.

Reply to Patrick Mac Kinnon
Lucille Porter:

Friday, August 25, 2017 at 6:18pm

Some sites demand a format, e.g. eight characters with at least one upper case and one symbol.

Reply to Lucille Porter
Rob:

Tuesday, August 22, 2017 at 2:39pm

Wow, a revelation. I have an IT degree, but I bowed the knee to the experts while wondering how does capitalizing the first letter make my password so much more secure? Or breaking up a word with punctuation? Some, but not much. It stops a quick “dictionary” lookup. But now I remember 15 years ago trying to get into an old zip file I created with a password. I downloaded a freeware app to crack it. But the freeware version would only crack a password up to 5 characters long. You had to pay to get more than that. So it seems the most important factor is length. So I should abandon my “street name plus birth year” passwords or “abc123…” and go with “DontSitUndertheAppleTreeWithAnyoneElseButMe” Lol. Or scratch that… the thieves will come up with a favorite song lyrics database to crack those. How about “ISawtheEclipseYesterdayNowIHaveaBlindspot?”

Reply to Rob