Password "rules" creator says he was mistaken


Bill Burr was a manager at the National Institute of Standards and Technology (NIST) in 2003 when he wrote a guide on how to create passwords that would be more secure than the average one. Mr Burr, now 72 and retired, said: "Much of what I did I now regret." Burr recommended the numbers-letters-special-character combination in an eight-page document titled "NIST Special Publication 800-63". As it turns out, one of the authors of a document that has shaped password policy for years now says the rules he laid down are no longer valid.

For example, a password like "Pa55word!" satisfies Burr's rules (mixed case, digits, a symbol) but is very weak: it is a predictable variant of a dictionary word, exactly the kind of tweak a cracking tool tries first.

Burr's original guidelines were published almost 15 years ago, when he worked at the National Institute of Standards and Technology.

Under the new guidance (the 2017 revision, NIST Special Publication 800-63B), verifiers that accept a newly created password are advised to check it against a blocklist: passwords exposed in previous breaches, dictionary words, repetitive or sequential characters (such as "aaaa" or "1234"), and strings containing the name of the user or the service. NIST now recommends long but easy-to-remember passphrases, changed only when there is evidence that the password may have been stolen or the account compromised. Forced periodic changes, by contrast, tend to result in users making trivial modifications to their existing password, such as changing "1ns$ecure1" to "1ns$ecure2".
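As an added example (not code from NIST or from the article), here is a verifier-side screen in Python that implements the checks listed above: breach corpus, dictionary words, repetitive or sequential runs, and user or service name. The breach corpus, word list, username "alice" and service "examplecorp" are tiny constructed stand-ins; a real deployment would load a full breached-password set and word list. It also adds one check the text motivates but NIST does not mandate: rejecting a new password that is only a trivial variant of the previous one, by undoing the case, suffix and letter-for-symbol tweaks that cracking rules undo in bulk.

```python
"""Verifier-side screening of a newly chosen password, after the checks in
NIST's revised guidance (added example; not NIST's or the article's code).
Breach corpus and dictionary are tiny constructed stand-ins for the real
lists a deployment would load."""
import re
from typing import Optional

# Constructed sample data. Production systems load a breached-password
# corpus (hundreds of millions of entries) and a full word list instead.
BREACHED_PASSWORDS = {"password", "123456", "qwerty", "pa55word!", "letmein", "1ns$ecure1"}
DICTIONARY_WORDS = {"password", "dragon", "monkey", "football", "welcome"}
MIN_LENGTH = 8

# Undo the tweaks that cracking rule sets apply in bulk: case, a trailing
# digit/symbol suffix, and the usual letter-for-symbol substitutions.
_LEET = str.maketrans("0134$5@!", "oieassai")


def canonical_form(password: str) -> str:
    """'Pa55word!' -> 'password', '1ns$ecure2' -> 'inssecure'."""
    stripped = re.sub(r"[^a-z]+$", "", password.lower())
    return stripped.translate(_LEET)


def has_repeated_run(s: str, run_len: int = 4) -> bool:
    """Same character run_len or more times in a row, e.g. 'aaaa' or '1111'."""
    return re.search(r"(.)\1{%d,}" % (run_len - 1), s) is not None


def has_sequential_run(s: str, run_len: int = 4) -> bool:
    """run_len consecutive characters that step by +1 or -1 in code point,
    e.g. 'abcd' or '4321' (case-insensitive)."""
    lower = s.lower()
    for i in range(len(lower) - run_len + 1):
        window = lower[i:i + run_len]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def contains_dictionary_word(password: str, min_word_len: int = 4) -> bool:
    """Dictionary word present either literally or once leetspeak is undone."""
    forms = (password.lower(), canonical_form(password))
    return any(len(w) >= min_word_len and w in f for w in DICTIONARY_WORDS for f in forms)


def screen_password(password: str, username: str, service: str,
                    previous: str = "") -> Optional[str]:
    """Return None if the password is acceptable, otherwise the rejection reason.
    `previous` (the old password, supplied by the user at change time) is optional;
    the trivial-variant check is this example's addition, not a NIST requirement."""
    lower = password.lower()
    if len(password) < MIN_LENGTH:
        return "too short"
    if lower in BREACHED_PASSWORDS:
        return "found in breach corpus"
    if previous and canonical_form(password) == canonical_form(previous):
        return "trivial variant of previous password"
    if contains_dictionary_word(password):
        return "contains dictionary word"
    if has_repeated_run(password) or has_sequential_run(password):
        return "repetitive or sequential characters"
    for token in (username, service):
        if token and token.lower() in lower:
            return "contains user or service name"
    return None


if __name__ == "__main__":
    for candidate, old in [("Pa55word!", ""), ("1ns$ecure2", "1ns$ecure1"),
                           ("abcd1234xyz", ""), ("correct horse battery staple", "")]:
        verdict = screen_password(candidate, "alice", "examplecorp", old)
        print(f"{candidate!r}: {verdict or 'accepted'}")
```

Note that "1ns$ecure2" passes every blocklist check on its own and is only caught when the previous password is available for comparison, which is exactly why the revised guidance drops forced rotation rather than trying to police the resulting tweaks. For the breach corpus, a practitioner would normally use a downloaded copy of a breached-password set, or query one through a range (k-anonymity) lookup so the candidate password never leaves the verifier.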

Burr wanted to base his guidelines on real-world data, but little data was available at the time.

Coming up with a new password is probably one of the most mundane and annoying things a person has to do in everyday life. And changing passwords every 90 days didn't help much either, especially when the change was only a slight one, the WSJ said.

In order to authenticate yourself to most systems, you are required to enter a password.

Bill Burr was working for the US government when he came up with the guidelines in 2003. "The rules make it harder for you to remember what your password is," she said.

An xkcd comic by Randall Munroe from August 2011 makes the same point: by the cartoonist's calculation, guessing the password "Tr0ub4dor&3" would take about three days at 1,000 guesses per second, while the four-word phrase "correct horse battery staple" would take a staggering 550 years at the same rate. Attackers are not fooled by the subtle tweaks: cracking tools have them built in as mangling rules, so substituting a digit for a letter in the middle of a word, capitalising the first letter, or appending a number and a symbol adds far less strength than it appears to.