The Man Who Wrote Those Password Rules Has a New Tip: N3v$r M1^d!
SIGforum.com, The Lounge
Rey HRH (His Royal Hiney) posted:
Link to Article

Bill Burr’s 2003 report recommended using numbers, obscure characters and capital letters and updating regularly—he regrets the error

The man who wrote the book on password management has a confession to make: He blew it.

The document became a sort of Hammurabi Code of passwords, the go-to guide for federal agencies, universities and large companies looking for a set of password-setting rules to follow.

The problem is the advice ended up largely incorrect, Mr. Burr says. Change your password every 90 days? Most people make minor changes that are easy to guess, he laments. Changing Pa55word!1 to Pa55word!2 doesn’t keep the hackers at bay.

Also off the mark: demanding a letter, number, uppercase letter and special character such as an exclamation point or question mark—a finger-twisting requirement.

“Much of what I did I now regret,” said Mr. Burr, 72 years old, who is now retired.

In June, Special Publication 800-63 got a thorough rewrite, jettisoning the worst of these password commandments. Paul Grassi, an NIST standards-and-technology adviser who led the two-year-long do-over, said the group thought at the outset the document would require only a light edit.

“We ended up starting from scratch,” Mr. Grassi said.

The new guidelines, which are already filtering through to the wider world, drop the password-expiration advice and the requirement for special characters, Mr. Grassi said. Those rules did little for security—they “actually had a negative impact on usability,” he said.

Long, easy-to-remember phrases now get the nod over crazy characters, and users should be forced to change passwords only if there is a sign they may have been stolen, says NIST, the federal agency that helps set industrial standards in the U.S.

Amy LaMere had long suspected she was wasting her time with the hour a month it takes to keep track of the hundreds of passwords she has to juggle for her job as a client-resources manager with a trade-show-display company in Minneapolis. “The rules make it harder for you to remember what your password is,” she said. “Then you have to reset it and it just makes it take longer.”

When informed that password advice is changing, however, she wasn’t outraged. Instead, she said it just made her feel better. “I’m right,” she said of the previous rules. “It just doesn’t make sense.”

Academics who have studied passwords say using a series of four words can be harder for hackers to crack than a shorter hodgepodge of strange characters—since having a large number of letters makes things harder than a smaller number of letters, characters and numbers.

In a widely circulated piece, cartoonist Randall Munroe calculated it would take 550 years to crack the password “correct horse battery staple,” all written as one word. The password Tr0ub4dor&3—a typical example of a password using Mr. Burr’s old rules—could be cracked in three days, according to Mr. Munroe’s calculations, which have been verified by computer-security specialists.

Mr. Burr, who once programmed Army mainframe computers during the Vietnam War, had wanted to base his advice on real-world password data. But back in 2003, there just wasn’t much to find, and he said he was under pressure to publish guidance quickly.

He asked the computer administrators at NIST if they would let him have a look at the actual passwords on their network. They refused to share them, he said, citing privacy concerns.
“They were appalled I even asked,” Mr. Burr said.

With no empirical data on computer-password security to be found, Mr. Burr leaned heavily on a white paper written in the mid-1980s—long before consumers bought DVDs and cat food online.
The published guidelines were the best he could do.

“In the end, it was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree,” said Mr. Burr.

Nevertheless, NIST’s password advice became widely influential, not just within the federal government but on corporate networks, websites and mobile devices.

Collectively, humans spend the equivalent of more than 1,300 years each day typing passwords, according to Cormac Herley, a principal researcher at Microsoft Corp. His company once followed the Burr code for passwords, but no more.

The biggest argument against Mr. Burr’s prescriptions: they haven’t worked well. “It just drives people bananas and they don’t pick good passwords no matter what you do,” Mr. Burr said.

The past decade has seen a data-breach boom. Hackers have stolen and posted online hundreds of millions of passwords from companies such as MySpace, LinkedIn and Gawker Media.

Those postings have given researchers the data they need to take a hard look at how people’s passwords fare against the tools hackers used to break them. Their conclusion? While we may think our passwords are clever, they aren’t. We tend to gravitate toward the same old combinations over and over.

Back in 2003, Mr. Burr didn’t have the data to understand this phenomenon. Today, it is obvious to people like Lorrie Faith Cranor. After years of studying terrible concoctions, she put 500 of the most commonly used passwords on a blue and purple shift dress she made and wore to a 2015 White House cybersecurity summit at Stanford University.

Adorned with the world’s most common passwords—princess, monkey, iloveyou and others that are unprintable here—the dress has prompted careful study, and embarrassment.

“I’ve had people look at it and they’re like, ‘Oh, I’d better go change my passwords,’ ” said Ms. Cranor, a professor at Carnegie Mellon University.

The NIST rules were supposed to give us randomness. Instead they spawned a generation of widely used and goofy looking passwords such as Pa$$w0rd or Monkey1! “It’s not really random if you and 10,000 other people are doing it,” said Mr. Herley, the Microsoft researcher.

Mr. Grassi, who rewrote NIST’s new password guidelines, thinks his former colleague Mr. Burr is being a little bit hard on himself over his 2003 advice.

“He wrote a security document that held up for 10 to 15 years,” Mr. Grassi said. “I only hope to be able to have a document hold up that long.”

Write to Robert McMillan at Robert.Mcmillan@wsj.com



"It did not really matter what we expected from life, but rather what life expected from us. We needed to stop asking about the meaning of life, and instead to think of ourselves as those who were being questioned by life – daily and hourly. Our answer must consist not in talk and meditation, but in right action and in right conduct. Life ultimately means taking the responsibility to find the right answer to its problems and to fulfill the tasks which it constantly sets for each individual." Viktor Frankl, Man's Search for Meaning, 1946.
 
Posts: 19663 | Location: The Free State of Arizona - Ditat Deus | Registered: March 24, 2011
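The two policies the article contrasts, written out as code. This is an added example, not anything from the WSJ piece or from NIST: the blocklist is a constructed handful of the common passwords the article names, and the normalisation step (undoing the 0/o, 4/a, 5/s, $/s substitutions and stripping the bolted-on "!1" suffix before the lookup) is my own addition so that the passwords the article mocks are actually caught. The checks follow what the rewritten SP 800-63B asks for: an 8-character minimum, at least 64 characters accepted, no composition rules, comparison against a list of commonly used or breached values, and no periodic expiry.

```python
import re
import unicodedata

# Constructed blocklist: a few of the most common passwords the article
# names (princess, monkey, iloveyou) plus other well-known entries. A real
# deployment loads a breached-password corpus of hundreds of millions of
# entries here instead.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "princess", "monkey", "iloveyou",
    "letmein", "football", "welcome", "abc123",
}

# Reverse map for the substitutions the article's examples lean on
# (Pa$$w0rd, Pa55word). Applied before the blocklist lookup so that
# leet-speak does not evade it. Which substitutions to undo is my choice.
UNLEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                        "7": "t", "$": "s", "@": "a", "!": "i"})


def passes_2003_rules(pw: str) -> bool:
    """The composition policy the article describes: at least 8 characters
    with a lowercase letter, an uppercase letter, a digit and a special
    character. It says nothing about whether the value is common."""
    return (len(pw) >= 8
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def _normalise(pw: str) -> str:
    """Collapse 'Monkey1!' to 'monkey' and 'Pa$$w0rd' to 'password':
    lower-case, drop the trailing digits/punctuation that composition rules
    and 90-day rotations train people to append, then undo substitutions."""
    core = pw.lower()
    core = re.sub(r"[^a-z]+$", "", core)   # '!1', '!2', '&3', '123' ...
    core = core.translate(UNLEET)
    return core.replace(" ", "")


def check_2017_rules(pw: str, blocklist=COMMON_PASSWORDS):
    """Checks in the spirit of the rewritten SP 800-63B: an 8-character
    floor, at least 64 accepted, spaces and Unicode allowed, no composition
    rules, rejection of commonly used or breached values. Returns
    (accepted, reason). Nothing here expires a password; under the new
    guidance it changes only on evidence of compromise."""
    pw = unicodedata.normalize("NFKC", pw)   # stable comparison of Unicode input
    if len(pw) < 8:
        return False, "shorter than 8 characters"
    if len(pw) > 64:
        return False, "longer than 64 characters"
    if pw.lower() in blocklist or _normalise(pw) in blocklist:
        return False, "commonly used password (with or without substitutions)"
    if len(set(pw)) == 1:
        return False, "single repeated character"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("Pa55word!1", "Pa55word!2", "Pa$$w0rd", "Monkey1!",
                      "Tr0ub4dor&3", "correct horse battery staple"):
        print(f"{candidate!r:34} 2003: {passes_2003_rules(candidate)!s:5} "
              f"2017: {check_2017_rules(candidate)}")
```

Note what each policy gets wrong: the 2003 rules wave through Pa55word!2 and Monkey1! and reject the four-word passphrase, while the 2017-style check does the reverse. Tr0ub4dor&3 is accepted by the new check, because the new guidance judges a password by whether it is known and common, not by its pattern; the lockout and stretching on the server side are what protect an uncommon but short password.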
Skins2881 (Ammoholic) posted:
Why does he regret it for those w/o WSJ subscriptions?



Jesse

Sic Semper Tyrannis
 
Posts: 20822 | Location: Loudoun County, Virginia | Registered: December 27, 2014
Rey HRH (His Royal Hiney) posted:
quote:
Originally posted by Skins2881:
Why does he regret it for those w/o WSJ subscriptions?


Fixed. On my iPhone I have access to the full WSJ article but on my computer I do not.

So I had to copy / paste on my iPhone to my cloud notebook. Then on my computer, copy/paste from the notebook to the forum. Then add paragraph breaks.



 
Posts: 19663 | Location: The Free State of Arizona - Ditat Deus | Registered: March 24, 2011
comet24 (Just for the hell of it) posted:
Nothing in that article is new. I've been using phrases for years. Much easier to remember.

Maybe now companies will stop making you change them every few months. This was always one of the stupidest things around. It made people write down passwords instead of remembering them.


_____________________________________

Because in the end, you won’t remember the time you spent working in the office or mowing your lawn. Climb that goddamn mountain. Jack Kerouac
 
Posts: 16399 | Registered: March 27, 2004
bobtheelf (Do the next right thing) posted:
 
Posts: 3660 | Location: Nashville | Registered: July 23, 2012
zoom6zoom (Delusions of Adequacy) posted:




I have my own style of humor. I call it Snarkasm.
 
Posts: 17944 | Location: Virginia | Registered: June 02, 2006
ensigmatic (Nullus Anxietas) posted:
Problem with that article is that, at the time that old password composition guideline was created, most software wouldn't hash more than the first 8 characters of a password. So "correcthorsebatterystaple" would hash identically to "correcth", which would be weaker than "Tr0ub4do". Furthermore: The compute power available now was not, then.

The "change it every X days" thing has ever and always been counter-productive, IMO, and I never put such policies in place.



"America is at that awkward stage. It's too late to work within the system,,,, but too early to shoot the bastards." -- Claire Wolfe
"If we let things terrify us, life will not be worth living." -- Seneca the Younger, Roman Stoic philosopher
 
Posts: 26009 | Location: S.E. Michigan | Registered: January 06, 2008
sjtill (goodheart) posted:
Well, I only work as a volunteer now at one hospital, so the multiple systems I had to deal with before are gone for me. I use Diceware: phrases made of words selected at random by throws of dice, with an extra number thrown in.


_________________________
“ What all the wise men promised has not happened, and what all the damned fools said would happen has come to pass.”— Lord Melbourne
 
Posts: 18068 | Location: One hop from Paradise | Registered: July 27, 2004
iron chef posted:
I had thought before that if a password hacking program is running every combination of letters, numbers, and characters, then the longer the password, the better, and a '^' sign shouldn't be any harder to guess than an 'A'. This article more or less validates that.
 
Posts: 3186 | Location: Texas | Registered: June 17, 2003
SIG4EVA (Alienator) posted:
Thanks a lot ass. I have a few passwords that have worked for almost 20 years without getting hacked. No special characters, just letters and numbers.


SIG556 Classic
P220 Carry SAS Gen 2 SAO
SP2022 9mm German Triple Serial
P938 SAS
P365 FDE

Psalm 118:24 "This is the day which the Lord hath made; we will rejoice and be glad in it"
 
Posts: 7071 | Location: NC | Registered: March 16, 2012
1967Goat (Shit don't mean shit) posted:
quote:
Originally posted by Rey HRH:
In a widely circulated piece, cartoonist Randall Munroe calculated it would take 550 years to crack the password “correct horse battery staple,” all written as one word. The password Tr0ub4dor&3—a typical example of a password using Mr. Burr’s old rules—could be cracked in three days, according to Mr. Munroe’s calculations, which have been verified by computer-security specialists.

I've read this logic several times. What security admin worth his salt would let a PW be tried for 3 days without locking the account? If you are locked out for 20 minutes after 10 invalid attempts, and then locked out permanently after three 20-minute attempts, how would your PW ever be cracked?...Even if it was P@55W0rd?
 
Posts: 5760 | Location: 7400 feet in Conifer CO | Registered: November 14, 2006
220-9er (Just because you can, doesn't mean you should) posted:
I would bet that very few passwords are cracked. Most are stolen with key loggers, phishing schemes and other means.
Unless you use something really simple, like your name, address, birthday etc. it would take way too much time to bother.


___________________________
Avoid buying ChiCom/CCP products whenever possible.
 
Posts: 9510 | Location: NE GA | Registered: August 22, 2002
ensigmatic (Nullus Anxietas) posted:
quote:
Originally posted by iron chef:
I had thought before that if a password hacking program is running every combination of letters, number, and characters, then the longer the password, the better, and '^' sign shouldn't be any harder to guess than an 'A'. This article more or less validates that.

Except another thing the article misses is the reason for the original guidelines. It wasn't to thwart or slow automated (aka brute-force) cracking mechanisms, but easy password guessing. I was once helping a user out. Whatever the problem was, it required he log out and back in repeatedly. I wasn't watching his hands on the keyboard, per se, but, after so many repetitions, I couldn't miss it. I looked at him and said "Please tell me your password isn't ``bob1``?"

It was.

The mixed-case and symbol things were to help prevent that kind of thing.

I've had 8-character passwords that followed guidelines similar to the old recommendations that had been in-use for over a decade. No accounts that had such passwords were ever compromised, to the best of my knowledge, nor did any cracking mechanism I ran against them ever crack them--even after running for, literally, days.

What the long pass-phrase "passwords" seek to defeat are password-cracking server farms that utilize multiple GPUs per machine.



 
Posts: 26009 | Location: S.E. Michigan | Registered: January 06, 2008
K0ZZZ posted:
As a computer security guy, I've long held this, that the password requirements were just bad.

I'm more annoyed at other computer security types, who hold onto these idiotic rules as religious dogma.

Some of the current thinking is good: Three words. Not 4 like the cartoon, but three is a good compromise. So something like "Sig.Sauer.Guns" works well.


... Chad



http://shotworkspro.com - Much better than scrap paper! Use 'Take5' to get 5 bucks off.
 
Posts: 770 | Location: Colorado Springs, CO | Registered: December 14, 2009
Grandiosity is a sign of mental illness posted:
quote:
Originally posted by ensigmatic:
Problem with that article is that, at the time that old password composition guideline was created, most software wouldn't hash more than the first 8 characters of a password. So "correcthorsebatterystaple" would hash identically to "correcth", which would be weaker than "Tr0ub4do". Furthermore: The compute power available now was not, then.

The "change it every X days" thing has ever and always been counter-productive, IMO, and I never put such policies in place.


Yep.

It's all about increasing the search space for anyone trying to crack passwords.

When systems could/did only effectively 'use' up to an 8 character password, you do your best by using as much of the character set as possible - so upper, lower, numeric, punctuation/special chars.

Now that systems can make use of longer passwords/pass phrases, you should do that. It works better.

The old guidelines weren't wrong, exactly, they're just obsolete.
 
Posts: 2453 | Location: MO | Registered: March 07, 2010
46and2 (Oh stewardess, I speak jive.) posted:
quote:
Originally posted by 220-9er:
I would bet that very few passwords are cracked. Most are stolen with key loggers, phishing schemes and other means.
Unless you use something really simple, like your name, address, birthday etc. it would take way too much time to bother.

You would likely lose that bet.

A dictionary attack, especially one that includes all normal substitutions (0 for O, $ for S, and oodles of others that are extremely well known) is very fast, and if the system doesn't lock you out quickly enough it can run through a gazillion tries in no time.

Although, social engineering and basic research uncovers most, I'd bet, and - once they're in your primary email account they likely have access to many other things and tidbits.

Many are lazy and uncreative, too. If your dog's name is Freddie and you talk about him all over Facebook or forums like this and you think MyD0gFr3dd!3 is good enough - it isn't.

Still, the rules have long been overdone and for the wrong reasons.
 
Posts: 25613 | Registered: March 12, 2004
Skins2881 (Ammoholic) posted:
quote:
Originally posted by 1967Goat:
quote:
Originally posted by Rey HRH:
In a widely circulated piece, cartoonist Randall Munroe calculated it would take 550 years to crack the password “correct horse battery staple,” all written as one word. The password Tr0ub4dor&3—a typical example of a password using Mr. Burr’s old rules—could be cracked in three days, according to Mr. Munroe’s calculations, which have been verified by computer-security specialists.

I've read this logic several times. What security admin worth his salt would let a PW to be tried for 3 days without locking the account? If you are locked out for 20 minutes after 10 invalid attempts, and then locked out permanently after 3 20 minute attempts, how would your PW ever be cracked?...Even if it was P@55W0rd?


Anyone know the answer to this? I've never understood how a hacker tries 12.85 billion combinations. I always get locked out after 3-5 attempts.



 
Posts: 20822 | Location: Loudoun County, Virginia | Registered: December 27, 2014
Rey HRH (His Royal Hiney) posted:
In the early 90s, a coworker who was not computer savvy at all and didn't want to be bothered learning it asked me to help set up her account including her password. She specifically asked help with her password.

So I did. The password I set her up with was iloverey. And every time she had to log in, she had to type "I love Rey." At least, it wasn't past 6 months before she learned how to change her password.

I am ticked off at the password requirements. Need to have at least one Capitalized letter, one number, one special symbol, another place doesn't allow special symbols, etc. Another place won't accept a previous password.

I've got my own workable password system but I still have to keep tabs on my passwords for the different places I use them.



 
Posts: 19663 | Location: The Free State of Arizona - Ditat Deus | Registered: March 24, 2011
Pipe Smoker (Baroque Bloke) posted:
A good password vault is my solution. It generates long, strong, passwords. I can select the character set and length. My password vault choice is mSecure. The account URL is stored too. When I click the URL, the PW for that account is copied to my paste buffer, and my browser is launched. I have mSecure for both my iPhone and MacBook, and they can be synchronized.

A different PW for every account, and I seldom change PWs.



Serious about crackers
 
Posts: 8952 | Location: San Diego | Registered: July 26, 2014
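The two ways of generating credentials that sjtill (Diceware, words chosen by dice plus an extra number) and Pipe Smoker (vault-generated random strings with a chosen character set and length) describe, as an added example rather than anything from those posts or from mSecure. The 36-word list is constructed so the block runs stand-alone; the real Diceware list has 7776 words and uses five dice per word, and the same base-6 indexing handles a list of that size. Both generators return the entropy of what they produced, counted only over the random choices: about 12.9 bits per word from a real Diceware list, about 6.55 bits per character from the 94 printable ASCII symbols, so a 20-character vault password (about 131 bits) comfortably outclasses a four-word phrase (about 52 bits); the phrase wins only on memorability.

```python
import math
import secrets
import string

# Constructed 36-word list indexed by two dice (6 x 6 outcomes). The real
# Diceware list has 7776 words and uses five dice per word; the indexing
# below works for any list whose length is a power of six.
MINI_WORDLIST = [
    "acid", "amber", "apple", "badge", "baker", "basin",
    "cabin", "candy", "cedar", "daisy", "dance", "delta",
    "eagle", "earth", "ember", "fable", "fancy", "fiber",
    "gamma", "ghost", "giant", "habit", "hazel", "honey",
    "igloo", "ivory", "jelly", "kayak", "lemon", "linen",
    "maple", "mango", "noble", "ocean", "olive", "pearl",
]


def roll_die() -> int:
    """One fair roll, 1..6, from the OS CSPRNG (never random.random())."""
    return secrets.randbelow(6) + 1


def diceware_phrase(n_words: int = 4, wordlist=MINI_WORDLIST, add_number: bool = True):
    """Diceware as sjtill describes it: every word chosen by dice, plus an
    extra random number (0-99 here). Returns (phrase, entropy_bits). Only
    the random choices count toward entropy: log2(len(wordlist)) per word
    and log2(100) for the number; the word list itself is public."""
    dice_per_word = round(math.log(len(wordlist), 6))
    if 6 ** dice_per_word != len(wordlist):
        raise ValueError("wordlist length must be a power of 6")
    words = []
    for _ in range(n_words):
        index = 0
        for _ in range(dice_per_word):
            index = index * 6 + (roll_die() - 1)   # base-6 digits from the dice
        words.append(wordlist[index])
    bits = n_words * math.log2(len(wordlist))
    if add_number:
        words.append(str(secrets.randbelow(100)))
        bits += math.log2(100)
    return " ".join(words), bits


def vault_password(length: int = 20,
                   alphabet: str = string.ascii_letters + string.digits + string.punctuation):
    """What a password manager generates: uniformly random characters from a
    chosen set. Entropy is length * log2(len(alphabet)); 20 characters from
    the 94 printable ASCII symbols is about 131 bits."""
    if len(set(alphabet)) != len(alphabet):
        raise ValueError("alphabet must not repeat characters")
    pw = "".join(secrets.choice(alphabet) for _ in range(length))
    return pw, length * math.log2(len(alphabet))


if __name__ == "__main__":
    phrase, bits = diceware_phrase()
    print(f"{phrase!r}: {bits:.1f} bits (36-word list; a 7776-word list gives "
          f"{4 * math.log2(7776) + math.log2(100):.1f})")
    pw, bits = vault_password()
    print(f"{pw!r}: {bits:.1f} bits")
```

The one rule that matters in both functions is that every choice comes from `secrets`, not from `random`: the entropy figures are only honest if the attacker cannot reproduce the generator's state.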
Big Stack posted:
Are we talking file encryption or system PWs? For any system PW, the system should prevent brute-force attacks by limiting the number of password attempts. In that case, some other method would be necessary.

My take on a lot of hacks is that they were allowed by laziness/sloppiness with common passwords.

quote:
Originally posted by 46and2:
quote:
Originally posted by 220-9er:
I would bet that very few passwords are cracked. Most are stolen with key loggers, phishing schemes and other means.
Unless you use something really simple, like your name, address, birthday etc. it would take way too much time to bother.

You would likely lose that bet.

A dictionary attack, especially one that includes all normal substitutions (0 for O, $ for S, and oodles of others that are extremely well known) is very fast, and if the system doesn't lock you out quickly enough it can run through a gazillion tries in no time.

Although, social engineering and basic research uncovers most, I'd bet, and - once they're in your primary email account they likely have access to many other things and tidbits.

Many are lazy and uncreative, too. If your dog's name is Freddie and you talk about him all over Facebook or forums like this and you think MyD0gFr3dd!3 is good enough - it isn't.

Still, the rules have long been overdone and for the wrong reasons.
 
Posts: 21240 | Registered: November 05, 2003
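An answer to the question 1967Goat, Skins2881 and Big Stack ask above (how does anyone try billions of guesses when an account locks after a handful), and a demonstration of the substitution-aware dictionary attack 46and2 describes. The guesses are not made against a login page; they are made against a copy of the stored password hashes after a breach like the LinkedIn or MySpace ones the article mentions, where no lockout exists and the only limit is how fast the hash computes. This is an added example, not code from any post: the "leak", the wordlist and the mangling rules are constructed for the block, and the 10 billion guesses per second offline rate is an assumption for illustration. The 1,000 guesses per second figure is the one Munroe's 550-years / 3-days arithmetic assumes, and the block reproduces both numbers from it.

```python
import hashlib
import itertools


def sha1_hex(s: str) -> str:
    """Unsalted SHA-1, the way several real breaches stored passwords."""
    return hashlib.sha1(s.encode()).hexdigest()


# Constructed "leak": an attacker holding a breached database sees only the
# hex digests. The plaintexts are the ones discussed in this thread.
LEAKED_HASHES = {sha1_hex(p) for p in (
    "Tr0ub4dor&3",                  # Munroe's 28-bit example
    "Pa55word!2",                   # the "rotated" password from the article
    "Monkey1!",                     # Cranor's common word plus mandatory suffix
    "correcthorsebatterystaple",    # the 44-bit passphrase
)}

# Small constructed dictionary; real attacks use lists of millions of
# previously leaked passwords.
WORDLIST = ["password", "monkey", "princess", "iloveyou", "troubador",
            "letmein", "qwerty"]

# The "normal substitutions" 46and2 mentions: each letter may stay or be
# replaced by a look-alike.
LEET = {"a": "a4@", "e": "e3", "i": "i1!", "o": "o0", "s": "s5$", "t": "t7"}

# Suffixes that composition rules and 90-day rotations train people to add.
SUFFIXES = ["", "1", "2", "3", "!", "!1", "!2", "!3", "1!", "&3", "123"]


def mangle(word: str):
    """Yield every substitution/case/suffix variant of a dictionary word."""
    options = [LEET.get(c, c) for c in word]
    for chars in itertools.product(*options):
        base = "".join(chars)
        for cased in (base, base.capitalize()):
            for suffix in SUFFIXES:
                yield cased + suffix


def crack(leaked: set, wordlist=WORDLIST):
    """Offline dictionary attack: hash each candidate and look it up in the
    leaked set. No login endpoint is touched, so no lockout policy fires.
    Returns (cracked: {hash: plaintext}, guesses_made)."""
    cracked, guesses = {}, 0
    for word in wordlist:
        for candidate in mangle(word):
            guesses += 1
            h = sha1_hex(candidate)
            if h in leaked and h not in cracked:
                cracked[h] = candidate
    return cracked, guesses


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """How long a search space of 2**bits lasts at a fixed guess rate.
    At 1000/s (Munroe's assumption) 44 bits is about 550 years and 28 bits
    about 3 days; at an assumed 1e10/s against unsalted SHA-1, the 44-bit
    passphrase falls in under an hour."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    found, n = crack(LEAKED_HASHES)
    print(f"{len(found)} of {len(LEAKED_HASHES)} hashes cracked in {n} guesses:")
    for h, pw in found.items():
        print(f"  {h[:12]}...  {pw}")
    for bits in (28, 44):
        for rate in (1e3, 1e10):
            print(f"{bits} bits at {rate:.0e}/s: {years_to_exhaust(bits, rate):.2g} years")
```

Three of the four hashes fall to a few thousand guesses; the passphrase survives only because no rule turns a seven-word dictionary into four-word concatenations. Lockout governs online guessing alone. What actually slows the offline case is a deliberately slow, salted hash (bcrypt, scrypt, Argon2), which cuts the guess rate by several orders of magnitude and gives the longer secret its margin.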
© SIGforum 2024