David Baxter PhD

Late Founder
Widely Adopted 'Password Rules' May Actually Backfire
By John Lister, infopackets.com
August 9, 2017

It turns out the key is longer passwords, not necessarily random characters.

The man behind some of the most commonly held advice on creating passwords says he was wrong on several points. Bill Burr says the real problem with his tips was that they led to predictable behavior.

Burr's advice came in a short 2003 document produced by the National Institute of Standards and Technology. Because of the institute's prestige, the advice was widely adopted and cited, with both employers and sites often insisting that passwords meet the guidelines. (Source: wsj.com)

Mix of Characters Hard to Remember
One part of the advice was to use a mix of capital letters, lower case letters, numbers and symbols rather than just ordinary letters. The logic behind that was that this would mean more possible passwords, making them harder to guess.

To some extent this was correct: the advice meant people didn't just use single words that allowed a relatively quick automated attack that simply tried every word in the dictionary. Instead such 'brute force' attacks meant trying every possible combination of characters, a longer process.

The problem with that advice is that such passwords are harder to remember, meaning people prefer shorter passwords. However, password length arguably has more of an effect than adding in symbols and numbers. That's because even if you simply make a password one letter longer, it makes the number of possible combinations - and in turn the time to crack it - 26 times bigger. (Source: gizmodo.com)

Regular Changes a Mixed Blessing
Burr's other point of regret is that he advised users to change their passwords every 90 days. That certainly had some merit as it reduced the risk that a stolen or leaked password would still be valid when a hacker came to use it.

The problem is that regular changes made it even harder for people to remember passwords, pushing them to fall back on predictable phrases or making only minor changes to their password to satisfy the requirements of their employer's system.

To be fair, one of the reasons his advice has dated is that people today have many more passwords to remember than was the case 14 years ago. That makes it virtually impossible to remember passwords for every site while still following the guidelines about using numbers and symbols, let alone changing them regularly.

That's why many people today use password vaults which generate long and unpredictable passwords that the user doesn't need to remember. Many users also take a hybrid approach, using lengthy but memorable passwords for their most important and sensitive accounts and then using generated passwords or variations on a common phrase for other sites.
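The keyspace arithmetic behind the article's length-versus-complexity point, as an added example that is not part of the original article or of this post. The guess rate of 10^10 per second, the 50,000-word dictionary and the "Capitalised word + two digits + symbol" habit model are assumptions chosen for illustration; the example generalises the article's "26 times bigger" figure to any character set and also shows how little a letter-to-digit substitution adds against an attacker who applies the same substitution rules.

```python
"""Keyspace arithmetic behind the 'length beats complexity' argument.

Constructed example. Guess rate, dictionary size and the 'Word + digits +
symbol' habit model are assumptions chosen for illustration, not measurements.
"""
import math
from itertools import product

LOWER = 26              # a-z
MIXED_ALNUM = 62        # a-z, A-Z, 0-9
PRINTABLE_ASCII = 95    # every printable ASCII character


def naive_keyspace(length: int, charset_size: int) -> int:
    """Candidates if every position is chosen uniformly from the charset.
    Adding one position multiplies this by charset_size (26 for lowercase).
    This is the model the 2003-style complexity rules implicitly assume."""
    return charset_size ** length


def bits(keyspace: int) -> float:
    """Entropy in bits of a uniformly chosen element of `keyspace`."""
    return math.log2(keyspace)


def exhaust_seconds(keyspace: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a fixed guess rate
    (an offline attack against a fast hash; the rate is an assumption)."""
    return keyspace / guesses_per_second


def habit_keyspace(dictionary_words: int, digit_suffix_len: int = 2,
                   symbol_choices: int = 10, case_variants: int = 2) -> int:
    """Candidates an attacker needs if users follow the predictable
    'Capitalised word + a couple of digits + one symbol' habit the article
    describes. The complexity rules are satisfied, but the space is tiny."""
    return dictionary_words * case_variants * 10 ** digit_suffix_len * symbol_choices


def leet_variants(word: str, subs: dict[str, str]) -> set[str]:
    """Every string reachable by substituting, or not, each character that
    has an entry in `subs` (o->0, e->3, i->1, ...). With k substitutable
    positions there are 2**k variants, so an attacker who applies the same
    substitution rules pays only k extra bits for the trick."""
    choices = [(ch, subs[ch]) if ch in subs else (ch,) for ch in word]
    return {"".join(p) for p in product(*choices)}


def summary(guesses_per_second: float = 1e10) -> dict[str, tuple[float, float]]:
    """(bits, days to exhaust) for several password styles, for comparison."""
    styles = {
        "8 chars, full printable set, uniform": naive_keyspace(8, PRINTABLE_ASCII),
        "12 chars, lowercase only, uniform": naive_keyspace(12, LOWER),
        "Word+2 digits+symbol habit, 50k-word dictionary": habit_keyspace(50_000),
        "4 words chosen uniformly from a 7776-word list": naive_keyspace(4, 7776),
    }
    return {name: (bits(space), exhaust_seconds(space, guesses_per_second) / 86_400)
            for name, space in styles.items()}


if __name__ == "__main__":
    for name, (b, days) in summary().items():
        print(f"{name:50s} {b:6.1f} bits  {days:12.1f} days")
    # The substitution trick on its own: 4 variants of 'fish' under i->1, s->5
    print(sorted(leet_variants("fish", {"i": "1", "s": "5"})))
```

Run as a script it prints the comparison table; the point to take from it is that the 12-character lowercase password has a larger uniform keyspace than the 8-character "all four classes" one, while the rule-satisfying habit pattern sits far below both.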
 

Retired

Member
I take passwords and computer security very seriously. Here is an approach I like and recommend to my friends:

A password generator app that produces pronounceable passwords containing the recommended elements of upper and lowercase letters along with numbers and symbols can be as long as desired and can be remembered.

Example: R0dR33lF1shCatch61$ is pronounced Rod-Fish-Catch-61-dollar sign. This password uses numbers to substitute for specific letters.

Another version uses a series of nonsensical syllables such as RakMalBol instead of understandable words.

Words in different languages offer other possibilities as do phrases that can be modified such as KingFaroukHadaLittleLamb57Ketchup

To manage a collection of passwords, a home-made password manager can be created using a password-protected MS Word document and Word's search capability, or an even more advanced method would be to bookmark each password category and then create an alphabetical list of hyperlinks within that Word document to quickly and easily access each password.

I prefer a homemade password manager to any commercial or public app as an additional security layer.
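One way to build the kind of syllable-based generator the post above describes, with the entropy each choice contributes, as an added example that is not the poster's app or any named product. The syllable inventory, the symbol set and the "capitalise each syllable" convention are assumptions for illustration.

```python
"""Generator for pronounceable, syllable-style passwords (RakMalBol style)
with an account of the entropy each random choice contributes.
Constructed example; the syllable inventory and symbol set are assumptions."""
import math
import secrets

ONSETS = list("bdfgklmnprstvz")                    # 14 leading consonants
VOWELS = list("aeiou")                             # 5 vowels
CODAS = ["", "k", "l", "m", "n", "r", "s", "t"]    # optional final consonant (8)
SYMBOLS = "!$%&*?@#"                               # 8 symbols, assumed


def syllables() -> list[str]:
    """The full inventory the generator draws from (14 * 5 * 8 = 560)."""
    return [o + v + c for o in ONSETS for v in VOWELS for c in CODAS]


def pronounceable(n_syllables: int, digits: int = 2, symbol: bool = True,
                  rng=secrets) -> str:
    """Capitalised syllables plus an optional digit and symbol suffix.
    `rng` needs only a `choice` method; the default is the `secrets` module,
    i.e. the OS CSPRNG, rather than the `random` module."""
    inventory = syllables()
    word = "".join(rng.choice(inventory).capitalize() for _ in range(n_syllables))
    word += "".join(rng.choice("0123456789") for _ in range(digits))
    if symbol:
        word += rng.choice(SYMBOLS)
    return word


def entropy_bits(n_syllables: int, digits: int = 2, symbol: bool = True) -> float:
    """Entropy is set by how many uniform choices the generator made, not by
    the string's length: log2(560) ~ 9.1 bits per syllable, ~3.3 per digit,
    3 for the symbol. Capitalisation is fixed and contributes nothing."""
    total = n_syllables * math.log2(len(syllables())) + digits * math.log2(10)
    if symbol:
        total += math.log2(len(SYMBOLS))
    return total


if __name__ == "__main__":
    for n in (3, 4, 6):
        print(f"{pronounceable(n):20s} {entropy_bits(n):5.1f} bits")
```

Each added syllable is worth about nine bits, so the "as long as desired" property maps directly to entropy: six syllables plus the suffix is in the range of a random 10-character password drawn from the full printable set.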
 