In 2003, Bill Burr—then a mid-level manager at the National Institute of Standards and Technology (NIST)—wrote a primer that became the go-to reference guide for setting secure passwords. Now, Burr and NIST are revising their recommendations, saying the original guidance was inaccurate and ineffective, Robert McMillan writes for the Wall Street Journal.
How it all started
Burr in 2003 wrote an eight-page primer, titled "NIST Special Publication 800-63. Appendix A," recommending that people use special characters, capital letters, and numbers in their passwords. The document also advised people to change their passwords every 90 days. The guidance was supposed to help people strengthen their passwords by inserting randomness into the process.
According to McMillan, "The document became a sort of Hammurabi Code of passwords, the go-to guide for federal agencies, universities, and large companies looking for a set of password-setting rules to follow."
Now, however, Burr and NIST are revising their recommendations for secure passwords, saying the original advice was largely ineffective and incorrect. "Much of what I did I now regret," Burr said.
How it went wrong
Burr—who's now retired—explained that when he compiled the original document, there wasn't much real-world password data. Further, when he asked NIST administrators if he could review the passwords they used in their network, they refused based on privacy concerns. Lacking any empirical data, Burr primarily relied on a white paper written in the mid-1980s to compose the guidance.
According to Burr, the resulting guidance "was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree." He added, "It just drives people bananas and they don't pick good passwords no matter what you do."
Step by step: How colleges have implemented multi-factor authentication
In one well-known example, the cartoonist Randell Munroe demonstrated that it would take about 550 years to crack the password "correcthorsebatterystaple." In contrast, it would take just three days to crack Tr0ub4dor&3, a password written in line with Burr's original recommendations. According to McMillian, Munroe's calculations were verified by computer-security specialists.
Recent research suggests that, while people tend to think their passwords are unique, we generally gravitate toward variations of the same password combination, such "iloveyou," "princess," and "monkey," McMillian writes. Cormac Herley, a principal researcher at Microsoft, said, "It's not really random if you and 10,000 other people are doing it."
In June, Paul Grassi, an NIST standards-and-technology adviser, led the rewrite of Special Publication 800-63.
The new guidelines recommend people select long, easily remembered phrases (as passwords that don't necessarily need to contain special characters) and update the passwords only when there's an indication of a security breach. According to Grassi, the original guidance recommending a password change every 90 days and urging people to use special characters did little for security and "actually had a negative impact on usability."
4 tools to help you prepare for a security breach
That said, Grassi said Burr is likely being overly critical in his critique of the original document "[Burr] wrote a security document that held up for 10 to 15 years," Grassi said. "I only hope to be able to have a document hold up that long" (McMillan, Wall Street Journal, 8/7).
4 steps to secure passwords
Phil Beyer, senior director of information security at EAB, adds these four recommendations for choosing secure passwords:
1: Compliance is still crucial. For better or worse, current audit requirements often include minimum standards for password length, complexity, and rotation, and auditors will continue to ensure such policies are in place. Even if one of the original authors of password policy currently disagrees with his own recommendations, your organization's compliance with its own password policy and auditors' standards can still be subject to review during an audit.
Related: How to deal with ransomware attacks—before and after clicking
2: Make your passwords long. All of the data and research available shows that the best password is a long one—more than 20 characters—that is easy for you to remember and hard for a computer to guess.
3: Rotate passwords, and use unique ones for different services. Rotating passwords reduces your susceptibility to an automated attack by an unskilled adversary who purchased your company's username and password database on the black market. In addition, using a unique password for every online service you use—and storing them all in a password vault (such as LastPass, KeePass, or 1Password) —is a strong practice that is vulnerable only to a targeted attack against yourself.
4: Using passwords without complementary security controls is asking for trouble. Passwords have never been and will never be effective as the sole method of authenticating an individual. They are easily compromised by unskilled and advanced attackers alike. As such, organizations should use passwords as one of a series of complementary security controls.
Also see: The top 10 security issues on the rise
Next in Today's Briefing
Initiative hopes to make freshman year free for everyone