Bill Burr blew it, and he knows it. The man responsible for the global password strength guidelines, which posit that you should always use alphanumeric characters and alternate uppercase and lowercase letters, recognizes his error. According to Burr, these rules “drive people crazy,” and yet, even so, do not necessarily make for good passwords.
Fourteen years of bad passwords
In 2003, while Burr was working at the National Institute of Standards and Technology, he published the report that would become the go-to reference for creating secure passwords, NIST Special Publication 800-63. Appendix A. The guide included two fundamental tips. The first is that passwords must have a combination of alphanumeric, uppercase and lowercase characters, and special characters. The second is that it should be changed every 90 days. Since its publication, the guide stipulated by Bill Burr became the foundation on which the creation of passwords is based. Numerous companies have made it an obligation and prohibit users from using passwords that do not meet these requirements. So what has changed? Why does Burr regret his role in establishing today’s password status quo?
The short answer: people are still using insecure passwords. In cases where a password is not required to comply with the recommendations of Burr and NIST, users often use easy-to-remember (and also hack) passwords such as “123456”, “111111” or “password”. But the problem goes beyond that. Even if you apply Burr and NIST logic and convert “password” to “P @ ssw0rd!”, It is still an easily hackable password. When many users use this password, it is a pattern that cybercriminals can use to access our account.
Burr isn’t the only one to have recognized that the method he invented has become obsolete and, in some cases, even insecure. NIST itself has updated its Digital Identity Guidelines to reflect the new changes. According to this agency, the key to a secure password is the use of compound phrases with words that we can easily remember, a principle that is on display in the comic below from the popular xkcd.
The upper row shows a password with alphanumeric characters, capital letters and special characters (i.e., the “perfect password” according to the old thinking), which could be guessed in three days by brute force. The bottom row shows how a phrase combining four words increases the time it would take to guess the password to 550 years. For years we have resorted to passwords that are hard to remember for us but easy to guess for machines.
Time for a change
If you have not already, it’s time to review your company’s password policy. One of the reasons why many employees jeopardize the security of the company is by choosing passwords that are easy to remember, but also easy to crack. And sometimes, it turns out that some passwords that are difficult to remember are also quite vulnerable. It is important, therefore, to emphasize that this new method combines simplicity and security.
The new NIST guidelines do not recommend changing passwords regularly, but rather when it becomes necessary (after a security incident, for example). The reason is that users turn to the easiest option and make minor changes, minimizing the benefit of changing passwords. What’s more, having to insist and even require a change of password regularly could contribute to “security fatigue” among employees, an increasingly widespread problem among all types of companies.
Bill Burr and NIST have acknowledged that their method is ineffective. Now the responsibility is on us. Implementing the new guidelines will help create safer passwords and protect our business from cybercrime.