National Institute of Standards and Technology (NIST) manager Bill Burr is rarely remembered as the man who once came up with our strong password standards. Despite this, he has said in an interview that he regrets the advice that is still being used by corporations and governments to secure their systems.
Burr’s advice is not technically wrong. After all, a combination of random capitalisation, special characters, and at least one numeral has the potential for creating a strong password. However, people are not actually capable of true randomness, which leads to patterns in how they create passwords. That is why most “strong” passwords are now generally variations on leet speak.
Compounding this problem is the advice to change passwords every 90 days. Anyone who has ever been in this situation knows that the new passwords will eventually fall into a pattern of changing a single number every 90 days. Humans just cannot cope with remembering a new random password every three months.
New NIST standards were introduced this year, discarding most of Burr’s advice. However, technical advisor Paul Grassi, who authored the new standards, says that Burr exaggerates the damage caused by his advice, claiming that companies managed to survive 15 years on the old document.
Knowledgeable web users these days prefer to use a password method invented by webcomic XKCD. It’s a more elegant system of simply combining four random words; creating a mental image helps the user remember those four words. In the comic’s case, it happened to be “correct horse battery staple”. According to math verified by the WSJ, a brute-force attack would take 550 years to guess this password. Burr’s password would last three days against a brute force attack.
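The arithmetic behind those two figures can be reproduced in a few lines. The Python sketch below is an added example, not part of the original article or the WSJ's calculation. It assumes the XKCD comic's own parameters (a 2,048-word list, a 28-bit estimate for the Burr-style password, and an attacker making 1,000 guesses per second), and its 16-word list is a constructed sample.

```python
import math
import secrets

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY

# Constructed 16-word sample so the block runs offline. A real passphrase
# needs a list of thousands of words (2,048 words gives 11 bits per word).
SAMPLE_WORDS = [
    "correct", "horse", "battery", "staple", "anchor", "violet", "maple",
    "tunnel", "rocket", "pepper", "island", "copper", "window", "ladder",
    "harbor", "candle",
]


def passphrase_bits(wordlist_size, n_words):
    """Entropy in bits of n_words drawn uniformly from wordlist_size words."""
    return n_words * math.log2(wordlist_size)


def generate_passphrase(wordlist, n_words=4):
    """Pick words with the OS CSPRNG, so no human pattern creeps in."""
    words = sorted(set(wordlist))  # duplicates would overstate the entropy
    if len(words) < 2:
        raise ValueError("word list needs at least two distinct words")
    picked = [secrets.choice(words) for _ in range(n_words)]
    return " ".join(picked), passphrase_bits(len(words), n_words)


def seconds_to_exhaust(bits, guesses_per_second=1000):
    """Worst-case time to try every candidate in a 2**bits search space."""
    return 2 ** bits / guesses_per_second


if __name__ == "__main__":
    phrase, bits = generate_passphrase(SAMPLE_WORDS)
    print(f"sample passphrase: {phrase!r} ({bits:.0f} bits, list too small)")

    four_words = passphrase_bits(2048, 4)  # assumption: comic's 2,048-word list
    years = seconds_to_exhaust(four_words) / SECONDS_PER_YEAR
    print(f"four random words: {four_words:.0f} bits, about {years:.0f} years")

    days = seconds_to_exhaust(28) / SECONDS_PER_DAY  # assumption: comic's 28 bits
    print(f"Burr-style password: 28 bits, about {days:.1f} days")
```

The estimate only holds when the words are chosen by a random generator; four words a person picks themselves fall back into the predictable patterns described above.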
[Source: Wall Street Journal]