The man who quite literally wrote the book on password security has admitted he may have been “barking up the wrong tree” with his previous advice.
Bill Burr published an influential guide on password protection back in 2003, and his advice was quickly established as the gold standard. However, with hindsight (aided by technological advances), the author has now admitted that everything he previously espoused could well be wrong..
Cracking the code
Burr’s not-so-snappily-titled handbook, ‘NIST Special Publication 800-63. Appendix A’ advised web users to substitute letters with numbers and special characters, to end up with something less like ‘password’ and more like ‘p@$$w0rd’.
However, it’s since been proven that hacking software would find it much easier to crack this code than a simple, random mix of words, without the trickery (such as ‘finger rumple blank horn’).
Burr also called for passwords to be changed frequently – every 90 days. In practice, though, this doesn’t have quite the same impact as first hoped. After all, users approach these changes in a more evolutionary than revolutionary manner, by most often adding numbers to the ends of their existing passwords. Rather unsurprisingly, this system was also found to be easy to crack.
Professor Alan Woodward from the University of Surrey told the BBC that Burr’s advice was so esteemed because it was published under the NIST banner. These publications are influential, he added, so tend to have a “long-lasting impact”. In this case, experts have long disputed Burr’s advice, but the NIST credibility carried it through.
Best practice: secure storage of unique, complex passwords
Woodward went on to explain another unfortunate result of Burr’s system – generally weaker passwords. The more a user is forced to change their login details, the weaker they tend to become. Sticking with one, strong initial password, on the other hand, circumvents this issue and prevents passwords from shrinking in length (and therefore becoming less secure).
Today, businesses looking to keep up with best practice are advised to ditch regular password changes and instead put in place a system where users can store their login details safely and securely. This method also allows users to have many different logins, so that if one were to be hacked, it doesn’t then throw up a master key to all their other accounts.
Further articles from our Autumn 2017 E-zine include: