Later On

A blog written for those whose interests more or less match mine.

Best practices for passwords updated after original author regrets his advice

leave a comment »

The XKCD cartoon above is from Nick Statt’s article in Verge, which begins:

A vast majority of the trusted tips and tricks we employ when crafting a custom password actually make us more vulnerable to hackers, according to the expert who popularized the tips back in 2003. In an interview with The Wall Street Journal, former National Institute of Standards and Technology manager Bill Burr admitted that a document he authored on crafting strong passwords was misguided. “Much of what I did I now regret,” says Burr, who is 72 years old and now retired.

The problem wasn’t that Burr was advising people to make passwords that are inherently easy to crack, but that his advice steered everyday computer users toward lazy mistakes and easy-to-predict practices. Burr’s eight-page password document, titled “NIST Special Publication 800-63. Appendix A,” advised people to use irregular capitalization, special characters, and at least one numeral. That might result in a password like “P@ssW0rd123!” While that may make it seem secure on the surface (neglecting, of course, that “password” is a bad password), the issue is that most people tend to use the same exact techniques when crafting these digital combo locks. That results in strings of characters and numbers that hackers could easily predict and algorithms that specifically target those weaknesses.

Even worse, Burr suggested people should change passwords regularly, at least every 90 days. This advice, which was then adopted by academic institutions, government bodies, and large corporations, pushed users to make easy-to-crack passwords. Most people can probably point to a password they’ve created that was deemed strong simply because it had a special character like the “!” or “?” symbol and a numeric string like “123.” And when prompted to change a password, who hasn’t altered it only slightly to avoid the hassle of coming up with an all-new code? . . .

Continue reading.

Written by LeisureGuy

9 August 2017 at 10:51 am

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s