Man who wrote those password rules says he blew it

The man who wrote the book on password management has a confession to make: He blew it.

Back in 2003, as a midlevel manager at the National Institute of Standards and Technology, Bill Burr was the author of "NIST Special Publication 800-63. Appendix A." The 8-page primer advised people to protect their accounts by inventing awkward new words rife with obscure characters, capital letters and numbers, and to change them regularly.

The document became a sort of Hammurabi Code of passwords, the go-to guide for federal agencies, universities and large companies looking for a set of password-setting rules to follow.

The problem is the advice ended up largely incorrect, Mr. Burr says. Change your password every 90 days? Most people make minor changes that are easy to guess, he laments. Changing Pa55word!1 to Pa55word!2 doesn't keep the hackers at bay.

Also off the mark: demanding a letter, number, uppercase letter and special character such as an exclamation point or question mark, a finger-twisting requirement.

"Much of what I did I now regret," said Mr. Burr, 72 years old, who is now retired.

In June, Special Publication 800-63 got a thorough rewrite, jettisoning the worst of these password commandments. Paul Grassi, an NIST standards-and-technology adviser who led the two-year-long do-over, said the group thought at the outset the document would require only a light edit.

"We ended up starting from scratch," Mr. Grassi said.

The new guidelines, which are already filtering through to the wider world, drop the password-expiration advice and the requirement for special characters, Mr. Grassi said. Those rules did little for security; they "actually had a negative impact on usability," he said.
