Topic: The Guy Who Invented Those Annoying Password Rules Now Regrets Wasting Your Time


Wingnut
Hang Him. He must pay.


We’ve all been forced to do it: create a password with at least so many characters, so many numbers, so many special characters, and maybe an uppercase letter. Guess what? The guy who invented these standards nearly 15 years ago now admits that they’re basically useless. He is also very sorry.

The man in question is Bill Burr, a former manager at the National Institute of Standards and Technology (NIST). In 2003, Burr drafted an eight-page guide on how to create secure passwords creatively called the “NIST Special Publication 800-63. Appendix A.” This became the document that would go on to more or less dictate password requirements on everything from email accounts to login pages to your online banking portal. All those rules about using uppercase letters and special characters and numbers—those are all because of Bill.

The only problem is that Bill Burr didn’t really know much about how passwords worked back in 2003, when he wrote the manual. He certainly wasn’t a security expert. And now the retired 72-year-old bureaucrat wants to apologize.

“Much of what I did I now regret,” Bill Burr told The Wall Street Journal recently, admitting that his research into passwords mostly came from a white paper written in the 1980s, well before the web was even invented. “In the end, [the list of guidelines] was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree.”

Bill is not wrong. Simple math shows that a shorter password with wacky characters is much easier to crack than a long string of easy-to-remember words. This classic XKCD comic shows how four simple words create a passphrase that would take a computer 550 years to guess, while a nonsensical string of random characters would take approximately three days:

http://gizmodo.com/the-guy-who-invented-those-annoying-password-rules-now-1797643987

Offline 240B
I have been yelling about this for years. If you go to a website and they tell you outright that your password must be 12 characters, it must have two capital letters, it must have two numbers, and it must have a special character, and then they show you a list of special characters to use, are they insane?

Do they think that hackers would not read their guidelines?

Ok, says the hacker, I need 12 characters, two capital, two numbers, and one of these other characters. Ok, got it. Thanks Mr. web admin for telling me what I need to do so I don't have to waste my time on passwords that will never work.

On the other hand, if your password was 'Aaa', no one would ever guess that.

Any website that gives the hackers a tutorial on what the outline of their passwords looks like is just asking for trouble. Not only is it annoying as hell, it is the opposite of making passwords more secure.
« Last Edit: August 09, 2017, 12:02:19 am by 240B »
You cannot "COEXIST" with people who want to kill you.
If they kill their own with no conscience, there is nothing to stop them from killing you.
Rational fear and anger at vicious murderous Islamic terrorists is the same as irrational antisemitism, according to the Leftists.
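Added example, not from the Gizmodo article, the XKCD comic, or any poster in this thread: the entropy arithmetic behind two points raised above. The first post cites the comic's comparison (the comic itself assumes about 28 bits for its pattern-based password, 44 bits for four words from a 2048-word list, and 1,000 guesses per second), and 240B's post argues that publishing a composition policy tells an attacker which candidates to skip. The character-class sizes, word-list size and guess rate below are assumptions, and 240B's "12 characters, two capitals, two numbers, a special character" policy is read as minimum counts.

```python
import math
from functools import lru_cache

# Assumed character-class sizes for a typical ASCII password form (not from the
# thread): 26 lowercase, 26 uppercase, 10 digits, 32 printable punctuation marks.
LOWER, UPPER, DIGIT, SPECIAL = 26, 26, 10, 32
FULL_ALPHABET = LOWER + UPPER + DIGIT + SPECIAL  # 94 printable ASCII characters

# Assumed offline guess rate; the XKCD comic uses 1,000 guesses per second.
GUESSES_PER_SECOND = 1_000
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def random_string_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a string drawn uniformly from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def passphrase_bits(wordlist_size: int, words: int) -> float:
    """Entropy of `words` words each drawn uniformly from a `wordlist_size` list.
    The comic's four words from an assumed 2048-word list give 4 * 11 = 44 bits."""
    return words * math.log2(wordlist_size)


def years_to_exhaust(bits: float, guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Years needed to try every candidate in a 2**bits keyspace at the given rate."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


def count_meeting_rules(length: int, min_upper: int, min_digit: int, min_special: int) -> int:
    """Number of `length`-character strings over the 94-character alphabet that
    satisfy 'at least min_upper uppercase, min_digit digits, min_special specials'.
    Dynamic programme over (position, class counts); each count is capped at its
    minimum, so the state space stays tiny even for long passwords."""

    @lru_cache(maxsize=None)
    def go(pos: int, u: int, d: int, s: int) -> int:
        if pos == length:
            return int(u >= min_upper and d >= min_digit and s >= min_special)
        return (LOWER * go(pos + 1, u, d, s)
                + UPPER * go(pos + 1, min(u + 1, min_upper), d, s)
                + DIGIT * go(pos + 1, u, min(d + 1, min_digit), s)
                + SPECIAL * go(pos + 1, u, d, min(s + 1, min_special)))

    return go(0, 0, 0, 0)


def bits_lost_to_rules(length: int, min_upper: int, min_digit: int, min_special: int) -> float:
    """Bits an attacker saves by skipping every candidate the published policy
    rejects, relative to all strings of the same length over the full alphabet."""
    full = FULL_ALPHABET ** length
    allowed = count_meeting_rules(length, min_upper, min_digit, min_special)
    return math.log2(full / allowed)


if __name__ == "__main__":
    # The comic's comparison at 1,000 guesses per second.
    print(f"28-bit password  : {years_to_exhaust(28) * 365.25:6.1f} days")
    print(f"44-bit passphrase: {years_to_exhaust(passphrase_bits(2048, 4)):6.0f} years")
    # For reference: 8 characters chosen uniformly from all 94 printable symbols.
    print(f"8 random chars   : {random_string_bits(FULL_ALPHABET, 8):.1f} bits")
    # 240B's example policy read as minimums: 12 chars, >=2 upper, >=2 digits, >=1 special.
    print(f"policy shrinks the 12-char keyspace by {bits_lost_to_rules(12, 2, 2, 1):.2f} bits")
```

The first two lines reproduce the comic's "three days versus 550 years" figures from the bit counts alone. The last line quantifies 240B's point: knowing the policy lets an attacker drop every 12-character string that fails it, which removes a measurable slice of the keyspace. The count only says how many candidates the policy admits, not which of them people actually pick, which is a separate question.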

Offline roamer_1
I like 'qwerty'.
Or 'password001'. You put the 001 on the end and no one will ever get it.

Offline Free Vulcan
Good passwords that can be remembered are easy. A fictional character, preferably obscure, caps, some symmetrically placed special characters, and a 4-digit number split across both ends, such as a year.

'20^^WilmA!!DeerinG^^17'
« Last Edit: August 09, 2017, 02:53:48 am by Free Vulcan »
The Republic is lost.

Offline Frank Cannon
The National Institute of Standards and Technology is a rogue agency that should be gotten rid of. They are the folks that worked with the NSA to give a backdoor to encrypted shit so they could snoop on whatever they wanted. Eff all of these pieces of rotting vomit like Bill Burr. Hope he has a massive heart attack that blows his eyeballs out of his vapid and worthless head.