The man behind those annoying password rules now says he was wrong


According to the man who pioneered modern password management, probably not.

While working for the National Institute of Standards and Technology in 2003, Bill Burr wrote "NIST Special Publication 800-63".

Here's hoping websites catch on fast.

If your literary tastes are a bit more lowbrow, you might use the opening lyrics to your favourite song.

The full list can be read in a 5.3GB download, or users can test their own passwords against it at the linked site.

An O becomes a zero, a 1 becomes an exclamation point, and now you have what looks like an impossible-to-crack password.

The problem is the advice ended up largely incorrect, Mr. Burr says.

The revised guidance also recommends that users be required to change a password only when a breach is suspected or confirmed, rather than on a fixed schedule.

For example, something like "Pa55word!" satisfies every one of Burr's composition rules yet is trivial to guess.
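Why the substitutions in "Pa55word!" buy so little, as an added example that is not from the article, NIST or the Journal: a cracker expands each dictionary word with the same character swaps users apply, so the disguised spelling is still in its candidate set. The substitution table and the four-entry "breached" list below are constructed stand-ins for illustration; real rule sets and breach lists are vastly larger.

```python
# Added example (not from the article, NIST, or the Journal): why a password
# such as "Pa55word!" gains almost nothing from its substitutions. Cracking
# tools expand dictionary words with the same substitutions users apply, so
# the "disguised" word is still in the candidate set.
import itertools
import math
import re

# Forward substitution table: each base letter and the variants users swap in.
# Assumption for illustration; real rule sets (hashcat/John) are far larger.
SUBS = {"a": "a@4", "e": "e3", "i": "i1!", "l": "l1", "o": "o0", "s": "s5$", "t": "t7"}

# Constructed stand-in for a breached-password / dictionary list. The real
# lists hold hundreds of millions of entries and are matched by hash.
BREACHED = ["password", "troubador", "letmein", "qwerty"]


def leet_variants(word: str) -> set[str]:
    """Every spelling of `word` reachable through the SUBS table.

    Grows as the product of per-letter choices, so keep words short;
    a real cracker streams candidates instead of materialising them.
    """
    choices = [SUBS.get(c, c) for c in word.lower()]
    return {"".join(p) for p in itertools.product(*choices)}


def extra_bits(word: str) -> float:
    """Upper bound on the entropy the substitutions add: log2(#variants)."""
    return math.log2(len(leet_variants(word)))


def strip_suffix(password: str) -> str:
    """Lower-case and drop the trailing digits/symbols users append ("!1").

    Crude on purpose: a password that is nothing but symbols collapses to "".
    """
    return re.sub(r"[^a-z]+$", "", password.lower())


def is_weak(password: str, breached=BREACHED) -> bool:
    """True if `password` is a substituted form of a known-weak word."""
    candidate = strip_suffix(password)
    return any(candidate in leet_variants(w) for w in breached)


if __name__ == "__main__":
    for pw in ("Pa55word!", "Tr0ub4dor&3", "correct horse battery staple"):
        print(f"{pw!r:35} weak={is_weak(pw)}")
    # "password" has 3*3*3*2 = 54 spellings under SUBS: under 6 bits of extra work.
    print(f"substitutions on 'password' add only {extra_bits('password'):.1f} bits")
```

The point of `extra_bits` is the quantity Burr's rules were meant to raise: all the substitutions on "password" multiply the attacker's work by 54, under six bits, which is why the word itself, not its decoration, decides the outcome.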

Moreover, it has been noted that these eight-character passwords, even with all the twists and turns that are supposed to keep hackers at bay, are actually quite easy to crack.

The better solution could be to simply use a password made of four random words, because the sheer length of such a passphrase makes it harder to crack than a short mix of letters and special characters, the Journal reports.

"The effect of the advice that I gave on passwords ... it wasn't what I had intended, and it tends to drive people insane," Burr, 72, told As It Happens guest host Rosemary Barton.

Now, thanks to a report in the Wall Street Journal, we know who's responsible for our password frustrations.

The most user-friendly updates drop the requirement for special characters and the requirement for periodic password expiration (unless there are signs your account has been compromised).

Cybersecurity experts say certain password rules are ineffective. And then they eventually find something and then they just write it down. "It just doesn't make sense." These are seen as more secure methods.

Academics who have studied passwords for a long time claim that a series of four words is often both easier for users to remember and harder to crack than a mash-up of characters from all ends of the spectrum.

To illustrate this concept, cartoonist Randall Munroe estimated that, at 1,000 guesses per second, it would take only three days to crack the password "Tr0ub4dor&3", but 550 years to crack "correcthorsebatterystaple".

Of course, following the AARP's advice might also lead to people getting locked out of accounts after failed attempts in which they enter old passwords, and that frustration may ultimately push them to undermine security with weaker, reused passwords.
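The arithmetic behind the four-random-words advice and the "three days versus 550 years" comparison, as an added example that is not from the article or from the comic. The per-component bit counts for "Tr0ub4dor&3", the 2,048-word list size and the 1,000 guesses-per-second rate are the comic's own assumptions, reproduced here; the 1e10 guesses-per-second offline rate and the ten-word list are assumptions added for contrast, and the word list is a constructed placeholder far too small for real use.

```python
# Added example (not from the article or from xkcd): the arithmetic behind the
# "3 days vs 550 years" comparison, and a passphrase generator. The bit counts
# and the 1,000 guesses/second rate are the comic's assumptions; the 1e10
# guesses/second offline rate is an assumption added here for contrast.
import math
import secrets

# Constructed, deliberately tiny word list so the example is self-contained.
# A real generator needs a large published list; the comic assumes ~2048 words.
WORDS = ["correct", "horse", "battery", "staple", "planet",
         "ladder", "violin", "marble", "oxygen", "window"]
XKCD_LIST_SIZE = 2048


def entropy_bits_substitution(base_word=16, caps=1, subs=3, digit=3, symbol=4, order=1):
    """xkcd's accounting for "Tr0ub4dor&3": uncommon base word (16 bits),
    capitalisation (1), common substitutions (3), an appended digit (3),
    a symbol (4) and which of the two comes last (1). Totals 28 bits."""
    return base_word + caps + subs + digit + symbol + order


def entropy_bits_passphrase(num_words, list_size):
    """Words drawn uniformly and independently: num_words * log2(list_size)."""
    return num_words * math.log2(list_size)


def seconds_to_crack(bits, guesses_per_second):
    """Worst case: enumerate the whole space at the given guess rate."""
    return 2 ** bits / guesses_per_second


def generate_passphrase(num_words=4, words=WORDS):
    """Pick words with the secrets module (a CSPRNG); random.choice is not
    suitable for credentials."""
    return " ".join(secrets.choice(words) for _ in range(num_words))


if __name__ == "__main__":
    DAY, YEAR = 86400, 365.25 * 86400
    online = 1_000          # the comic's rate: a throttled web login
    offline = 10_000_000_000  # assumption: a GPU rig against a fast, unsalted hash

    sub_bits = entropy_bits_substitution()
    phrase_bits = entropy_bits_passphrase(4, XKCD_LIST_SIZE)
    print(f"Tr0ub4dor&3: {sub_bits} bits, "
          f"{seconds_to_crack(sub_bits, online) / DAY:.1f} days at {online}/s")
    print(f"four words:  {phrase_bits:.0f} bits, "
          f"{seconds_to_crack(phrase_bits, online) / YEAR:.0f} years at {online}/s")
    # The caveat: entropy alone does not save a poorly hashed credential.
    print(f"four words offline: {seconds_to_crack(phrase_bits, offline) / 60:.0f} minutes at {offline:.0e}/s")
    # And a tiny word list gives a tiny passphrase space, however random the draw.
    print(f"this example's {len(WORDS)}-word list: "
          f"{entropy_bits_passphrase(4, len(WORDS)):.1f} bits -> {generate_passphrase()!r}")
```

Two things the numbers make plain: 44 bits beats 28 bits by a factor of about 65,000 at any guess rate, but at an offline rate of ten billion guesses per second even the four-word phrase falls in under half an hour, so the site's hashing and rate limiting matter as much as the user's choice; and a passphrase is only as strong as the list it is drawn from, which is why the ten-word list here yields a mere 13 bits.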
