I was interviewed by the News at One on RTE Radio to comment on the man who has disowned his advice about making passwords safer. Now retired, Bill Burr admitted his proposals have been a waste of time. “Much of what I did I now regret,” he told the Wall Street Journal.
Back in 2003, Burr wrote an eight-page document for the National Institute of Standards and Technology. His advice was to use a minimum of seven characters, and to include numbers, capital letters or special characters. A password like ‘Password1’ fits those criteria and would be deemed secure, but we now know it isn’t. Burr also recommended that people change their passwords every 90 days.
In hindsight, Burr believes his advice was misguided. It foundered on a very human tendency towards laziness. “In the end, it was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree,” he said.
Many of the tips Burr shared in 2003 ended up making us less secure, because people fell into using combinations of numbers and words that attackers and their algorithms found easy to guess. When prompted to add a special character to a password, many people simply add an exclamation mark or @ symbol. Being forced to change passwords regularly just reinforced bad habits, such as simply adding a number or character to an existing password.
This excellent cartoon from XKCD emphasises the point brilliantly.
Another staple of Burr’s original advice is that passwords should be easy to remember and hard to guess. If you think about that for a moment, it’s actually self-contradictory. By definition, something that’s easy to remember is probably also easy for an attacker to predict.
The need to protect our personal information is stronger than ever, so what’s the alternative? In the radio interview, I explained how I advise people to use a passphrase instead of a password. On air, I gave the example “I always listen to RTE news at one” as a sequence of words that’s easy to remember. Lines from a favourite song or play would also work. Phrases like these are very hard for an attacker to guess for two reasons: they are sufficiently personal to us, and they are very long.
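To make the contrast concrete, here is an added example (my own illustration, not part of the radio interview or NIST’s guidance) that scores a candidate password two ways: against the 2003-style composition rule and against a check in the spirit of the updated guidance, which rejects common passwords and word-plus-suffix patterns instead of demanding character classes. The common-password list, the 11-bits-per-word estimate and the 40-bit threshold are constructed assumptions for illustration.

```python
import math
import re
import string

# Constructed stand-in for a list of known-compromised or common passwords;
# a real deployment would check against a breach corpus.
COMMON_PASSWORDS = {"password", "password1", "qwerty123", "letmein!", "welcome1"}

# The habit the post describes: a single word with a number or a "!"/"@"
# bolted on to satisfy a composition rule.
PREDICTABLE_SUFFIX = re.compile(r"^[A-Za-z]+[0-9!@#$]{1,5}$")

def passes_2003_rules(pw: str) -> bool:
    """The 2003-era rule from the post: at least seven characters, plus at
    least one digit, capital letter or special character."""
    has_class = any(c.isdigit() or c.isupper() or c in string.punctuation for c in pw)
    return len(pw) >= 7 and has_class

def estimated_bits(pw: str) -> float:
    """Rough strength estimate. A phrase of four or more words is scored per
    word (assumed 11 bits each, a 2048-word vocabulary); anything else is
    scored per character over the character classes it actually uses."""
    words = pw.split()
    if len(words) >= 4:
        return 11.0 * len(words)
    pool = 26 * any(c.islower() for c in pw) + 26 * any(c.isupper() for c in pw)
    pool += 10 * any(c.isdigit() for c in pw) + 33 * any(c in string.punctuation for c in pw)
    return len(pw) * math.log2(pool) if pool else 0.0

def passes_modern_rules(pw: str, min_bits: float = 40.0) -> bool:
    """In the spirit of the updated NIST guidance the post mentions: no
    required character classes, but reject short secrets, known-common
    passwords and word-plus-suffix patterns, and require a minimum strength."""
    if len(pw) < 8 or pw.lower() in COMMON_PASSWORDS:
        return False
    if PREDICTABLE_SUFFIX.match(pw):
        return False
    return estimated_bits(pw) >= min_bits

def is_trivial_rotation(old: str, new: str) -> bool:
    """Flag the forced-rotation habit from the post: the new password is the
    old one with a character or two appended, or with its trailing number bumped."""
    if new.startswith(old) and 0 < len(new) - len(old) <= 2:
        return True
    stem_old, stem_new = old.rstrip("0123456789"), new.rstrip("0123456789")
    return stem_old == stem_new and old != new and stem_old != old

if __name__ == "__main__":
    for pw in ("Password1", "I always listen to RTE news at one"):
        print(pw, passes_2003_rules(pw), passes_modern_rules(pw))
```

‘Password1’ passes the 2003 rule and fails the modern one; the on-air passphrase passes both, and a rotation from ‘Summer17’ to ‘Summer18’ is flagged.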
Some of the standard security advice is still valid: I recommend using different passphrases across multiple websites or online services. Using the same phrase over and over again puts us at risk if attackers compromise any one of those sites, because they could then use those same credentials to access other services.
If concocting new and unique passphrases sounds like too much hard work, then investing in a good password manager will take care of the heavy lifting. Just take the time to come up with a sufficiently secure master password to protect all of those other credentials.
PS NIST published updated standards in June which removed much of Burr’s original advice. If you are curious to read more about the latest thinking in passwords and digital authentication, you can find the document here.