The man who drew up widely-used password rules that are now regarded as wrong regrets ever having created them.
If you’ve ever wondered why you’re forced to pick hard-to-remember passwords with a mix of uppercase, lowercase, numbers, and a symbol — and then asked to change them every month — it’s probably because a developer somewhere followed guidance from a 2003 document by the US National Institute of Standards and Technology (NIST).
That eight-page document ‘NIST Special Publication 800-63. Appendix A’ was written by Bill Burr, now a retired 72-year-old former manager at the institute.
“Much of what I did I now regret,” Burr told The Wall Street Journal.
NIST finalized a rewrite of the password management guidelines in June, reversing many of the recommendations contained in the document he wrote.
It did away with recommending periodic password changes and password complexity requirements, while introducing a requirement to check that new passwords aren’t compromised or commonly used, like ‘1234567’ or ‘password’, which always turn up in breaches as the most common secrets.
As the revised document notes, analyses of exposed passwords, which now number several hundred million in the haveibeenpwned database, show rules around complexity and changing passwords don’t produce the benefits they were thought to, yet make using systems terrible.
For example, a user inclined to choose ‘password’ might well choose ‘Password1’ if required to include a number and uppercase letter. Meanwhile, periodic password changes can make them difficult to remember for those needing access to dozens of systems, who might then waste time requesting a password reset whenever they’ve forgotten them.
Burr, a former mainframe programmer for the Army, told the paper he did actually want to create password guidance based on real-world passwords, but there wasn’t much available in 2003. He even asked NIST computer admins to look at real passwords on their network but was knocked back.
As a result, he leaned largely on empirical data in a computer password security whitepaper from the 1980s.
Under the new guidance, admins responsible for verifying newly created passwords are advised to check them against passwords exposed in previous breaches, dictionary words, repetitive and sequential characters, and words containing the name of the user or service.
The only time that admins should force a change now is if there is evidence a password has been breached. And to support longer random passwords, it advises that admins should let users paste their password in, backing the use of password managers.
The guidance also addresses password length, suggesting users be required to pick one that is at least eight characters in length, while the system should support passwords at least 64 characters in length.
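The checks the revised guidance describes above (length bounds, a breach blocklist, dictionary words, repetitive and sequential characters, and the user or service name), as an added Python example that is not part of this article or of NIST's publication. The blocklist and dictionary are small constructed stand-ins for a breach corpus such as the haveibeenpwned set, the `service_name` parameter is hypothetical, and the trailing-digit normalisation that catches the 'Password1' pattern mentioned earlier is a design choice of this example rather than something the guidance mandates. Note what the function does not do: it enforces no character-class mix and no expiry.

```python
"""Password acceptance check in the style of the revised NIST SP 800-63B guidance.

Added example, not code from the article or from NIST. Assumptions:
- BLOCKLIST and DICTIONARY are tiny constructed sets standing in for a
  real breach corpus and a real word list.
- service_name is a hypothetical parameter for the name of the system.
"""
import re

# Constructed stand-in for a breached-password corpus (assumption).
BLOCKLIST = {"password", "1234567", "12345678", "qwerty", "letmein"}

# Constructed stand-in for a dictionary word list (assumption).
DICTIONARY = {"password", "welcome", "summer", "dragon", "monkey"}

MIN_LENGTH = 8   # guidance: require at least eight characters
MAX_LENGTH = 64  # guidance: the system must accept at least 64 characters


def _normalise(password):
    """Lowercase and strip trailing digits/symbols so 'Password1' is
    compared to the blocklist as 'password'. Design choice of this
    example, not a NIST requirement."""
    return re.sub(r"[\d\W_]+$", "", password.lower())


def _has_repetitive_chars(password, run=4):
    """True if any character repeats `run` or more times in a row ('aaaa')."""
    return re.search(r"(.)\1{%d,}" % (run - 1), password) is not None


def _has_sequential_chars(password, run=4):
    """True if `run` consecutive characters step up or down by exactly one
    code point ('abcd', '4321')."""
    codes = [ord(c) for c in password.lower()]
    for i in range(len(codes) - run + 1):
        window = codes[i:i + run]
        diffs = {b - a for a, b in zip(window, window[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def check_password(password, username="", service_name=""):
    """Return the list of reasons a password is rejected; an empty list
    means it is accepted. No complexity classes and no expiry are
    enforced, matching the revised guidance."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("too short")
    if len(password) > MAX_LENGTH:
        reasons.append("too long")

    lowered = password.lower()
    normalised = _normalise(password)
    if lowered in BLOCKLIST or normalised in BLOCKLIST:
        reasons.append("found in breach blocklist")
    if lowered in DICTIONARY or normalised in DICTIONARY:
        reasons.append("dictionary word")
    if _has_repetitive_chars(password):
        reasons.append("repetitive characters")
    if _has_sequential_chars(password):
        reasons.append("sequential characters")
    for label, name in (("username", username), ("service name", service_name)):
        if name and name.lower() in lowered:
            reasons.append("contains " + label)
    return reasons


if __name__ == "__main__":
    for candidate in ("Password1", "abcd1234", "alice2024!", "correct horse battery staple"):
        print(repr(candidate), "->", check_password(candidate, username="alice", service_name="Acme"))
```

Because the blocklist lookup is an exact-match set membership, a real deployment would swap the constructed sets for a hashed or k-anonymity lookup against a large corpus; the structure of the check stays the same.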