Man Behind Password Requirements Admits He Was Wrong
Those annoying password requirements like ‘must have at least one special character’? They do more harm than good.
BY AVERY THOMPSON
AUG 8, 2017
It is tough to create a good, secure password. It is tough to even agree on what makes a password strong in the first place, but most of the websites you visit probably recommend numbers, capital and lowercase letters, and a random symbol or two. This was the recommendation of Bill Burr, who wrote those password guidelines while working for the National Institute of Standards and Technology back in 2003.
Now, almost 15 years later, Burr finally admits he made a mistake. In an interview with the Wall Street Journal, Burr expressed his regrets for giving advice he now realizes was flawed.
The problem is not that passwords with random numbers and symbols in them are not secure. They can be, especially if a random password generator is used to create secure passwords. The problem is that humans suck at remembering passwords filled with random numbers and symbols, so they typically create simpler passwords that are easier to guess.
If you have ever had to come up with a “secure” password, you probably did the same thing as almost everyone else—pick the first word that comes to mind and substitute a few numbers and symbols for letters. An O becomes a zero, a 1 becomes an exclamation point, and now you have what looks like an impossible-to-crack password.
But you are not the only one doing this, which means that hackers routinely try to guess these common substitutions. The same simple substitution rules double as a handy guide for password crackers. Ironically, Burr’s password security guidance ended up making passwords less secure.
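The predictable-substitution pattern described above, as an added example that is not from the article or from NIST: a defender-side check that undoes the common letter-for-symbol swaps and strips a trailing year or symbol, then compares the result against a constructed, hypothetical blocklist, so that “P@ssw0rd!” is rejected exactly as “password” would be.

```python
import itertools
import re

# Symbols that composition rules push people toward, mapped back to the
# letters they usually stand in for (the "O becomes a zero" pattern).
LEET_MAP = {
    "0": "o", "1": "il", "!": "i", "3": "e", "4": "a", "@": "a",
    "5": "s", "$": "s", "7": "t", "+": "t", "8": "b", "|": "l",
}

# Constructed sample blocklist for illustration only; a real deployment
# would use a large list of known-breached passwords instead.
COMMON_WORDS = {"password", "letmein", "welcome", "summer", "baseball"}


def undo_substitutions(word: str, limit: int = 512) -> set:
    """Return the plain-text spellings `word` could have been derived from,
    by reversing every common substitution (bounded to `limit` variants)."""
    # Each position may be the original symbol or any letter it stands for.
    options = [LEET_MAP.get(ch, "") + ch for ch in word]
    combos = itertools.islice(itertools.product(*options), limit)
    return {"".join(combo) for combo in combos}


def find_base_word(password: str):
    """Return the blocklisted word the password is dressed up from,
    or None when no such word is found."""
    # Drop a "2017!"-style suffix of digits and symbols, then lowercase.
    core = re.sub(r"[\d\W_]+$", "", password.lower())
    for variant in undo_substitutions(core):
        if variant in COMMON_WORDS:
            return variant
    return None


def is_predictable(password: str) -> bool:
    """True when the password is a common word with predictable tweaks."""
    return find_base_word(password) is not None
```

A password that survives this check is not automatically strong; the check only removes the false sense of security that symbol substitutions give.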
Burr’s admission comes at a time when “secure password advice” is becoming mostly irrelevant. There are several services like LastPass and OnePass that will generate secure passwords for you and remember them so you don’t have to. And hopefully in a few years we will have replaced passwords altogether with some other sort of technology.
Of course, all of this is pointless if you don’t care about having a strong password in the first place.
Source: Wall Street Journal via The Verge.