Wednesday, August 9, 2017

"Best practices for passwords updated after original author regrets his advice"

Via Instapundit:

A vast majority of the trusted tips and tricks we employ when crafting a custom password actually make us more vulnerable to hackers, according to the expert who popularized the tips back in 2003. In an interview with The Wall Street Journal, former National Institute of Standards and Technology manager Bill Burr admitted that a document he authored on crafting strong passwords was misguided. “Much of what I did I now regret,” says Burr, who is 72 years old and now retired.

The problem wasn’t that Burr was advising people to make passwords that are inherently easy to crack, but that his advice steered everyday computer users toward lazy mistakes and easy-to-predict practices. Burr’s eight-page password document, titled “NIST Special Publication 800-63. Appendix A,” advised people to use irregular capitalization, special characters, and at least one numeral. That might result in a password like “P@ssW0rd123!” While that may make it seem secure on the surface (neglecting, of course, that “password” is a bad password), the issue is that most people tend to use the same exact techniques when crafting these digital combo locks. That results in strings of characters and numbers that hackers could easily predict and algorithms that specifically target those weaknesses.

Even worse, Burr suggested people should change passwords regularly, at least every 90 days. This advice, which was then adopted by academic institutions, government bodies, and large corporations, pushed users to make easy-to-crack passwords. Most people can probably point to a password they’ve created that was deemed strong simply because it had a special character like the “!” or “?” symbol and a numeric string like “123.” And when prompted to change a password, who hasn’t altered it only slightly to avoid the hassle of coming up with an all-new code?

(Link to the rest of the article)
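The article's point is that “one of each character class” rules and forced rotation push everyone toward the same handful of mangles (capitalise, swap a→@ and o→0, bolt “123!” on the end), which a wordlist-plus-rules cracker enumerates cheaply. The script below is an added example, not code from the article, from Burr's document or from NIST: it puts an Appendix A style composition check beside an SP 800-63B style check (minimum length plus a blocklist compared after undoing the predictable mangles), and counts how many candidates a cracker actually has to try to reach “P@ssW0rd123!” from the base word “password”. The leet map, suffix list and blocklist are small constructed stand-ins for real rule sets and breached-password lists.

```python
"""Composition rules versus blocklist checks, as an added example.

Constructed data throughout: the leet map, suffix list and blocklist are
small stand-ins for the rule sets and breached-password lists a real
cracker (or a real verifier) would use.
"""
import itertools
import math
import string

# Substitutions users reach for when told they need a "special character".
LEET = {"a": "@", "s": "$", "o": "0", "e": "3", "i": "1"}
UNLEET = {v: k for k, v in LEET.items()}

# Suffixes users append when told they need a digit, or when forced to rotate.
SUFFIXES = ["", "1", "12", "123", "1234", "!", "1!", "12!",
            "123!", "2017", "2017!", "01"]

# Constructed stand-in for a breached/common-password list.
BLOCKLIST = {"password", "qwerty", "letmein", "welcome", "admin"}

PRINTABLE_ASCII = 95  # alphabet size a naive "keyspace" estimate assumes


def composition_rule_ok(pw):
    """Appendix A style rule: >= 8 chars and one of each character class.

    Accepts P@ssW0rd123! and rejects a four-word passphrase, which is
    backwards from a cracking-effort point of view."""
    return (len(pw) >= 8
            and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def candidates(base):
    """Every case/leet variant of `base` with every suffix appended.

    This is what a wordlist + rules cracker tries for one base word, so any
    password in this set costs about as much to guess as `base` itself."""
    choices = []
    for c in base:
        opts = {c.lower(), c.upper()}
        if c.lower() in LEET:
            opts.add(LEET[c.lower()])
        choices.append(sorted(opts))
    return {"".join(combo) + suffix
            for combo in itertools.product(*choices)
            for suffix in SUFFIXES}


def naive_bits(pw):
    """Entropy a composition-rule checker implicitly credits: full keyspace."""
    return len(pw) * math.log2(PRINTABLE_ASCII)


def cracker_bits(base):
    """Work a rules-based cracker actually spends on one base word."""
    return math.log2(len(candidates(base)))


def normal_forms(pw):
    """Undo the predictable mangles so a blocklist lookup sees the base word."""
    low = pw.lower()
    stripped = low.rstrip(string.digits + string.punctuation)

    def unleet(s):
        return "".join(UNLEET.get(c, c) for c in s)

    return {low, stripped, unleet(low), unleet(stripped)}


def blocklist_rule_ok(pw):
    """SP 800-63B style rule: minimum length, no composition requirement,
    reject anything that is a trivial variant of a blocklisted value.
    Returns (accepted, reason)."""
    if len(pw) < 8:
        return False, "shorter than 8 characters"
    hit = normal_forms(pw) & BLOCKLIST
    if hit:
        return False, "variant of blocklisted value %r" % sorted(hit)[0]
    return True, "ok"


if __name__ == "__main__":
    for pw in ("P@ssW0rd123!", "Welcome1!", "purple tractor violin sandwich"):
        print("%-32s composition=%-5s blocklist=%s" % (
            pw, composition_rule_ok(pw), blocklist_rule_ok(pw)))
    print("naive bits for P@ssW0rd123!: %.1f" % naive_bits("P@ssW0rd123!"))
    print("candidates a cracker tries for 'password': %d (%.1f bits)" % (
        len(candidates("password")), cracker_bits("password")))
```

Run as-is, the script shows the gap the article describes: a 12-character string drawn from 95 printable characters looks like roughly 79 bits of keyspace, but “P@ssW0rd123!” is one of only 15,552 candidates (about 14 bits) that these few rules generate from “password”, so the composition check accepts it while the blocklist check, after lowercasing, stripping the trailing “123!” and reversing the leet substitutions, rejects it as a variant of a blocklisted word. The four-word passphrase fails the composition check and passes the blocklist check. A production verifier would use a real breached-password corpus and a far larger rule set for normalisation, and should also permit long inputs and spaces, which this sketch does not enforce.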


edutcher said...

Changing passwords like that would be a perpetual thing.

I do try to use something different, but how random can you make it?

Guildofcannonballs said...
Is this thing on?

Anyway, Fox31 just had a special about the poetry slam in Denver, and the ASL group there doing their own poetry slam. It's a moving segment...

ndspinelli said...

The govt. gets hacked by Chinamen and now they have all these fucking hoops for citizens regarding our passwords. My SS account is much harder to access than is warranted. We jump through the hoops changing passwords and they'll get hacked again. The govt. is a shithole.

chickelit said...

I do try to use something different, but how random can you make it?

Use your background and training. I like to use chemical formulae as passwords.

Leland said...

Before the 90 day rule, I had a password I used for over a decade. I worked at a government facility that the NSA intentionally tried to hack to test both their hackers and our security, and we would get letters if our personal computer was successfully penetrated. I never got a letter.

Then Bush created Homeland Security. The bureaucracy read this F'tard's publication and created Homeland Security Policy Directive 12 that codified this nitwit's advice into a requirement for all government computer users. My long term password didn't meet the new directive, so I had to come up with another one, and a routine every 90 days. The first time NSA tested us after HSPD-12, my system and most everyone else's was penetrated. That should have been the wake up call. Instead, now my SF-85 form is available to whomever in China, and I was given a year of free credit monitoring from that jackhat Obama.