The Guy Who Invented Those Annoying Password Rules Now Regrets Wasting Your Time
We’ve all been forced to do it: create a password with at least so many characters, so many numbers, so many special characters, and maybe an uppercase letter. Guess what? The guy who invented these standards nearly 15 years ago now admits that they’re basically useless. He is also very sorry.
The man in question is Bill Burr, a former manager at the National Institute of Standards and Technology (NIST). In 2003, Burr drafted an eight-page guide on how to create secure passwords, creatively titled “NIST Special Publication 800-63, Appendix A.” This became the document that would go on to more or less dictate password requirements on everything from email accounts to login pages to your online banking portal. All those rules about using uppercase letters, special characters and numbers—those are all because of Bill.
Simple math shows that a shorter password with wacky characters is much easier to crack than a long string of easy-to-remember words. This classic XKCD comic shows how four simple words create a passphrase that would take a computer 550 years to guess, while a nonsensical string of random characters would take approximately three days.
It's about the length and not the type of characters per se (yes, a bigger source of characters is a bit more difficult, but the clincher is actually the length). Something not mentioned is this "need" to change a password every 30 days. Why would you do that if you could rather choose one good long password? The downside of the 30-day rule is that users either write the password down or just change one character.
See http://ift.tt/2uDE3u9
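To make the arithmetic behind the two preceding paragraphs concrete, here is an added Python example; it is not code from the article, the comic or the post. It assumes an attacker who can try 1,000 guesses per second (the rate usually quoted with the comic; an assumption here), takes the 28-bit figure for the substitution-style password as the comic's own estimate rather than something computed, and assumes a 2048-word list for the four-word passphrase. The second function is a constructed illustration of the "change one character" problem: a simple edit-distance check a password-change form could use to notice that the new password is a trivial rotation of the old one.

```python
import math

# Assumed attacker model: 1,000 guesses per second (an online-style rate).
GUESSES_PER_SECOND = 1_000
SECONDS_PER_YEAR = 365 * 24 * 3600
SECONDS_PER_DAY = 24 * 3600


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a secret chosen uniformly at random:
    `length` symbols, each drawn from `alphabet_size` possibilities."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every possibility for a secret of `bits` entropy."""
    return 2 ** bits / guesses_per_second


def years_to_exhaust(bits: float, guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    return seconds_to_exhaust(bits, guesses_per_second) / SECONDS_PER_YEAR


def compare_policies() -> dict:
    """Compare a few password styles under the same attacker model.
    Returns {policy name: (entropy bits, years to exhaust)}."""
    policies = {
        # Human-chosen word with substitutions ("Tr0ub4dor&3" style):
        # ~28 bits is the comic's estimate, because the pattern is predictable.
        "comic: human-chosen word with substitutions": 28.0,
        # Four words drawn uniformly from an assumed 2048-word list: 4 * 11 bits.
        "comic: four random common words (2048-word list)": entropy_bits(2048, 4),
        # Eight truly random printable ASCII characters (95 symbols).
        "8 random printable ASCII": entropy_bits(95, 8),
        # Six random words from a 7776-word Diceware-style list.
        "6 random Diceware words (7776-word list)": entropy_bits(7776, 6),
    }
    return {name: (bits, years_to_exhaust(bits)) for name, bits in policies.items()}


def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character edits turning `a` into `b`."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like_minor_rotation(old: str, new: str, max_edits: int = 2) -> bool:
    """True when the new password is within `max_edits` edits of the old one,
    e.g. only a trailing digit was bumped (the behaviour forced rotation encourages)."""
    return levenshtein(old.lower(), new.lower()) <= max_edits


if __name__ == "__main__":
    for name, (bits, years) in compare_policies().items():
        if years < 1:
            print(f"{name}: {bits:5.1f} bits, about {years * 365:.1f} days")
        else:
            print(f"{name}: {bits:5.1f} bits, about {years:,.0f} years")
    # Constructed sample passwords for the rotation check.
    print(looks_like_minor_rotation("Winter2023!", "Winter2024!"))  # True
    print(looks_like_minor_rotation("Winter2023!", "correct horse battery staple"))  # False
```

Note that the comparison only holds when the words or characters really are chosen at random: a random eight-character string scores higher than four random words, but a human-chosen word with substitutions does not, which is the comic's point. The rotation check is deliberately crude; its purpose is to show why a reuse-with-one-edit policy gives a 30-day rule little security benefit.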
from Danie van der Merwe - Google+ Posts http://ift.tt/2vNyTQb
via IFTTT