In June, the National Institute of Standards and Technology (NIST) issued an updated version of its Digital Identity Guidelines, which include current password practices used industry wide. On Tuesday, its original creator, Bill Burr, confessed he regretted much of what he had done.
Paul Grassi, the proponent of the new guidance that suggests using passphrases instead of passwords might be safer, agrees to an extent that Mr. Burr’s initial standards made an impact in the industry and only expects that his proposal can have a legacy just as long-lasting.
Password decryption easiness is a significant factor in cyber security schemes nowadays, many of which don’t even have to resort to software to make the right guesses. The way in which they are configured, sometimes, makes them simple to crack with a little wit.
— Wall Street Journal (@WSJ) August 7, 2017
Bill Burr says he’s sorry he put you through password hell
In an interview with The Wall Street Journal, Bill Burr, now aged 72 and retired from the U.S. Department of Commerce arm, expressed his regret for having instilled the framework that became the norm at many companies, platforms, and even public services worldwide for a decade and a half.
Mr. Burr recalled how his guidelines for digital security came not from experience, but from heavy research on the limited material that was available at the time. It was the dawn of the true digital era, and we didn’t know at the time the dangers we would face online in the coming years.
Recommendations like having your password be no shorter than eight characters long, use capital letters, numbers, and special characters somewhere in between all came from Bill Burr. Oh, and changing it every couple of months was also his idea, so you can thank him for that too.
Grassi and others had to write new password guidelines from scratch
Of course, like many experts and even Mr. Burr himself acknowledge, these security measures did not turn out as safe as expected. People often change just one character of their password if the platform allows it, completely defeating the purpose of the requirement in the first place.
Moreover, it has been noted that these eight-word passwords, even with all the twists and turns that are supposed to keep hackers at bay, are actually quite easy to crack. It would take three days in average to decode one of those, whereas another with 20 characters or so would take more than 500 years at the same rate.
These calculations were made not by a scientist but by Randall Monroe, the creator of the xkcd comic. He claims we have managed to create passwords that are hard to remember for humans but easy for computers to figure out. Bill Burr admits as much.
Luckily, Mr. Grassi and other’s rewrite took a hard look at the guidelines and started from scratch. The NIST now favors long passwords made up of phrases that are easy to remember and advises that users should only change their password in the scenario of a security breach.
Source: The Wall Street Journal