The man who came up with those password rules we all hate admits he was wrong

[Cal Jeffrey]

We have all seen the message. You know, the one that says, “Your password is about to expire. Please create a new password.”

Then there are the subsequent messages that follow after we inevitably make an entry that the checker does not like: “Your password must be at least eight characters in length and contain at least one of each of the following: capital letter, lower case letter, number, and special character.” For me, it happens every three months on my office computer.

It’s annoying, but as an IT professional I have always accepted it as part and parcel of computer security. After all, the rules were published by the National Institute of Standards and Technology (NIST). Surely they knew what was best when creating strong and secure passwords, right?

As it turns out, they apparently didn’t know much more than the rest of us when the rules were written in 2003. The guidelines were published in a NIST document titled, “Special Publication 800-63. Appendix A.” Now the man who wrote them says he was mostly wrong.

Bill Burr, who worked as a midlevel manager at the NIST, authored the rules and recently told the Wall Street Journal, “Much of what I did I now regret.”

He had wanted to base his guidelines on real world data, but there just wasn't much available at the time. He even tried to get IT administrators at NIST to allow him to look at the passwords on the network, but they scoffed at him citing security concerns.

With nowhere else to turn Burr ended up relying heavily on a white paper written in the 1980s. The document was written well before the public had access to the internet. It was a time when cybercrime barely even existed, at least not as we know it today. Despite most of the advice in Special Publication 800-63 being off-base or outright wrong, the password rules within its pages became IT canon and remained so for almost 15 years.

A widely shared comic strip (above) by Randall Munroe demonstrates the fallacy of Burr’s guidelines. It shows that a password using NIST’s rules can be cracked by a computer in 3 days, and is hard for us to remember. On the contrary, a simple passphrase of only four easy to remember words like "correct horse battery staple," would take 550 years to crack using the same brute force method.

“In the end, it was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree,” said the now retired 72-years-old Burr.

To that, the NIST has responded by rewriting the rules with today’s usage and users in mind. Paul Grassi headed up the re-write last June and said that many of the worst password commandments were eliminated. They initially thought it would be a quick edit, but they ended up starting over from scratch.

The new guidelines are only just beginning to trickle into the IT world, but some of the changes will have users and admins rejoicing.

“Drop the password-expiration advice and the requirement for special characters,” Grassi said. They did little for security and “actually had a negative impact on usability.”

Instead of a string of eight to 16 random characters, which never end up being random, we are told to use long, easy-to-remember phrases with the spaces removed (correcthorsebatterystaple). Grassi also says, “Users should be forced to change passwords only if there is a sign they may have been stolen.”

Sure, there are those that are going to hold on to the old guidelines because they hate change. Or those that like their password because they think "!'m@H4X0R" is cool. Or those that just don't care because they have a password manager that logs them in anyway. I'm just thankful that I can look forward to not having to get nagged to change my password every 90 days.

Permalink to story.

https://www.techspot.com/news/70492-man-who-came-up-password-rules-all-hate.html

 

[Cycloid Torus]

Glad he finally admitted it.

 

[m4a4]

Good. These stupid password rules on top of length have been pissing me off for quite some time (especially since I understand the point made by the comic).
Every year I see worse and worse rules implemented, and hopefully this is a start to remedy that.

 

[Cal Jeffrey]

Good. These stupid password rules on top of length have been pissing me off for quite some time (especially since I understand the point made by the comic).
Every year I see worse and worse rules implemented, and hopefully this is a start to remedy that.

I'm just afraid that companies and websites will not start implementing the changes for another 15 years.

 

[Kotters]

That XKCD comic is always posted. It creates passwords that are great against brute force, but is much more vulnerable to a dictionary attack.

 

[Evernessince]

The use of common words in a password is equally as dumb. Notice in the comparison above how they state that using more characters and common words as more effective when against a brute force attack. The Huge drawback is that if they try a dictionary attack, it will take much less time.

A brute force attack works by checking every possible combination down to the character while a dictionary attack only uses words, phrases, ect.

From wiki on Brute Force

"When password guessing, this method is very fast when used to check all short passwords, but for longer passwords other methods such as the dictionary attack are used because a brute-force search takes too long. Longer passwords, passphrases and keys have more possible values, making them exponentially more difficult to crack than shorter ones."

https://en.wikipedia.org/wiki/Brute-force_attack

In other words, making your passwords short with jumbled characters or long but with easy to remember words are both poor methods to make passwords. Each has had a decoding method in place for a long time now that works specifically well on them. Your best bet is to either combine both jumbled and long or implement a simple shift cipher, preferably an extended shift cipher. Shift Ciphers are one of the most simple Ciphers out there and are easy to implement and remember.

 

[VitalyT]

For some reasons, the first time I read

midlevel manager at the NIST

as medieval. But after re-reading it, I think I wasn't far from the truth.

 

[cuerdc]

Yeah I hope my work place rids of this nonsense lost track of how many times been locked out.

 

[Mr Neutron]

Good. These stupid password rules on top of length have been pissing me off for quite some time (especially since I understand the point made by the comic).
Every year I see worse and worse rules implemented, and hopefully this is a start to remedy that.

I'm just afraid that companies and websites will not start implementing the changes for another 15 years.

Yes, the big hitters on the internet are STILL abiding by the stupid rules of including numbers and other symbols to be 'more secure' or we don't sign you up!

They've not caught on that having to move to another keyboard several times when entering a password on a touch screen mobile device is a real chore. And people just vote with their feet and use a more friendly service instead of theirs.

 

[J spot]

The use of common words in a password is equally as dumb. Notice in the comparison above how they state that using more characters and common words as more effective when against a brute force attack. The Huge drawback is that if they try a dictionary attack, it will take much less time.

A brute force attack works by checking every possible combination down to the character while a dictionary attack only uses words, phrases, ect.

From wiki on Brute Force

"When password guessing, this method is very fast when used to check all short passwords, but for longer passwords other methods such as the dictionary attack are used because a brute-force search takes too long. Longer passwords, passphrases and keys have more possible values, making them exponentially more difficult to crack than shorter ones."

https://en.wikipedia.org/wiki/Brute-force_attack

In other words, making your passwords short with jumbled characters or long but with easy to remember words are both poor methods to make passwords. Each has had a decoding method in place for a long time now that works specifically well on them. Your best bet is to either combine both jumbled and long or implement a simple shift cipher, preferably an extended shift cipher. Shift Ciphers are one of the most simple Ciphers out there and are easy to implement and remember.

I agreed with you that it didn't seem secure, but then thought better of it.

Though four words seems short it would probably take many times longer than the age of the universe using a dictionary attack to crack it. It would actually be a brute force/dictionary attack, because it will have to use all possible combinations of all the words in the English language.

So instead of the computer having to brute force 95^4 (keyboard), it would have to brute force 171,476^4

Per my password calculator, at a million passwords per second it would take to go through all combinations:

95^4 = 1:36 minutes:seconds
1000^4 = 11.57 days
2000^4 = 185.19 days
3000^4 = 2.57 years
Now imagine 171,476^4

From Googling https://www.economist.com/blogs/johnson/2013/05/vocabulary-size

Most adults know 20,000 to 35,000 words.

20,000^4 = 5,073.57 years
35,000^4 = 47,584.51 years

171,476^4 = 27,416,169.09 years. So not quite many times longer than the age of the universe

But throw in one completely made up word, and that dictionary attack won't crack it.

Edit: Also, I did not take into account the use of capital letters. Where if they just use a capital letter on one or more words then it would take 70,000^4 = 761,352 years.

 

[BSim500]

That XKCD comic is always posted. It creates passwords that are great against brute force, but is much more vulnerable to a dictionary attack.

The Huge drawback is that if they try a dictionary attack, it will take much less time.

There are common sense ways to thwart pure letter dictionary attacks:-

1. Include a word you can easily remember but isn't a normal word included in a typical password cracking "Word List". Maybe the name of a memorable website, movie, an unusual song / artist, or the name of a brand. Eg, "Idiocracy", "Techspot" or "The Bonzo Dog Doo-Dah Band" are highly unlikely to be found inside most Word List dictionaries.

2. Obfuscated words. Words that sound the same but are spelt differently. Eg, unless specifically included, "Def Leppard" would not be cracked with a dictionary with normal words "deaf" and "leopard" in it. The less common the pop-cult reference, the better.

3. Instead of all lower / upper case, you just write in normal "sentence case". ie, capitalize the first letter of the first word plus the names of any people / titles (instantly forcing a 52-letter alphabet instead of a 26-letter). Although it won't drive up complexity exponentially like a brute-force attack, the need to test multiple capitalized variants (lowercase / uppercase / title case, etc) of multiple word combinations still makes it +10x harder.

4. Keeping with "sentence case writing", add a . at the end of the last word as if it were the end of a sentence. Or use words with memorable but substituted punctuation (eg, "Cruisin'" or "Lovin'" instead of Cruising or Loving), rendering dictionary attacks that focus purely only on letters useless.

5. Merging natural word-pairs. "Driving" + "License" or "Sikorsky" + "helicopter" may both show up as individual words in a dictionary attack. But how about "DrivingLicense" or "SikorskyHelicopter"? Obscure enough that it simply isn't in any Word List by itself, whilst turning it into "I have a clean DrivingLicense." or "I've flown in a Sikorskyhelicopter." increases password length to 30-35 characters, making it exponentially difficult vs brute-attacks whilst simultaneously screwing up the "wordiness" of the individual words vs dictionary attacks.

So instead of "we love reading books", you put "We love reading Techspot.". The end period alone instantly causes problems for pure dictionary attacks using only letters, the use of 1 or 2 Capital letters in normal "sentence case" increases complexity, whilst the use of an unusual and unique brand-name (already formed by 2 different words "Technology + Spotlight") would thwart many dictionaries altogether if it weren't specifically included. The overall combination of this stuff still makes multi-word alphabetic pass-phrases far more secure than 1-word alphanumeric passwords, whilst keeping in with the spirit of remembering easy word phrases without forced numbers or out of place symbols.

 

[Ascaris]

"Instead of a string of eight to 16 random characters, which _never end up being random,_"

The link provided contains no evidence to this effect at all. The closest it comes is showing that two apparently random strings are in the "most used" list because bots are using them as constants (and thus not random).

I use a password generator for all of my passwords. Each site gets its own random string of sufficient length to make brute-forcing a multi-century affair with today's tech. Can I remember them all? Absolutely not-- I've never even typed any of them, nor even seen most of them as anything but a series of asterisks. The database of those passwords in my browser's password manager is encrypted, protected by a password that is itself very strong.

Now, you would be right in saying that the password generator isn't REALLY random, as computers can't do that, but it's pretty close for the purposes we're talking about here. If I ever think a password has been compromised, I can make a new one and switch it out long before anyone would be able to crack it with brute force, and dictionary attacks would be completely useless, even if they did know the particular random number generating algorithm used by my password generator.

 

[GreenNova343]

Dang it...@J spot & @BSim500 beat me to the long explanation why dictionary attacks won't help with passphrases.

But I will add this:

https://en.wikipedia.org/wiki/Dictionary_attack

It specifically mentions that a dictionary attack can be foiled by the use of a passphrase.

And thinking about it, it seems like the detractors are making a big assumption about the success of a dictionary attack: that the attacker knows exactly how many words are in the passphrase.

Sure, requiring at least 4 words in a passphrase makes it a lot harder to guess the words, plus makes for long characters. But what if you choose to use more?

Let's say, for example, that someone picked the phrase, "I really do not like eating cheese". Sure, all of the words are very common words, so individually would show up in a dictionary list. But the phrase is not 4 words, it's 7. Now, I would assume that for this dictionary attack to work, you'd have to first check just for each word individually, then check for multiple combinations. Let's say that, because these were simple words, the attacker can get by with using only a 5,000-word list:
-- 5,000 checks for a single-word passphrase
-- 5,000^2 = 25,000,000 checks (2.5 x 10^6) for a two-word passphrase
-- 5,000^3 = 125,000,000,000 checks (1.25 x 10^11) for a 3-word passphrase
-- 5,000^4 = 625,000,000,000,000 checks (6.25 x 10^14) for a 4-word passphrase
-- Total so far: 625,125,025,005,000 checks (6.25125025005 x 10^14)

Now, at 1 million checks per second, the attacker would need just over 7,235 days (173,645.8403 hours), or almost 20 years, to run through all of those checks...& at the end of it, it still hasn't guessed the passphrase, because the passphrase has 7 words in it. That adds another:
-- 5,000^5 = 3,125,000,000,000,000,000 checks (3.125 x 10^18) for a 5-word phrase
-- 5,000^6 = 15,625,000,000,000,000,000,000 checks (1.5625 x 10^22) for a 6-word phrase

That's a total of 15,628,125,625,125,025,005,000 checks (1.5628125625125025005 x 10^22), which at 1 million attempts per second will take over 495 million years (495,225,417 years, 64 days, 21 hours, 10 minutes, 25.005 seconds to be exact), just to eliminate all passphrases with 6 or fewer words...& it's only now going to be able to start working on the 7-word passphrases. Note, BTW, that checking those phrases will require almost 2.5 trillion years to check every combination.

Note as well, that this is still faster than a straightforward brute-force attack (34 characters in the passphrase means 95^34 = 1,748246 x 10^67 combinations, or 2.2373 x 10^41 times as many combinations as for the dictionary attack).

And I even calculated using a much smaller word list, since the passphrase used fairly common words. I could have been more obscure & used words like "gouda", "brie", or "feta" in place of "cheese". I could have even shortened it to 6 words, but punched up the complexity level by saying, "I literally cannot stand consuming cheese". If you shorten the phrase to 6 words, but increase the necessary word list to 20,000 words, then you have to go through all of the 1- to 5-word passphrases first (3.20016000800040002 x 10^21 checks)...which means waiting over 101 million years (101,406,951 years, 128 days, 17 hours, 40 minutes, 0.02 seconds) before starting in on the 6-word phrase checks (which can take up to 2.028 trillion years to run through). And you don't want to think about how long the brute-force character-by-character attack would take (41-character password, 95^41 = 1.220865 x 10^81 combinations...)

 

[Adhmuz]

Most adults know 20,000 to 35,000 words.

20,000^4 = 5,073.57 years
35,000^4 = 47,584.51 years

171,476^4 = 27,416,169.09 years. So not quite many times longer than the age of the universe

But throw in one completely made up word, and that dictionary attack won't crack it.

Edit: Also, I did not take into account the use of capital letters. Where if they just use a capital letter on one or more words then it would take 70,000^4 = 761,352 years.

I use a passphrase that has 13 words in it, 3 of which are capitalized, so your math would be 70,000^13 for that one? That puts it at 9.688901e+62 years to be cracked, holy crap I should use more passphrases like that.

 

[Uncle Al]

And they wonder why people simply use "password" or "123456789" as their password?

 

[ET3D]

I'm sure that a few years from now we'll think of passphrases the same as we think about random passwords. These certainly worked, when computing power was much lower.

All the tips here are rather silly. Capitalising words starts adds one bit, a full stop at the end another. All of these are less than adding one extra character to the password. Adding random capitals is equivalent to common substitutions, and subverts the idea of having something easy to remember. The number of words people commonly use would likely be quite small.

That's not to say that passphrases aren't currently better, but when starting to talk about a large number of words, capitalisation, punctuation, etc., it will end up not much easier to remember, especially if the passphrase isn't reused, and people will just end up using passwords managers. At that point, it won't matter much if we'd use a combinations of letters and symbols or a long phrase.

 

[JudasSheep]

People are still stupid enough to give out their password to social engineering. No amount of complexity is going to stop that. And I am sure we will always be able to find passwords taped to the bottom of keyboards or on sticky notes attached to their monitor.

 

[Capaill]

I would suggest not using spaces in your password. There is no guarantee that the programmer has thought to wrap the string in quotes.
I would imagine that the hacker has no idea of how long your password is? So they won't know how many words to try. Maybe use a line from a song/poem. I would also suggest mixing languages or even avoiding the English language if you can. But above all, make it as long as you can and easy to remember.
What annoys me is the rule that you shouldn't use the same password on multiple sites. I have dozens of passwords now and can't remember which I used on rarely-used sites. I need to start a new system.

 

[Cal Jeffrey]

"Instead of a string of eight to 16 random characters, which _never end up being random,_"
The link provided contains no evidence to this effect at all. The closest it comes is showing that two apparently random strings are in the "most used" list because bots are using them as constants (and thus not random).
I use a password generator for all of my passwords.

First of all, I'm sure the regular readers of TS all use strong secure passwords. I certainly do (as annoying as they may be in some instances) and I've never been hacked on any account. That statement was actually in reference to the general public.

Second, I'm not sure what you mean about the link not providing any evidence that the 8-16 character passwords seldom end up being random. The link points directly to Rob's article on the most commonly used passwords. The top ten most common passwords are anything but random characters, not to mention the fact that since they are common they by definition cannot be random. I'm not sure you read that sentence right, or is there a typo I can't see?

Lastly, password generators and managers are great, but there are many cases where they cannot be used – in my office at work for instance. I happen to love password managers. At home, I use my Mac's keychain extensively, but at work, I cannot use password managers as no external software is allowed. I still have a strong password, but having to change it every 3 months is a pain in the ***.

Thanks for reading and thanks for the comment.

 

[Kotters]

There are common sense ways to thwart pure letter dictionary attacks:-

1. Include a word you can easily remember but isn't a normal word included in a typical password cracking "Word List". Maybe the name of a memorable website, movie, an unusual song / artist, or the name of a brand. Eg, "Idiocracy", "Techspot" or "The Bonzo Dog Doo-Dah Band" are highly unlikely to be found inside most Word List dictionaries.

2. Obfuscated words. Words that sound the same but are spelt differently. Eg, unless specifically included, "Def Leppard" would not be cracked with a dictionary with normal words "deaf" and "leopard" in it. The less common the pop-cult reference, the better.

3. Instead of all lower / upper case, you just write in normal "sentence case". ie, capitalize the first letter of the first word plus the names of any people / titles (instantly forcing a 52-letter alphabet instead of a 26-letter). Although it won't drive up complexity exponentially like a brute-force attack, the need to test multiple capitalized variants (lowercase / uppercase / title case, etc) of multiple word combinations still makes it +10x harder.

4. Keeping with "sentence case writing", add a . at the end of the last word as if it were the end of a sentence. Or use words with memorable but substituted punctuation (eg, "Cruisin'" or "Lovin'" instead of Cruising or Loving), rendering dictionary attacks that focus purely only on letters useless.

5. Merging natural word-pairs. "Driving" + "License" or "Sikorsky" + "helicopter" may both show up as individual words in a dictionary attack. But how about "DrivingLicense" or "SikorskyHelicopter"? Obscure enough that it simply isn't in any Word List by itself, whilst turning it into "I have a clean DrivingLicense." or "I've flown in a Sikorskyhelicopter." increases password length to 30-35 characters, making it exponentially difficult vs brute-attacks whilst simultaneously screwing up the "wordiness" of the individual words vs dictionary attacks.

So instead of "we love reading books", you put "We love reading Techspot.". The end period alone instantly causes problems for pure dictionary attacks using only letters, the use of 1 or 2 Capital letters in normal "sentence case" increases complexity, whilst the use of an unusual and unique brand-name (already formed by 2 different words "Technology + Spotlight") would thwart many dictionaries altogether if it weren't specifically included. The overall combination of this stuff still makes multi-word alphabetic pass-phrases far more secure than 1-word alphanumeric passwords, whilst keeping in with the spirit of remembering easy word phrases without forced numbers or out of place symbols.

The issue is that the comic doesn't even mention the possibility of a dictionary attack, let alone mention obfuscation of the words. It also doesn't talk about how to generate a random set of words. Using a phrase or logically-correct sentence greatly reduces the difficulty of cracking too, though it does require the attacker to know the nature of the password, or guess the nature correctly.

 

[Misagt]

The use of common words in a password is equally as dumb. Notice in the comparison above how they state that using more characters and common words as more effective when against a brute force attack. The Huge drawback is that if they try a dictionary attack, it will take much less time.

A brute force attack works by checking every possible combination down to the character while a dictionary attack only uses words, phrases, ect.

From wiki on Brute Force

"When password guessing, this method is very fast when used to check all short passwords, but for longer passwords other methods such as the dictionary attack are used because a brute-force search takes too long. Longer passwords, passphrases and keys have more possible values, making them exponentially more difficult to crack than shorter ones."

https://en.wikipedia.org/wiki/Brute-force_attack

In other words, making your passwords short with jumbled characters or long but with easy to remember words are both poor methods to make passwords. Each has had a decoding method in place for a long time now that works specifically well on them. Your best bet is to either combine both jumbled and long or implement a simple shift cipher, preferably an extended shift cipher. Shift Ciphers are one of the most simple Ciphers out there and are easy to implement and remember.

This is correct it's why using making a pass phrase is a good idea a very simple one would be "Iwork@ABC123" or "@werkW/*****s925" If you formulate a system in your mind of how you create your passwords it's easier for you to remember and very hard to break.

 

[jtveg]

Password input systems should not be susceptible to brute force attack methods, they never really are anyway. After 3 or 4 incorrect attempts you are locked out temporarily and after a couple more, the delay between retries increases exponentially or you are simply locked out completely.

The point of putting in letter substitutions, numbers or special characters is so that another human being can't randomly guess your password.

 

[jtveg]

Yes, the big hitters on the internet are STILL abiding by the stupid rules of including numbers and other symbols to be 'more secure' or we don't sign you up!

They've not caught on that having to move to another keyboard several times when entering a password on a touch screen mobile device is a real chore. And people just vote with their feet and use a more friendly service instead of theirs.

You don't have the number row always visible on your mobile QWERTY keyboard?

http://i1-news.softpedia-static.com...ak-App-Enhances-iPhone-Virtual-Keyboard-2.png

 

[Ascaris]

Second, I'm not sure what you mean about the link not providing any evidence that the 8-16 character passwords seldom end up being random. The link points directly to Rob's article on the most commonly used passwords. The top ten most common passwords are anything but random characters, not to mention the fact that since they are common they by definition cannot be random. I'm not sure you read that sentence right, or is there a typo I can't see?

That is what I am saying too; the passwords in the most-common list were clearly not attempts at creating random passwords at all. When you wrote, "Instead of a string of eight to 16 random characters, which never end up being random," it was specified directly that we were speaking of "a string of eight to 16 random characters." "Password" or "11111111" are not strings of random characters by anyone's estimation, so the rest of the sentence doesn't appear to apply to them.

After seeing that statement about random passwords that end up not being random, I was interested in knowing how that would be, or even how it could be asserted that the level of entropy was somehow less than expected-- perhaps people are making up what they believe to be random strings from their minds, but the "random" characters actually follow a predictable pattern? Or maybe the RNG simulation algorithm(s) in common use generate more predictable output than expected, since they are not truly random. How else could a "random string of eight to 16 characters" end up not actually being random?

I see what you intended now, but I thought you were writing of a failure of randomness to be truly random, not of people disregarding password suggestions. As a person who does use unique random passwords, the idea that they were not as random as I had been led to believe caught my eye.

As for people who use passwords like "11111111"... Such people are not in a security mindset, and they tend to view computers as tools to get a job done, like a hammer for a carpenter... and no one worries about the security of a hammer. It's just a tool, right?

 

[Cal Jeffrey]

I see what you intended now, but I thought you were writing of a failure of randomness to be truly random, not of people disregarding password suggestions. As a person who does use unique random passwords, the idea that they were not as random as I had been led to believe caught my eye.

HAHA. I see where you are coming from now. For a minute I seriously thought your were reading a different article. lol But no. I was indeed referring to people's inability or unwillingness to create passwords that are random strings (I was not referring to RNGs at all). I was using Rob's article as a case in point, e.g., "People are lazy and don't use random passwords: See here? Look at the most common passwords (non-random)." It's clear once your mind is looking at it from the other perspective.