NIST Unveils Major Overhaul of Global Password Security Standards
In an interview published by the Wall Street Journal (WSJ), Bill Burr, the 72-year-old retired former manager at the National Institute of Standards and Technology (NIST) discussed the document he created that ultimately served as the standard by which most major enterprises set their password protocols.
The eight-page document, NIST Special Publication 800-63. Appendix A, included such tips as changing passwords every 90 days, and requiring particular combinations of lowercase and uppercase letters, numbers, and special characters.
WSJ calls it “a sort of Hammurabi Code” for password creation, with the piece noting that humans spend more than 1,300 years per day, cumulatively, on the mere act of typing in passwords.
In the new security guidance, “long, easy-to-remember phrases now get the nod over crazy characters, and users should be forced to change passwords only if there is a sign they may have been stolen.”
The new rules are based on studies that indicate “using a series of four words can be harder for hackers to crack than a shorter hodgepodge of strange characters—since having a large number of letters makes things harder than a smaller number of letters, characters and numbers,” referencing a relevant post from the popular webcomic XKCD:
The rules Burr drafted inadvertently “spawned a generation of widely used and goofy looking passwords such as Pa$$w0rd or Monkey1!” the frequency of which, across the wider population, made passwords easier to guess, not more difficult.
Though Burr says he now regrets much of what he proposed in the 2003 document, and Paul Grassi – the leader of the process to create the new standards – conceded that the team “ended up starting from scratch,” Grassi suggests Burr should not be so critical of the standards he helped formulate.
“He wrote a security document that held up for 10 to 15 years. I only hope to be able to have a document hold up that long.”
Posted in General News