The Man Who Wrote the Password Rules Regrets Doing So

New submitter cdreimer writes: According to a report in The Wall Street Journal (Warning: source may be paywalled, alternative source), the author behind the U.S. government's password requirements regrets wasting our time on changing passwords so often. From the report: "The man who wrote the book on password management has a confession to make: He blew it. Back in 2003, as a midlevel manager at the National Institute of Standards and Technology, Bill Burr was the author of 'NIST Special Publication 800-63. Appendix A.' The 8-page primer advised people to protect their accounts by inventing awkward new words rife with obscure characters, capital letters and numbers -- and to change them regularly. The document became a sort of Hammurabi Code of passwords, the go-to guide for federal agencies, universities and large companies looking for a set of password-setting rules to follow. The problem is the advice ended up largely incorrect, Mr. Burr says. Change your password every 90 days? Most people make minor changes that are easy to guess, he laments. Changing Pa55word!1 to Pa55word!2 doesn't keep the hackers at bay. Also off the mark: demanding a letter, number, uppercase letter and special character such as an exclamation point or question mark -- a finger-twisting requirement." "Much of what I did I now regret," Bill Burr told The Wall Street Journal. "In the end, [the list of guidelines] was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree."

Cool of him.

[captaindomon]

I have to say that's really cool of him to come out and say that. Awesome for somebody to be able to admit they are wrong, as we are all wrong at different times. Way to go!

Re: Cool of him.

[Anonymous Coward]

"I was wrong" is one of the most powerful things you can say. Many find it very difficult, but it becomes easier with practice. The people who would have the largest positive impact on the world by saying this are politicians, but sadly they are also among the least likely to be able to say it.

Re: Cool of him.

[JohnFen]

Oh, hell, I'm wrong several times every day. Just like nearly 100% of the human population. I do often marvel, though, at how rare it is to hear someone face up to it.

Finding out that you're wrong is a moment to celebrate, not something to be embarrassed by. It marks a moment when you've become just a little less ignorant about something.

As the old saying goes, I've never learned anything from being right.

Re: Cool of him.

[ShanghaiBill]

In America, if you admit to making a mistake, your statement may be used against you in a lawsuit. It is best to consult with an attorney before making any admission.

Re:

[LunaticTippy]

I think you're misguided here. Most people will never be sued, so they are free to admit mistakes without repercussion. Then there are people who are never ever wrong who get sued constantly, many thousands of times. There is a certain President who comes to mind.

Re:

[tlhIngan]

Most people will never be sued, so they are free to admit mistakes without repercussion.

One of the problems is the blame game. It used to be standard that if something went wrong, someone needs to be blamed for it. Said person is usually fired or reprimanded,

Of course, current methodology is far less blame and more how to fix it and prevent it from happening again.

Re:

[Solandri]

That's actually the point of the "what's your biggest weakness?" and "describe your greatest failure and how you overcame it" job interview questions. Interview guides treat it as a way to demonstrate how you overcome setbacks. But the real point is to test your honesty. A dishonest applicant will claim they don't have a weakness, or that they've never made a mistake. (I just wish more people knew this so they could apply it to politicians.)

As the old saying goes, I've never learned anything from being

Re:

[F.Ultra]

That is because as a politician the public will never reward you for admitting that you where wrong, it will only be used by the opposition as a proof that you are always wrong.

Re:

[Wootery]

Reminds me of a line from The Mythical Man Month.

It is a very humbling experience to make a multimillion-dollar mistake, but it is also very memorable.

Re:

[decep]

I am not really disagreeing with you, but I do not think he was wrong. I mean, he is wrong *now*, but he was not wrong for 2003. Password security was atrocious in the late 90s.

Perhaps Bill Burr's password rules were more of an over-correction due to the piss-poor password management of the era.

Re:Cool of him.

[93 Escort Wagon]

The real problem is that, in 2017, so many web sites and institutions are still forcing users to comply with the exact same set of 2003-era rules.

Re: Cool of him.

[Anonymous Coward]

The rules are kind of a good idea. At least they eliminate all the passwords that would fall to a brute force attack in under 5 minutes. This ensures an attacker must spend more than 5 minutes breaking in. The catch? Nobody is watching and you have literally years to keep guessing.
The problem is not password rules, the problem is there is no active security team looking over things anymore. It's all been "automated" except it hasn't...they just act like it has.

Re:

[kwbauer]

Because they aren't reading the current NIST recommendations. That is not the fault of NIST or Bill Burr. if we are going to say that something cannot have been good in its time because some people refuse to move beyond that, then we are in for a world of pain because we will do nothing more than enforce the status quo.

Re:

[AmiMoJo]

We seem to have a de-facto standard .js library for everything, except the most important security stuff like password validation and storage.

Re:

[F.Ultra]

Well his rules that you should rotate your password was wrong both then and now.

Re:Cool of him.

[ozduo]

I thought I was wrong once, but then I realised I was mistaken.

Re:

[pubwvj]

Fortunately a lot of banks and other web sites are now catching on to the fact that changing passwords all the time and making them so obscure is not helping with security and IS massively blowing up customer service costs as well as frustrating customers unnecessarily. There was a time when all my banks and lots of other institutions forced me to change my password every month or few months. There isn't a single one that requires that anymore.

Better yet is that Apple's Safari, MacOS, iOS and probably Windo

Re:

[Applehu Akbar]

But more constructive than just admitting being wrong would be to indicate how to put things right. Allow people to use phrasal passwords, for one, and cooperate with the randomized generators offered by password management apps, and users will be encouraged to use better passwords.

Re:

[jellomizer]

The problem is when other people take the things that you did wrong in the past to prevent you from contributing your new idea, which may be right.

While progress is made from making mistakes learning from these mistakes and make a better plan. Our culture is looking for Mr. Perfect who makes no mistakes, who will come to save the day.

This is like a congressman making a bill, and states this bill if effective should meet these criteria to be consider a success, if it doesn't meet the criteria or has some pr

At least he can admit it

[Anonymous Coward]

My university recently instituted this retarded system that we have to change every 90 days.
And they remember the last 5 or so hashes (one can only hope they don't remember the actual password), so you can't even switch back and forth.
Absolute bullshit.
I remember my dad just changed his every month and he just had MMYY at the end of every password.

Re:At least he can admit it

[zippthorne]

Exactly. It's not difficult to get passwords wrong, even Bruce Schneier is wrong about passwords - see his criticism [schneier.com] of the XKCD method [xkcd.com]:

Re:

[KeithIrwin]

By and large, though, the exact technique outlined in xkcd doesn't work. It's not enough bits of entropy. It's better than the approach it's comparing to, but the assumption of 1000 password guesses per second is not accurate for offline cracking, which is what we're worried about. A good password cracking rig can crack 100 billion passwords per second if they're encrypted using something like NTLM (which many Windows networks use in addition to their primary hash for backwards compatibility) or md5 or t

Sigh.

[ledow]

LONG PASSWORDS.

The exponent of the equation (alphabet_size)^(length of password) matters MUCH more than the mantissa.

Put another character on the end of an alphanumeric password and you're doing more than selecting even the weirdest of keyboard-typeable symbols.

And the change-your-password-every-X-days was always junk and just provide a route for social engineering of the password reset process on a pre-determined schedule. If your password hasn't been compromised in a reasonable time, it's not going to be compromised. If your system LETS you try trillions of passwords, it's game over whether you change every week or not.

Re:

[Thad Boyd]

As far as I've observed in Android, autocomplete doesn't work on password prompts. This is one of those things that seems like a good idea but isn't, because it discourages passphrases made up of common English words.

Now, some autocomplete features -- like training the keyboard to predict the next word based on commonly-used combinations -- shouldn't work in password prompts, obviously. But just being able to predict a common word based on the first couple of characters (or swiping) should.

Re:Sigh.

[vux984]

The exponent of the equation (alphabet_size)^(length of password) matters MUCH more than the mantissa.

Quite so.

Put another character on the end of an alphanumeric password and you're doing more than selecting even the weirdest of keyboard-typeable symbols.

Sort of. Except averagte people aren't choosing random alphanuemeric passwords and adding a letter. They are choosing from common dictionary words; usually from lists of 2000 to 60,000 at best.
puzzle and dynamite are equally good (equally poor) passwords. dynamite isn't length 2 longer than puzzle. Both are length 1 from an alphabet of 2000 common dictionary words.

And the change-your-password-every-X-days was always junk and just provide a route for social engineering of the password reset process on a pre-determined schedule.

Not changing your password every X days is also junk and leads to that one time you gave it to your assistant in 2003 because you were home sick still being valid and he still can login and check your messages even though your the VP of operations now and he's working with a competitor.

If your password hasn't been compromised in a reasonable time, it's not going to be compromised.

And if it has ever been compromised, then it stays compromised. That's not good either.

, it's game over whether you change every week or not.

It does keep your ex-assistant from 10 years ago out of your email though.

Re:Sigh.

[Falos]

puzzle and dynamite are equally good (equally poor) passwords. dynamite isn't length 2 longer than puzzle. Both are length 1 from an alphabet of 2000 common dictionary words.

This. correcthorsebatterystaple is a four-letter password in a bigger alphabet* without mods. Most of which offer little resilience gains for their complexity tax.

superman is a weak password
Sup3rm@n is equally weak, fuck your fucking retarded website
so0p!$erm^an is strong but has too much complexity tax

More recall tax means its going to be 1) reused more [the true pox] 2) forgotten more 2) changed less often 4) more likely to be written down, under keyboards, notecard, stickies. Mental recall is only good for N passwords with Z complexity, even less if you have to start all over again at F frequency.

rrrybgdts is a nursery rhyme. I will always advocate for passphrases. Does your child like spongebob and Bob the Builder? Don't use his birthday; wliapcwfi will never be in the tables. I find this to be the best resilience-complexity tradeoff possible.

*yes, I know, it's still resilient by being at the fourth power, but it's more abstract than phrases and more complexity tax = more bad practice. Get over the length hype, cracker tables don't give a fuck, no one brute forces past ~6 = wasted fucking lesson.

Re:

[Antique Geekmeister]

In reality, the mixed case and punctuation is more difficult to crack, according to experience with the old "crack" tool published by Alec Moffett in 1991. It did very well against single word passwords based on a dictionary attack. It had far more difficulty with multiple obscuring techniques applied against even a single word.

I'm afraid that similar vulnerabilities exist against even lengthy passphrases if the word or phrase is too common. The passphrase "correcthorsebatterystaple" is now vulnerable becau

Re:

[vux984]

In reality, the mixed case and punctuation is more difficult to crack

Agreed much more difficult. Which is expected. 10,000 common words is a blink of an eye. 10,000 common words with a number and punctionation mark at the end is in that order (first a digit, then a punctionation mark) is closer to 1,000,000 possibilities. If you allow for the punctionation mark to come first, or either or both to be at the beginning of the word... it jumps to 16 million or so variations. if the first letter is capitalized that's 32 million, if any letter is capitalized ... if multiple letter

Re:

[aberglas]

Nonsense.

Most people just put 1! at the end. And start with a captial letter.

Long passwords are better.

The reason for the rules, I've always assumed, is that many early systems did not accept more than 8 characters for a password, or silently truncated. I think early Unix did the latter. So long passwords were not possible.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[AmiMoJo]

We focus too much on coming up with strong passwords, when we should really be focusing on what the actual threats to those passwords are.

For online services the biggest danger is that someone will steal the password database and crack the password hashes, assuming they even are hashed. The best defence is therefore to use a long, random password and keep it in a password manager. It's also fine to let your browser remember it for you, if your computer is reasonably secure.

Now you only need to remember a co

Re:Sigh.

[ledow]

STOP PASSWORD SHARING.

If you need your assistant to see your email, adjust the permissions so he can.

And remove them when you're done. Or they are automatically removed when he's sacked and the account is disabled.

Password sharing is the dumbest way to give someone access. And a disciplinary offence in most places because it's counter to the data protection act.

Re:Sigh.

[0100010001010011]

These annoying password rules are what prevent me from just using a hash as my password.

echo -n $SALT+$USERNAME+$URL | sha256sum makes some great long passwords.

Good brute force defense. Easy to remember and could be generated by hand if necessary.

Plus when a site gets hacked or stores passwords plain text my password is useless elsewhere.

Re:

[Gunstick]

make it base64

echo -n $SALT+$USERNAME+$URL | openssl dgst -sha256 -binary | openssl enc -base64

upper, lower, numbers, special (the = sign), long

Not entirely correct.

[piojo]

The exponent of the equation (alphabet_size)^(length of password) matters MUCH more than the mantissa.

I only checked for 6-8 digit passwords, but having upper case letters allows far more different combinations than adding an extra character. You're correct if you consider the small-alphabet version to already have upper and lower case letters--in that case, adding an extra character gives more possibilities than allowing ASCII special characters.

Re:

[ledow]

You mean, the 6-8 digit passwords that are basically useless? Exactly my point.

256^6 = 281 trillion combinations (i.e. Full ASCII, including unprintables / untypeables, but only 6 characters long, so basically the best 6 character password ever).

62^9 = 13,000 trillion combinations (i.e. upper and lower case letters, plus digits, but 9 characters long, orders of magnitude better, and not touching anything approaching a symbol).

Guess which one is easier to type, easier to remember, more acceptable in a passw

Obligatory XKCD

[jcochran]

Those who require passwords really ought to take a look at it.

https://xkcd.com/936/ [xkcd.com]

Re:

[freeze128]

...and *NOT* implement that scheme! Hackers are already using 4-word dictionary attacks. (They read xkcd as well.)

Re:

[Dagger2]

Why is this a reason not to do it? The entropy argument in the comic is already done with the assumption of full knowledge of the pattern.

Re:

[Biogoly]

Dictionary based passwords such as correcthorsebatterystaple (chbs) are definitely along the right track...however, XKCD actually gets it wrong here. If you disregard web-based attack and are just talking hash-cracking, chbs is actually a trivially easy password to crack...even with hashes much slower than MD5 (but not bcrypt slow). All four words in chbs are found in the wiki top 10k words lists...so if you utilize a dictionary combination attack and set for four words, it would take a maximum of 10000^4

Re:

[sexconker]

A standard US keyboard has 96 symbols on it. A lot of systems won't let you use space or tab, or a handful of other characters for some reason. Call it 90.

An 11-character random password using a 90-character alphabet beats out a 4-word password from a dictionary of 170,000 words.
The 170,000 word dictionary scheme has the additional problems of many passwords being identical (the meat sucks hit | them eat suck shit) and many of the passwords being too long to be used (a shitty limitation, yes, but a real one

Re:

[fnj]

But nobody could memorize 11 random characters, while anyone can easily memorize 4 random words. So the comparison is unfair. To be fair you have to compare 11 random characters with 11 random words, or 4 random characters with 4 random words.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[jordanjay29]

None of the people making these decisions were technicians, of course.

When are they ever?

Crock of Sh*#!

[s.petry]

This egomaniac isn't responsible, password rules meeting or exceeding his claim go back at least two decades for Commercial companies, and longer for "Government" (especially DOD). I have a policy from 1995 that I wrote for the company I worked for at the time.

Password enforcement was a constant problem 20-30 years ago, but we all had policies.

The short duration of a password was not some arbitrary number based on "mah ego", it was based on a majority of systems which could not handle a password longer than 8 characters.

I didn't invent the password policy, but by this claim I sure as hell could.

Oh, and password policies are as important today as they were back then. Go ahead and claim your fingerprints [sciencefriday.com] are fool proof!

Re:

[geekmux]

This egomaniac isn't responsible, password rules meeting or exceeding his claim go back at least two decades for Commercial companies, and longer for "Government" (especially DOD). I have a policy from 1995 that I wrote for the company I worked for at the time...

Like you, I've been doing this for a very long time now (decades).

The average person (user) is stupid and ignorant.

Intelligent people have known this for centuries. No one alive can take "credit" for that discovery, but it's not exactly a falsehood for the author of a NIST standard to come forth and apologize for making that assumption.

"Oh, and password policies are as important today as they were back then."

I've worked with the stupid and ignorant for a very long time. The ones that still refuse to back up their systems after the third hard drive failure. The ones that st

Re:

[s.petry]

No, you are missing the point! This type of claim and person frustrate and infuriate me for the same reason Al Gore and his claim to Internet creation frustrate and infuriate me. NIST did not invent password policies, they adopted INDUSTRY STANDARDS developed by the Community long after the community did all the work. In fact, I'd be willing to bet that if you search the Slashdot archives, you would find discussion on NIST _finally_ adopting standards. Just like the Internet was the advent of numerous c

1 letter change

[irrational_design]

My work requires us to change our passwords every 90 days. I've had the same password for the last 15 years with the exception of one letter of the alphabet that goes from a to b to c... I'm on letter g right now. I've rotated through the alphabet a number of times and still get a thrill when I rotate from z back to a.

Re:1 letter change

[93 Escort Wagon]

Here is your current password: Pzssw0rd1

(Don't worry - while you'll see your password in plain text there, all the other Slashdotters will see a string of asterisks like this: *********)

Re:

[93 Escort Wagon]

That's weird. I'm seeing hunter2 on my screen instead of asterisks.

That's because "hunter2" is your password.

People who are logged in will see their own password; those who are not logged in will see only asterisks. Sorry that I didn't adequately explain that.

Re:

[jcochran]

I could easily imagine a system that does this...
1. Maintain the hash of the previous N passwords (say N > 5)
2. Require all the BS rules of number of character classes, length, etc.
3. Require that the new password have a Levenshtein distance > X from your previous password (With X being a significant fraction of the password length and it would know your previous password since you'd need to enter it to verify your identity before setting your new password).

But frankly, it would still be weaker than s

Re:

[sexconker]

"It" is being passed your current password when logging in. "It" can choose to do whatever it wants to with it, including broadcast it to the world.
If "it" wants to keep it unhashed in memory for a while to make sure you don't do something stupid when choosing a new password, "it" certainly can.

Re:

[whoever57]

At a former employer, we were required to change our passwords every 90 days. You could not define your own password, instead, only select one from a list presented to you, but....

Each system (IBM mainframe) had its own copy of your password. You could push your password from one system to the others.

I found that the generation of new password choices was not remotely random and that, by changing my password, pushing it out to other systems, then logging onto a remote system and going to the password change

Re:

[jordanjay29]

Selecting from a pre-determined list of passwords sounds like a security nightmare.

Re:

[Antique Geekmeister]

I've seen the like. It was implemented so that managers could see the work, and the email, of their personnel.

Re:

[whoever57]

I suspect that the list was pseudo-random, with using a seed that was based on the current password. Someone probably thought that if they used the current password to generate new passwords, that would ensure that the new password was different. The passwords were only 4 characters. This was decades ago.

I am not sure that my description of the hack is entirely accurate.

Re:

[roc97007]

One place I worked, for some bizarre reason we all had to set our passwords in RACF and they'd be somehow propagated from there to Windows and Unix boxes. (This was probably early to mid nineties.) It was company policy. There had to be letters and numbers and one capital letter and it had to be changed every 30 days. Yes, not 90, 30. Someone figured out that Jan1993, Feb1993, Mar1993, Apr1993 and so forth met the monthly requirements, the password rules, and never repeated.

So we all started using that

Re:

[jcochran]

I would be really really worried if they had a requirement that your new password not being too similar to the previous 4 passwords. Reason is quite simple, in order to do that, they would need to actually store your previous passwords such that the plain text is retrievable. Not just the salted hashes of your previous passwords. But then again, I have see a system that actually did store your password in plain text ... IBM VM/CMS. The "directory" that assigned mini-disks to each account and the account pas

Re:

[jordanjay29]

It could also depend on the hash function, if similar combinations produced the same hash then it would be easy enough to determine similarity. Plus you can do other things like saving statistics about the password before hashing it and losing the plain version forever, like recording length, counting characters and types, etc. Compare that to the new password and look for similarities. It may mean a few more false positives, but if the password guidelines you're enforcing are absolutely strict about no pas

Re:

[kwbauer]

What only 2 strikes? Does the AC want to try for a third. I just don't see how having deep feelings for another human being is considered bad. Nor why working for the same company for a long time is bad as long as the company is doing something you believe to be worthwhile and you enjoy the work. It isn't like most tech jobs are as repetitive as putting windshields in cars on the assembly line. To the extent that they are repetitive, that won't change from one company to the next. The only difference would

Re:

[irrational_design]

Why? I have an amazing boss, terrific benefits, great coworkers, tons of vacation time, I can show up and leave whenever I want, I can work out for 2 hours during the work day at one of the on-campus gyms (I typically show up at 9, work out from 11:30 to 1:30, then go home at around 5), enjoy my work, have top of the line hardware and can purchase anything else I need, and they pay me a hefty six figure salary. I seriously can't find any downsides to this job that would cause me to ever leave unless forced

He deserves to go to Hell!

[tinkerton]

Where there is weeping, and gnashing of teeth. Also they use his system of passwords, the wifi signal is always just out of reach and the coffee is made in percolators that go on forever.

Not clearly stating password requirements UP FRONT

[Traf-O-Data-Hater]

My pet annoyance are those sites that do not clearly state what their particular requirement is, clearly, up front. So it only tells you after you've entered something you think may be acceptable, and you've then lost that train of thought and are forced to figure out something new.

Re:

[GodfatherofSoul]

I'm more annoyed when sites require passwords that aren't in line with the kind of data they're holding. I don't want to have to remember a banking-safe password when I'm trying to log into a fart jokes website.

Re:

[sconeu]

Another one along the same lines is needing to come up with a password when you don't need one.

If I'm making a one-shot purchase from your website, there is NO F*CKING NEED FOR ME TO OPEN AN ACCOUNT!!! Why are you forcing me to create an account?

Re:

[Green Salad]

Those of us interested in tracking every detail of your single-purchase behaviors...then selling that info to another entity...strongly disagree that there isn't a need to force you to voluntarily register and create an account. Despite your tone indicating that you disagree with this practice, our records clearly show you clicked "I agree."

Re:

[nukenerd]

If I'm making a one-shot purchase from your website, there is NO F*CKING NEED FOR ME TO OPEN AN ACCOUNT!!!

Insensitive clod! Don't you realise that people like you are destroying the internet!

Re:

[kwbauer]

I would be more embarrassed if somebody could prove I had an account on a fart jokes site than if they stole money from my checking account.

Re:

[El Cubano]

Yet more annoying is sites that prevent you from Control-V paste or middle-click paste. Come on! I want to be able to generate a 32 or 64 character gobbledygook password in KeePass and just paste it in there.

Some sites screw it up and prevent either Control-V or middle-click, but not both. But those are rare. Seriously, web developers, it doesn't help anybody to prevent pasting into a password field.

The worst was one financial-related site that I had to use that not only did not allow you paste into the

Re:

[Thad Boyd]

Algorithms for determining password strength are uniformly terrible, too. I once set up an account in Plesk and it rejected K"Nb\:uO` as too weak but accepted P@55w0rd without complaint.

Re:

[F.Ultra]

Or sites where they accept an unlimited length in the setup but silently truncates to some arbitrary length and then when on the login page they accept an unlimited length again but this time compares your entered password with the truncated one and you get a mismatch even with copy+paste. Have stumbled on a few of those.

This is not news to many sysadmins

[chispito]

This is not a news to many sysadmins. Some of our managers even get it as well.

None of that matters in the face of regulatory compliance.

Bill Burr...

[zm]

...also suggested using cruise ships for population control.

Pa55word!1

[dohzer]

Ladies and gentlemen, I think I've found my new password!

Re:

[nukenerd]

Ladies and gentlemen, I think I've found my new password!

But that's mine.

Stop Apologizing

[geekmux]

""In the end, [the list of guidelines] was probably too complicated for a lot of folks to understand very well...

In other words, he did what a lot of us have done; assumed people were actually smart.

He should stop apologizing; intelligent people have been doing that for centuries.

Finally

[markdavis]

I have had to fight our auditors every year for decades about stupid password ageing rules. I refused to implement them and said it would LOWER security while simultaneously pissing off users and lowering productivity. Each year I added more references to articles from people who agreed with me, just in case.

Maybe now they will finally believe me?

It's regulations, not the auditor bot

[Bruce66423]

I think you will find that auditors are measuring compliance with an externally set standard, not affirming that you are doing the wise thing. So you're shooting the messenger, which is seldom productive.

measuring policy complexity

[roc97007]

I strongly suspect that one way to measure how onerous the password policy is in a particular environment is to go through the office flipping up keyboards. The metric would be as a percentage of yellow stickies with passwords stuck underneath. You could weight the metric by the size of the penalty for writing down your password.

Re:

[sims 2]

Ours are on a sticky note stuck to the monitor.

I've read this before

[filesiteguy]

As it is, I have the stupid policy at work. I simply change my password from ******** to ******** and everything is good.

How About an Update!?!?

[LeftCoastThinker]

soooooo..... update the damn thing and go on the 8pm news and get the word out that those rules and the stated schedule for changing passwords are both BS and give some reasonable guidelines (like 4 random words strung together) along with having the industry standard of an exponentially longer timeout after 3 wrong guesses (or just locking the account and/or blocking the IP address (or range) the bogus attempts were coming from, depending on your need for security)... and a million other better solutions t

Bill Burr?

[blind biker]

HIs password policies suck. No wonder he changed careers. [youtube.com]

Symbols not such a bad idea

[Khyber]

Increasing your character set makes it harder to run brute force attacks and even randomly guess a password, even when the increase in character count is fully known.

Changing every 90 days was a bitch, though, agreed.

In the very olden days

[slickwillie]

I managed to get the root password on a Unix system to include a backspace. Then the login program wouldn't take it.

There is a special place in Hell for him.

[nsaspook]

The password hell is where he belongs. Always one more complex password for that ice cold drop of water.

A good password

[Murdoch5]

64 characters, symbols, letters, numbers, capitals and lower case. Change them at least once a month, never use the same password twice and use random generation as much as possible. If you can, you don't just use a password, use at least 2FA, if not MFA (I have servers with 4FA+ on them.

Re:

[4wdloop]

And how do you remember 64 characters, symbols, letters, numbers, capitals and lower case passwords?

You have a password generation system, don't you?

Re:

[swilver]

That's just not good enough.

A decent system just generates your password and gives you 30 seconds to remember it. How you can trust people to think of their own 64 character password is beyond me.

Password incentives

[ai4px]

We are all guilty of using P@assword1, P@ssword2, etc.... but I can't keep committing a complex password to memory every 90 days. So here's the deal... let the user decide. Users are free to pick simple passwords and the system will decide to make them change those passwords every 90 days. If the user picks a complex password they won't have to change it again. My bet is that the users will come up with a /great/ complex password ONCE.

Reject new PW if too similar?

[WoodstockJeff]

5 years ago, our client insisted that we implement this sort of mischief on one site, with a 30-day change rule. One of the requirements was to check that the new password was not previously used or too similar to a previously-used PW.

"How does that work when you also tell us we cannot save the PW in plain text?"

To their credit, they admitted that it wasn't possible to comply with all the rules. But they have not yet relented on the 30 day change rule.

Which bit them big time during one of their security sweeps - the PW for the scanner's account "expired" part way through the testing. The subsequent lock-out for excessive failed login attempts was then interpreted as "server becomes unresponsive if excessive characters are injected at login." (we'll accept up to 32MB for passwords)

Re:Reject new PW if too similar?

[F.Ultra]

So they never saw any problems with "check that the new password was not previously used or too similar to a previously-used PW" besides the non plain text storage? Best solution would of course to go one step further:

"You have entered the password "sdfsdfwefjsfj", unfortunately this is already used by user "charlie23" so please choose a different one".

Re:

[Pseudonym]

And checking that it's not too similar to the most recent password is straightforward, since most "change password" interfaces ask for the most recent password at the same time.

Re:

[Anonymous Coward]

So it's easy! You must change password every 30 days, and to do so, you must type your previous 19 passwords.

Re:Reject new PW if too similar?

[flink]

Couldn't you just encrypt the plain text password history using a key derived from the current password? Then when attempting to change the password, you use the old password to decrypt the list and compare the desired new password to the history file using whatever likeness algorithm you like. If the new password turns out to be acceptable, re-encrypt the history using a new PBK based on the new password.

Re:

[tap]

Apply a password fuzzing algorithm to the new password. For instance, decrement the final character of the password. If their new password is "Password2", then hash "Password1" and see if it matches an old password. There's probably a tool somewhere used by hackers that attempts to guess new passwords from old passwords. Copy that fuzzing algorithm so any new password that 3litesec PWGuesser ScriptKiddie Pr0 will come up is checked for similarity and rejected.

Re:

[kwbauer]

Which means that you work system is storing your password in a recoverable form which is an even worse situation than having meaningless complex rules about what a password can look like.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[arth1]

Seriously, he expected people to remember complicated passwords and then change those complicated passwords every 3 months... Forget that.

He also didn't understand that by imposing and publishing requirements, he made life a lot easier for crackers. If you know a password has to contain at least two lower case letters, one upper case letters, one digit and one symbol, you have reduced the possible passwords you have to check to a tiny fraction of the original. A password that could take years to crack suddenly falls within days or hours because the requirements have reduced the number of combinations significantly.