
The Man Who Wrote the Password Rules Regrets Doing So (gizmodo.com)

New submitter cdreimer writes: According to a report in The Wall Street Journal (Warning: source may be paywalled, alternative source), the author behind the U.S. government's password requirements regrets wasting our time on changing passwords so often. From the report: "The man who wrote the book on password management has a confession to make: He blew it. Back in 2003, as a midlevel manager at the National Institute of Standards and Technology, Bill Burr was the author of 'NIST Special Publication 800-63. Appendix A.' The 8-page primer advised people to protect their accounts by inventing awkward new words rife with obscure characters, capital letters and numbers -- and to change them regularly. The document became a sort of Hammurabi Code of passwords, the go-to guide for federal agencies, universities and large companies looking for a set of password-setting rules to follow. The problem is the advice ended up largely incorrect, Mr. Burr says. Change your password every 90 days? Most people make minor changes that are easy to guess, he laments. Changing Pa55word!1 to Pa55word!2 doesn't keep the hackers at bay. Also off the mark: demanding a letter, number, uppercase letter and special character such as an exclamation point or question mark -- a finger-twisting requirement." "Much of what I did I now regret," Bill Burr told The Wall Street Journal. "In the end, [the list of guidelines] was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree."
  • Cool of him. (Score:5, Insightful)

    by captaindomon ( 870655 ) on Tuesday August 08, 2017 @06:14PM (#54969459)
    I have to say that's really cool of him to come out and say that. Awesome for somebody to be able to admit they are wrong, as we are all wrong at different times. Way to go!
    • Re: Cool of him. (Score:5, Insightful)

      by Anonymous Coward on Tuesday August 08, 2017 @06:22PM (#54969519)

      "I was wrong" is one of the most powerful things you can say. Many find it very difficult, but it becomes easier with practice. The people who would have the largest positive impact on the world by saying this are politicians, but sadly they are also among the least likely to be able to say it.

      • Re: Cool of him. (Score:5, Insightful)

        by JohnFen ( 1641097 ) on Tuesday August 08, 2017 @06:28PM (#54969575)

        Oh, hell, I'm wrong several times every day. Just like nearly 100% of the human population. I do often marvel, though, at how rare it is to hear someone face up to it.

        Finding out that you're wrong is a moment to celebrate, not something to be embarrassed by. It marks a moment when you've become just a little less ignorant about something.

        As the old saying goes, I've never learned anything from being right.

        • Re: Cool of him. (Score:5, Interesting)

          by ShanghaiBill ( 739463 ) on Tuesday August 08, 2017 @06:52PM (#54969771)

          In America, if you admit to making a mistake, your statement may be used against you in a lawsuit. It is best to consult with an attorney before making any admission.

          • I think you're misguided here. Most people will never be sued, so they are free to admit mistakes without repercussion. Then there are people who are never ever wrong who get sued constantly, many thousands of times. There is a certain President who comes to mind.
            • by tlhIngan ( 30335 )

              Most people will never be sued, so they are free to admit mistakes without repercussion.

              One of the problems is the blame game. It used to be standard that if something went wrong, someone needs to be blamed for it. Said person is usually fired or reprimanded,

              Of course, current methodology is far less blame and more how to fix it and prevent it from happening again.

        • That's actually the point of the "what's your biggest weakness?" and "describe your greatest failure and how you overcame it" job interview questions. Interview guides treat it as a way to demonstrate how you overcome setbacks. But the real point is to test your honesty. A dishonest applicant will claim they don't have a weakness, or that they've never made a mistake. (I just wish more people knew this so they could apply it to politicians.)


      • That is because as a politician the public will never reward you for admitting that you were wrong; it will only be used by the opposition as proof that you are always wrong.
      • Reminds me of a line from The Mythical Man Month.

        It is a very humbling experience to make a multimillion-dollar mistake, but it is also very memorable.

    • by decep ( 137319 )

      I am not really disagreeing with you, but I do not think he was wrong. I mean, he is wrong *now*, but he was not wrong for 2003. Password security was atrocious in the late 90s.

      Perhaps Bill Burr's password rules were more of an over-correction due to the piss-poor password management of the era.

      • Re:Cool of him. (Score:5, Insightful)

        by 93 Escort Wagon ( 326346 ) on Tuesday August 08, 2017 @06:35PM (#54969635)

        The real problem is that, in 2017, so many web sites and institutions are still forcing users to comply with the exact same set of 2003-era rules.

        • Re: Cool of him. (Score:2, Insightful)

          by Anonymous Coward

          The rules are kind of a good idea. At least they eliminate all the passwords that would fall to a brute force attack in under 5 minutes. This ensures an attacker must spend more than 5 minutes breaking in. The catch? Nobody is watching and you have literally years to keep guessing.
          The problem is not password rules, the problem is there is no active security team looking over things anymore. It's all been "automated" except it hasn't...they just act like it has.

        • Because they aren't reading the current NIST recommendations. That is not the fault of NIST or Bill Burr. If we are going to say that something cannot have been good in its time because some people refuse to move beyond that, then we are in for a world of pain because we will do nothing more than enforce the status quo.

          • by AmiMoJo ( 196126 )

            We seem to have a de-facto standard .js library for everything, except the most important security stuff like password validation and storage.

      • Well, his rule that you should rotate your password was wrong both then and now.
    • by ozduo ( 2043408 ) on Tuesday August 08, 2017 @06:34PM (#54969631)
      I thought I was wrong once, but then I realised I was mistaken.
    • by pubwvj ( 1045960 )

      Fortunately a lot of banks and other web sites are now catching on to the fact that changing passwords all the time and making them so obscure is not helping with security and IS massively blowing up customer service costs as well as frustrating customers unnecessarily. There was a time when all my banks and lots of other institutions forced me to change my password every month or few months. There isn't a single one that requires that anymore.

      Better yet is that Apple's Safari, MacOS, iOS and probably Windo

    • But more constructive than just admitting being wrong would be to indicate how to put things right. Allow people to use phrasal passwords, for one, and cooperate with the randomized generators offered by password management apps, and users will be encouraged to use better passwords.

    • The problem is when other people take the things that you did wrong in the past to prevent you from contributing your new idea, which may be right.

      While progress is made by making mistakes, learning from them and making a better plan, our culture is looking for Mr. Perfect who makes no mistakes, who will come to save the day.

      This is like a congressman making a bill, and states this bill if effective should meet these criteria to be consider a success, if it doesn't meet the criteria or has some pr

  • by Anonymous Coward on Tuesday August 08, 2017 @06:19PM (#54969485)

    My university recently instituted this retarded system that we have to change every 90 days.
    And they remember the last 5 or so hashes (one can only hope they don't remember the actual password), so you can't even switch back and forth.
    Absolute bullshit.
    I remember my dad just changed his every month and he just had MMYY at the end of every password.

    • by zippthorne ( 748122 ) on Tuesday August 08, 2017 @09:28PM (#54970949) Journal

      Exactly. It's not difficult to get passwords wrong, even Bruce Schneier is wrong about passwords - see his criticism [schneier.com] of the XKCD method [xkcd.com]:

      • By and large, though, the exact technique outlined in xkcd doesn't work. It's not enough bits of entropy. It's better than the approach it's comparing to, but the assumption of 1000 password guesses per second is not accurate for offline cracking, which is what we're worried about. A good password cracking rig can crack 100 billion passwords per second if they're encrypted using something like NTLM (which many Windows networks use in addition to their primary hash for backwards compatibility) or md5 or t

  • Sigh. (Score:5, Interesting)

    by ledow ( 319597 ) on Tuesday August 08, 2017 @06:26PM (#54969557) Homepage

    LONG PASSWORDS.

    The exponent of the equation (alphabet_size)^(length of password) matters MUCH more than the mantissa.

    Put another character on the end of an alphanumeric password and you're doing more than selecting even the weirdest of keyboard-typeable symbols.

    And the change-your-password-every-X-days was always junk and just provided a route for social engineering of the password reset process on a pre-determined schedule. If your password hasn't been compromised in a reasonable time, it's not going to be compromised. If your system LETS you try trillions of passwords, it's game over whether you change every week or not.

    • As far as I've observed in Android, autocomplete doesn't work on password prompts. This is one of those things that seems like a good idea but isn't, because it discourages passphrases made up of common English words.

      Now, some autocomplete features -- like training the keyboard to predict the next word based on commonly-used combinations -- shouldn't work in password prompts, obviously. But just being able to predict a common word based on the first couple of characters (or swiping) should.

    • Re:Sigh. (Score:5, Interesting)

      by vux984 ( 928602 ) on Tuesday August 08, 2017 @07:38PM (#54970147)

      The exponent of the equation (alphabet_size)^(length of password) matters MUCH more than the mantissa.

      Quite so.

      Put another character on the end of an alphanumeric password and you're doing more than selecting even the weirdest of keyboard-typeable symbols.

      Sort of. Except average people aren't choosing random alphanumeric passwords and adding a letter. They are choosing from common dictionary words; usually from lists of 2000 to 60,000 at best.
      puzzle and dynamite are equally good (equally poor) passwords. dynamite isn't length 2 longer than puzzle. Both are length 1 from an alphabet of 2000 common dictionary words.

      And the change-your-password-every-X-days was always junk and just provided a route for social engineering of the password reset process on a pre-determined schedule.

      Not changing your password every X days is also junk and leads to that one time you gave it to your assistant in 2003 because you were home sick still being valid, and he can still log in and check your messages even though you're the VP of operations now and he's working with a competitor.

      If your password hasn't been compromised in a reasonable time, it's not going to be compromised.

      And if it has ever been compromised, then it stays compromised. That's not good either.

      , it's game over whether you change every week or not.

      It does keep your ex-assistant from 10 years ago out of your email though.

      • Re:Sigh. (Score:4, Interesting)

        by Falos ( 2905315 ) on Tuesday August 08, 2017 @08:41PM (#54970701)

        puzzle and dynamite are equally good (equally poor) passwords. dynamite isn't length 2 longer than puzzle. Both are length 1 from an alphabet of 2000 common dictionary words.

        This. correcthorsebatterystaple is a four-letter password in a bigger alphabet* without mods. Most of which offer little resilience gains for their complexity tax.

        superman is a weak password
        Sup3rm@n is equally weak, fuck your fucking retarded website
        so0p!$erm^an is strong but has too much complexity tax

        More recall tax means it's going to be 1) reused more [the true pox] 2) forgotten more 3) changed less often 4) more likely to be written down, under keyboards, notecard, stickies. Mental recall is only good for N passwords with Z complexity, even less if you have to start all over again at F frequency.

        rrrybgdts is a nursery rhyme. I will always advocate for passphrases. Does your child like spongebob and Bob the Builder? Don't use his birthday; wliapcwfi will never be in the tables. I find this to be the best resilience-complexity tradeoff possible.

        *yes, I know, it's still resilient by being at the fourth power, but it's more abstract than phrases and more complexity tax = more bad practice. Get over the length hype, cracker tables don't give a fuck, no one brute forces past ~6 = wasted fucking lesson.

        • In reality, the mixed case and punctuation is more difficult to crack, according to experience with the old "crack" tool published by Alec Moffett in 1991. It did very well against single word passwords based on a dictionary attack. It had far more difficulty with multiple obscuring techniques applied against even a single word.

          I'm afraid that similar vulnerabilities exist against even lengthy passphrases if the word or phrase is too common. The passphrase "correcthorsebatterystaple" is now vulnerable becau

          • by vux984 ( 928602 )

            In reality, the mixed case and punctuation is more difficult to crack

            Agreed, much more difficult. Which is expected. 10,000 common words is a blink of an eye. 10,000 common words with a number and punctuation mark at the end in that order (first a digit, then a punctuation mark) is closer to 1,000,000 possibilities. If you allow for the punctuation mark to come first, or either or both to be at the beginning of the word... it jumps to 16 million or so variations. If the first letter is capitalized that's 32 million, if any letter is capitalized ... if multiple letter

            • Nonsense.

              Most people just put 1! at the end. And start with a capital letter.

              Long passwords are better.

              The reason for the rules, I've always assumed, is that many early systems did not accept more than 8 characters for a password, or silently truncated. I think early Unix did the latter. So long passwords were not possible.

        • by houghi ( 78078 )

          Passwords and the changes are a technical solution to a social problem.

          The thing is that people treat these password suggestions as if there is only one username and one password. If that were the case, it would be a great idea. The thing is that we all have more than 1 login.

          Just looking at logins, I have several. If I was able to select them myself, they are mostly the same, but then there are the other ones that were given to me. So I need to remember what login or email address I used for what. I

        • by AmiMoJo ( 196126 )

          We focus too much on coming up with strong passwords, when we should really be focusing on what the actual threats to those passwords are.

          For online services the biggest danger is that someone will steal the password database and crack the password hashes, assuming they even are hashed. The best defence is therefore to use a long, random password and keep it in a password manager. It's also fine to let your browser remember it for you, if your computer is reasonably secure.

          Now you only need to remember a co

      • Re:Sigh. (Score:4, Insightful)

        by ledow ( 319597 ) on Wednesday August 09, 2017 @03:26AM (#54972279) Homepage

        STOP PASSWORD SHARING.

        If you need your assistant to see your email, adjust the permissions so he can.

        And remove them when you're done. Or they are automatically removed when he's sacked and the account is disabled.

        Password sharing is the dumbest way to give someone access. And a disciplinary offence in most places because it's counter to the data protection act.

    • Re:Sigh. (Score:5, Interesting)

      by 0100010001010011 ( 652467 ) on Tuesday August 08, 2017 @08:09PM (#54970419)

      These annoying password rules are what prevent me from just using a hash as my password.

      echo -n "$SALT+$USERNAME+$URL" | sha256sum | cut -d' ' -f1 makes some great long passwords.

      Good brute force defense. Easy to remember and could be generated by hand if necessary.

      Plus when a site gets hacked or stores passwords in plain text, my password is useless elsewhere.

      • make it base64

        echo -n "$SALT+$USERNAME+$URL" | openssl dgst -sha256 -binary | openssl enc -base64

        upper, lower, numbers, special (the = sign), long
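An added example, not the commenter's one-liner and not code from the article, of the same idea done the way a practitioner would build it: HMAC-SHA256 keyed by the master secret over length-framed fields instead of a '+'-joined string, a per-site counter so one site can be rotated after a breach without touching the others, and a deterministic fix-up so every derived password satisfies the upper/lower/digit/symbol rules the thread complains about. The field names, the symbol set and the 24-character default are assumptions.

```python
import base64
import hashlib
import hmac
import string

# Assumed character sets; a real tool would take each site's allowed symbols as input.
UPPER, LOWER, DIGITS = string.ascii_uppercase, string.ascii_lowercase, string.digits
SYMBOLS = "!@#$%^&*"


def _frame(*fields: str) -> bytes:
    """Length-prefix every field.

    Joining with '+' as in the shell one-liner is ambiguous: username "a+b" at site "c"
    and username "a" at site "b+c" produce the same string. Framing removes that.
    """
    out = b""
    for f in fields:
        data = f.encode("utf-8")
        out += len(data).to_bytes(4, "big") + data
    return out


def site_password(master: str, username: str, site: str, counter: int = 0, length: int = 24) -> str:
    """Derive a per-site password as HMAC-SHA256(master, frame(username, site, counter)).

    HMAC keeps the master secret in the key slot rather than concatenating it with
    attacker-visible fields. `counter` lets one site's password be rotated after a
    breach without changing the master or any other site's password.
    """
    if not 8 <= length <= 47:
        raise ValueError("length must be between 8 and 47 (43 base64 chars + 4 forced)")
    digest = hmac.new(
        master.encode("utf-8"),
        _frame(username, site.lower(), str(counter)),
        hashlib.sha256,
    ).digest()
    # URL-safe base64 keeps the body to [A-Za-z0-9-_]; the '=' pad is cut off by the slice.
    body = base64.urlsafe_b64encode(digest).decode("ascii")[: length - 4]
    # One character from each class, selected by digest bytes, so composition rules
    # hold for every derived password rather than merely most of them. The modulo
    # bias here is irrelevant: the body carries the entropy, these four only satisfy rules.
    forced = (
        UPPER[digest[0] % len(UPPER)]
        + LOWER[digest[1] % len(LOWER)]
        + DIGITS[digest[2] % len(DIGITS)]
        + SYMBOLS[digest[3] % len(SYMBOLS)]
    )
    return body + forced


def has_all_classes(pw: str) -> bool:
    """True if pw contains an upper-case letter, a lower-case letter, a digit and a symbol."""
    return (
        any(c in UPPER for c in pw)
        and any(c in LOWER for c in pw)
        and any(c in DIGITS for c in pw)
        and any(c in string.punctuation for c in pw)
    )


if __name__ == "__main__":
    # Constructed demo values, not real credentials.
    master = "correct horse battery staple"
    print("example.com  :", site_password(master, "alice", "example.com"))
    print("rotated once :", site_password(master, "alice", "example.com", counter=1))
    print("example.org  :", site_password(master, "alice", "example.org"))
```

The trade-off the commenter describes still holds: a single master secret is the whole security of every site, and a leaked derived password plus a guessable username and site name gives an attacker an offline target for the master. That is why the master should be a long passphrase and why a real tool would put a slow KDF (scrypt or Argon2) in front of the HMAC; a raw SHA-256 HMAC is cheap to guess against.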

    • The exponent of the equation (alphabet_size)^(length of password) matters MUCH more than the mantissa.

      I only checked for 6-8 digit passwords, but having upper case letters allows far more different combinations than adding an extra character. You're correct if you consider the small-alphabet version to already have upper and lower case letters--in that case, adding an extra character gives more possibilities than allowing ASCII special characters.

      • by ledow ( 319597 )

        You mean, the 6-8 digit passwords that are basically useless? Exactly my point.

        256^6 = 281 trillion combinations (i.e. Full ASCII, including unprintables / untypeables, but only 6 characters long, so basically the best 6 character password ever).

        62^9 = 13,000 trillion combinations (i.e. upper and lower case letters, plus digits, but 9 characters long, orders of magnitude better, and not touching anything approaching a symbol).

        Guess which one is easier to type, easier to remember, more acceptable in a passw

  • Obligatory XKCD (Score:5, Interesting)

    by jcochran ( 309950 ) on Tuesday August 08, 2017 @06:27PM (#54969569)

    Those who require passwords really ought to take a look at it.

    https://xkcd.com/936/ [xkcd.com]

    • Re: (Score:2, Insightful)

      by freeze128 ( 544774 )
      ...and *NOT* implement that scheme! Hackers are already using 4-word dictionary attacks. (They read xkcd as well.)
      • Why is this a reason not to do it? The entropy argument in the comic is already done with the assumption of full knowledge of the pattern.

    • Dictionary based passwords such as correcthorsebatterystaple (chbs) are definitely along the right track...however, XKCD actually gets it wrong here. If you disregard web-based attack and are just talking hash-cracking, chbs is actually a trivially easy password to crack...even with hashes much slower than MD5 (but not bcrypt slow). All four words in chbs are found in the wiki top 10k words lists...so if you utilize a dictionary combination attack and set for four words, it would take a maximum of 10000^4
      • A standard US keyboard has 96 symbols on it. A lot of systems won't let you use space or tab, or a handful of other characters for some reason. Call it 90.

        An 11-character random password using a 90-character alphabet beats out a 4-word password from a dictionary of 170,000 words.
        The 170,000 word dictionary scheme has the additional problems of many passwords being identical (the meat sucks hit | them eat suck shit) and many of the passwords being too long to be used (a shitty limitation, yes, but a real one

        • by fnj ( 64210 )

          But nobody could memorize 11 random characters, while anyone can easily memorize 4 random words. So the comparison is unfair. To be fair you have to compare 11 random characters with 11 random words, or 4 random characters with 4 random words.

    • by houghi ( 78078 )

      Great. Now I just need to remember this for 100 places, some I use once per year. Also does not solve the problem with all the different pin codes.
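To put numbers on the exponent-versus-alphabet argument ledow and vux984 make in the "Sigh" thread, and on the 90^11 versus 170,000^4 comparison above, here is an added example; it is not code from the original page or from any commenter. The 100 billion guesses per second figure for fast hashes such as NTLM or MD5 is the one quoted in the thread; the slow-KDF rate and the list of schemes are assumptions chosen for scale.

```python
import math

# Guessing rates are assumptions for scale, not measurements. The thread quotes
# ~100 billion/s for fast unsalted hashes (NTLM, MD5) on a cracking rig; a tuned
# slow KDF (bcrypt, scrypt, Argon2) costs roughly a million times more per guess.
FAST_HASH_RATE = 100e9
SLOW_KDF_RATE = 100e3

# (alphabet size, length) for the schemes argued about in the thread.
SCHEMES = {
    "6 chars, all 256 byte values": (256, 6),
    "9 chars, [A-Za-z0-9]": (62, 9),
    "8 chars, 90 typeable symbols": (90, 8),
    "11 chars, 90 typeable symbols": (90, 11),
    "1 word, 2000-word list": (2_000, 1),
    "1 word + digit + mark, 10k-word list": (10_000 * 10 * 10, 1),
    "4 words, 10k-word list (xkcd)": (10_000, 4),
    "4 words, 170k-word list": (170_000, 4),
}


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """log2(alphabet_size ** length): the exponent is what length buys you."""
    return length * math.log2(alphabet_size)


def expected_seconds(bits: float, rate: float) -> float:
    """Mean time to hit a uniformly chosen secret: half the keyspace at `rate` guesses/s."""
    return 2.0 ** bits / 2.0 / rate


def bits_searchable(rate: float, seconds: float) -> float:
    """How many bits of keyspace an attacker exhausts in `seconds` at `rate` guesses/s."""
    return math.log2(rate * seconds)


def humanize(seconds: float) -> str:
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


def compare(rate: float = FAST_HASH_RATE) -> dict:
    """Map each scheme name to (bits, expected crack seconds) at the given rate."""
    table = {}
    for name, (alphabet, length) in SCHEMES.items():
        bits = keyspace_bits(alphabet, length)
        table[name] = (bits, expected_seconds(bits, rate))
    return table


def main() -> None:
    for rate, label in ((FAST_HASH_RATE, "fast hash"), (SLOW_KDF_RATE, "slow KDF")):
        print(f"\n--- {label}: {rate:,.0f} guesses/s ---")
        for name, (bits, secs) in compare(rate).items():
            print(f"{name:40s} {bits:6.1f} bits  {humanize(secs)}")
    ninety_days = bits_searchable(FAST_HASH_RATE, 90 * 86400)
    print(f"\nAgainst the fast-hash rig, {ninety_days:.0f} bits are exhausted in 90 days;")
    print("rotating on that schedule only matters for passwords stronger than that.")


if __name__ == "__main__":
    main()
```

Two things fall out of the table that the prose only asserts. First, ledow's point: 6 characters from the full 256-value byte alphabet is 48 bits, while 9 alphanumerics is about 53.6 bits, so three extra easy characters beat every exotic symbol on the keyboard. Second, vux984's point: the alphabet that matters is the one the user actually draws from, so a dictionary word is 1 symbol from a 2000-word alphabet (about 11 bits), a word plus digit plus mark is still under 20 bits, and four random words from 10,000 are about 53 bits, roughly a 9-character random alphanumeric and about 14 hours against the fast-hash rate. Against a properly slow KDF every row moves up by about 20 bits of effective cost, which is the real lesson for whoever stores the hashes.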

  • by s.petry ( 762400 ) on Tuesday August 08, 2017 @06:32PM (#54969599)

    This egomaniac isn't responsible, password rules meeting or exceeding his claim go back at least two decades for Commercial companies, and longer for "Government" (especially DOD). I have a policy from 1995 that I wrote for the company I worked for at the time.

    Password enforcement was a constant problem 20-30 years ago, but we all had policies.

    The short duration of a password was not some arbitrary number based on "mah ego", it was based on a majority of systems which could not handle a password longer than 8 characters.

    I didn't invent the password policy, but by this claim I sure as hell could.

    Oh, and password policies are as important today as they were back then. Go ahead and claim your fingerprints [sciencefriday.com] are fool proof!

    • This egomaniac isn't responsible, password rules meeting or exceeding his claim go back at least two decades for Commercial companies, and longer for "Government" (especially DOD). I have a policy from 1995 that I wrote for the company I worked for at the time...

      Like you, I've been doing this for a very long time now (decades).

      The average person (user) is stupid and ignorant.

      Intelligent people have known this for centuries. No one alive can take "credit" for that discovery, but it's not exactly a falsehood for the author of a NIST standard to come forth and apologize for making that assumption.

      "Oh, and password policies are as important today as they were back then."

      I've worked with the stupid and ignorant for a very long time. The ones that still refuse to back up their systems after the third hard drive failure. The ones that st

  • My work requires us to change our passwords every 90 days. I've had the same password for the last 15 years with the exception of one letter of the alphabet that goes from a to b to c... I'm on letter g right now. I've rotated through the alphabet a number of times and still get a thrill when I rotate from z back to a.

    • by 93 Escort Wagon ( 326346 ) on Tuesday August 08, 2017 @06:39PM (#54969657)

      Here is your current password: Pzssw0rd1

      (Don't worry - while you'll see your password in plain text there, all the other Slashdotters will see a string of asterisks like this: *********)

    • I could easily imagine a system that does this...
      1. Maintain the hash of the previous N passwords (say N > 5)
      2. Require all the BS rules of number of character classes, length, etc.
      3. Require that the new password have a Levenshtein distance > X from your previous password (With X being a significant fraction of the password length and it would know your previous password since you'd need to enter it to verify your identity before setting your new password).

      But frankly, it would still be weaker than s
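As an added example, not the commenter's code, here is the three-step change check sketched above, generalized a little: the history is kept as salted PBKDF2 entries rather than bare hashes, and the Levenshtein distance is taken after lower-casing and undoing common letter/digit substitutions, so that Pa55word!1 to Pa55word!2 (which the plain check also catches) and Pa55word!1 to PASSWORD!1 (which it would not) are both rejected. The policy values and the iteration count are assumptions.

```python
from __future__ import annotations

import hashlib
import hmac
import math
import os
from dataclasses import dataclass

PBKDF2_ITERATIONS = 200_000  # assumption; tune to the hardware budget

# Undo the usual substitutions so Pa55word and password compare as equal.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})


@dataclass
class Policy:
    min_length: int = 12
    history_size: int = 5                # the "previous N passwords" from the post
    min_distance_fraction: float = 0.5   # the "significant fraction of the length"
    required_classes: int = 0            # 0 = no composition rule, per current NIST advice


def normalize(pw: str) -> str:
    return pw.lower().translate(LEET)


def levenshtein(a: str, b: str) -> int:
    """Edit distance with insert/delete/substitute; O(len(a)*len(b)) time, O(len(b)) space."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def hash_password(pw: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Salted PBKDF2 entry for the history list; store (salt, digest), never the password."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def char_classes(pw: str) -> int:
    tests = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(t(c) for c in pw) for t in tests)


def check_password_change(
    old_pw: str,
    new_pw: str,
    history: list[tuple[bytes, bytes]],
    policy: Policy | None = None,
) -> list[str]:
    """Return the violated rules (empty list = accept).

    old_pw is the plaintext the user just typed to authenticate, as the post notes,
    so the similarity check needs nothing stored beyond the hashed history.
    """
    policy = policy or Policy()
    reasons: list[str] = []
    if len(new_pw) < policy.min_length:
        reasons.append("too_short")
    if policy.required_classes and char_classes(new_pw) < policy.required_classes:
        reasons.append("missing_classes")
    for salt, digest in history[-policy.history_size:]:
        _, candidate = hash_password(new_pw, salt)
        if hmac.compare_digest(candidate, digest):
            reasons.append("reused")
            break
    a, b = normalize(old_pw), normalize(new_pw)
    min_distance = math.ceil(policy.min_distance_fraction * max(len(a), len(b)))
    if levenshtein(a, b) < min_distance:
        reasons.append("too_similar")
    return reasons


if __name__ == "__main__":
    history = [hash_password("Winter2016!!")]  # constructed history entry
    for old, new in [("Pa55word!1", "Pa55word!2"), ("Pa55word!1", "PASSWORD!1"),
                     ("Pa55word!1", "Winter2016!!"), ("Pa55word!1", "correct horse battery staple")]:
        print(f"{old!r} -> {new!r}: {check_password_change(old, new, history) or 'accepted'}")
```

The normalization is deliberately crude; it closes the MMYY and "+1" tricks described in this thread but not a user who swaps in an unrelated word of the same shape. That is the point the commenter ends on: a similarity rule makes forced rotation slightly less useless, it does not make it good, and the cost is paid by every legitimate user at every change.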

    • At a former employer, we were required to change our passwords every 90 days. You could not define your own password; instead, you could only select one from a list presented to you, but....

      Each system (IBM mainframe) had its own copy of your password. You could push your password from one system to the others.

      I found that the generation of new password choices was not remotely random and that, by changing my password, pushing it out to other systems, then logging onto a remote system and going to the password change

      • Selecting from a pre-determined list of passwords sounds like a security nightmare.
        • I've seen the like. It was implemented so that managers could see the work, and the email, of their personnel.

        • I suspect that the list was pseudo-random, using a seed that was based on the current password. Someone probably thought that if they used the current password to generate new passwords, that would ensure that the new password was different. The passwords were only 4 characters. This was decades ago.

          I am not sure that my description of the hack is entirely accurate.

    • One place I worked, for some bizarre reason we all had to set our passwords in RACF and they'd be somehow propagated from there to Windows and Unix boxes. (This was probably early to mid nineties.) It was company policy. There had to be letters and numbers and one capital letter and it had to be changed every 30 days. Yes, not 90, 30. Someone figured out that Jan1993, Feb1993, Mar1993, Apr1993 and so forth met the monthly requirements, the password rules, and never repeated.

      So we all started using that

  • Where there is weeping, and gnashing of teeth. Also they use his system of passwords, the wifi signal is always just out of reach and the coffee is made in percolators that go on forever.

  • by Traf-O-Data-Hater ( 858971 ) on Tuesday August 08, 2017 @06:37PM (#54969647)
    My pet annoyance are those sites that do not clearly state what their particular requirement is, clearly, up front. So it only tells you after you've entered something you think may be acceptable, and you've then lost that train of thought and are forced to figure out something new.
    • I'm more annoyed when sites require passwords that aren't in line with the kind of data they're holding. I don't want to have to remember a banking-safe password when I'm trying to log into a fart jokes website.

      • by sconeu ( 64226 )

        Another one along the same lines is needing to come up with a password when you don't need one.

        If I'm making a one-shot purchase from your website, there is NO F*CKING NEED FOR ME TO OPEN AN ACCOUNT!!! Why are you forcing me to create an account?

        • Those of us interested in tracking every detail of your single-purchase behaviors...then selling that info to another entity...strongly disagree that there isn't a need to force you to voluntarily register and create an account. Despite your tone indicating that you disagree with this practice, our records clearly show you clicked "I agree."

        • If I'm making a one-shot purchase from your website, there is NO F*CKING NEED FOR ME TO OPEN AN ACCOUNT!!!

          Insensitive clod! Don't you realise that people like you are destroying the internet!

      • I would be more embarrassed if somebody could prove I had an account on a fart jokes site than if they stole money from my checking account.

      • Yet more annoying is sites that prevent you from Control-V paste or middle-click paste. Come on! I want to be able to generate a 32 or 64 character gobbledygook password in KeePass and just paste it in there.

        Some sites screw it up and prevent either Control-V or middle-click, but not both. But those are rare. Seriously, web developers, it doesn't help anybody to prevent pasting into a password field.

        The worst was one financial-related site that I had to use that not only did not allow you paste into the

    • Algorithms for determining password strength are uniformly terrible, too. I once set up an account in Plesk and it rejected K"Nb\:uO` as too weak but accepted P@55w0rd without complaint.
  • by chispito ( 1870390 ) on Tuesday August 08, 2017 @06:47PM (#54969737)
    This is not a news to many sysadmins. Some of our managers even get it as well.

    None of that matters in the face of regulatory compliance.
  • by zm ( 257549 ) on Tuesday August 08, 2017 @06:49PM (#54969747) Homepage

    ...also suggested using cruise ships for population control.

  • Ladies and gentlemen, I think I've found my new password!

  • ""In the end, [the list of guidelines] was probably too complicated for a lot of folks to understand very well...

    In other words, he did what a lot of us have done; assumed people were actually smart.

    He should stop apologizing; intelligent people have been doing that for centuries.

  • by markdavis ( 642305 ) on Tuesday August 08, 2017 @07:00PM (#54969837)

    I have had to fight our auditors every year for decades about stupid password ageing rules. I refused to implement them and said it would LOWER security while simultaneously pissing off users and lowering productivity. Each year I added more references to articles from people who agreed with me, just in case.

    Maybe now they will finally believe me?

  • by roc97007 ( 608802 ) on Tuesday August 08, 2017 @07:04PM (#54969877) Journal

    I strongly suspect that one way to measure how onerous the password policy is in a particular environment is to go through the office flipping up keyboards. The metric would be as a percentage of yellow stickies with passwords stuck underneath. You could weight the metric by the size of the penalty for writing down your password.

  • As it is, I have the stupid policy at work. I simply change my password from ******** to ******** and everything is good.
  • soooooo..... update the damn thing and go on the 8pm news and get the word out that those rules and the stated schedule for changing passwords are both BS and give some reasonable guidelines (like 4 random words strung together) along with having the industry standard of an exponentially longer timeout after 3 wrong guesses (or just locking the account and/or blocking the IP address (or range) the bogus attempts were coming from, depending on your need for security)... and a million other better solutions t
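An added example, not code from the comment or the article, of the throttle the commenter asks for: per-account exponential backoff after three failures, with an injectable clock so it can be tested without sleeping. The three-attempt allowance, the one-second base and the one-hour cap are assumptions. It only slows online guessing against the live login endpoint; it does nothing against offline cracking of a stolen hash database, which is the attack most of this thread is about. An account lockout is also a denial-of-service lever, which is why the lock here never grows while the account is already locked and why the delay is capped.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple


@dataclass
class LoginThrottle:
    """Per-account exponential backoff for online password guessing.

    The first `free_attempts - 1` failures cost nothing. The failure that reaches
    `free_attempts` locks the account for `base_delay` seconds and every further
    failure doubles the lock, capped at `max_delay`. A success clears the record.
    Attempts made while locked are refused without being counted, so an attacker
    cannot extend a victim's lockout indefinitely by hammering the endpoint.
    """
    free_attempts: int = 3
    base_delay: float = 1.0
    max_delay: float = 3600.0
    clock: Callable[[], float] = time.monotonic
    # account -> (failure count, monotonic time the lock expires)
    _state: Dict[str, Tuple[int, float]] = field(default_factory=dict, init=False, repr=False)

    def seconds_remaining(self, account: str) -> float:
        """Seconds until an attempt on `account` is accepted again (0.0 = go ahead)."""
        _, locked_until = self._state.get(account, (0, 0.0))
        return max(0.0, locked_until - self.clock())

    def record(self, account: str, success: bool) -> None:
        if success:
            self._state.pop(account, None)
            return
        failures, _ = self._state.get(account, (0, 0.0))
        failures += 1
        delay = 0.0
        if failures >= self.free_attempts:
            delay = min(self.max_delay, self.base_delay * 2 ** (failures - self.free_attempts))
        self._state[account] = (failures, self.clock() + delay)

    def attempt(self, account: str, password_ok: bool) -> str:
        """Gate one login attempt: 'locked' (credential not even checked), 'ok', or 'bad'.

        `password_ok` stands in for the real verifier result; a production version
        would compute it only after the lock check passes, so locked requests never
        touch the hash store.
        """
        if self.seconds_remaining(account) > 0:
            return "locked"
        self.record(account, password_ok)
        return "ok" if password_ok else "bad"


if __name__ == "__main__":
    # Constructed walk-through with a fake clock.
    now = [0.0]
    throttle = LoginThrottle(clock=lambda: now[0])
    for guess in ("guess1", "guess2", "guess3", "guess4"):
        print(guess, "->", throttle.attempt("alice", False),
              f"(locked for {throttle.seconds_remaining('alice'):.0f}s)")
    now[0] += 1.0
    print("correct password while locked ->", throttle.attempt("alice", True))
```

The same structure works keyed on source address instead of account, and in practice you run both: the per-account throttle stops a slow vertical attack on one user, while a per-IP (or per-range) throttle slows a horizontal spray of one common password across many accounts, which the per-account counter alone never sees. Neither replaces a slow password hash on the server side.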

  • by blind biker ( 1066130 ) on Tuesday August 08, 2017 @07:57PM (#54970315) Journal

    His password policies suck. No wonder he changed careers. [youtube.com]

  • Increasing your character set makes it harder to run brute force attacks and even randomly guess a password, even when the increase in character count is fully known.

    Changing every 90 days was a bitch, though, agreed.

  • I managed to get the root password on a Unix system to include a backspace. Then the login program wouldn't take it.
  • The password hell is where he belongs. Always one more complex password for that ice cold drop of water.

  • 64 characters, symbols, letters, numbers, capitals and lower case. Change them at least once a month, never use the same password twice and use random generation as much as possible. If you can, don't just use a password, use at least 2FA, if not MFA (I have servers with 4FA+ on them).
    • And how do you remember 64 characters, symbols, letters, numbers, capitals and lower case passwords?

      You have a password generation system, don't you?

    • by swilver ( 617741 )

      That's just not good enough.

      A decent system just generates your password and gives you 30 seconds to remember it. How you can trust people to think of their own 64 character password is beyond me.

  • We are all guilty of using P@assword1, P@ssword2, etc.... but I can't keep committing a complex password to memory every 90 days. So here's the deal... let the user decide. Users are free to pick simple passwords and the system will decide to make them change those passwords every 90 days. If the user picks a complex password they won't have to change it again. My bet is that the users will come up with a /great/ complex password ONCE.
