New submitter cdreimer writes: According to a report in The Wall Street Journal (Warning: source may be paywalled, alternative source), the author behind the U.S. government's password requirements regrets wasting our time on changing passwords so often. From the report: "The man who wrote the book on password management has a confession to make: He blew it. Back in 2003, as a midlevel manager at the National Institute of Standards and Technology, Bill Burr was the author of 'NIST Special Publication 800-63. Appendix A.' The 8-page primer advised people to protect their accounts by inventing awkward new words rife with obscure characters, capital letters and numbers -- and to change them regularly. The document became a sort of Hammurabi Code of passwords, the go-to guide for federal agencies, universities and large companies looking for a set of password-setting rules to follow. The problem is the advice ended up largely incorrect, Mr. Burr says. Change your password every 90 days? Most people make minor changes that are easy to guess, he laments. Changing Pa55word!1 to Pa55word!2 doesn't keep the hackers at bay. Also off the mark: demanding a letter, number, uppercase letter and special character such as an exclamation point or question mark -- a finger-twisting requirement." "Much of what I did I now regret," Bill Burr told The Wall Street Journal. "In the end, [the list of guidelines] was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree."
"I was wrong" is one of the most powerful things you can say. Many find it very difficult, but it becomes easier with practice. The people who would have the largest positive impact on the world by saying this are politicians, but sadly they are also among the least likely to be able to say it.
Oh, hell, I'm wrong several times every day. Just like nearly 100% of the human population. I do often marvel, though, at how rare it is to hear someone face up to it.
Finding out that you're wrong is a moment to celebrate, not something to be embarrassed by. It marks a moment when you've become just a little less ignorant about something.
As the old saying goes, I've never learned anything from being right.
I am not really disagreeing with you, but I do not think he was wrong. I mean, he is wrong *now*, but he was not wrong for 2003. Password security was atrocious in the late 90s.
Perhaps Bill Burr's password rules were more of an over-correction due to the piss-poor password management of the era.
LONG PASSWORDS.
The exponent of the equation (alphabet_size)^(length of password) matters MUCH more than the mantissa.
Put another character on the end of an alphanumeric password and you're doing more than selecting even the weirdest of keyboard-typeable symbols.
And the change-your-password-every-X-days was always junk and just provides a route for social engineering of the password reset process on a pre-determined schedule. If your password hasn't been compromised in a reasonable time, it's not going to be
Those who require passwords really ought to take a look at it.
https://xkcd.com/936/
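An added example, not from the article or any commenter, putting two of the points on this page into code: the "Pa55word!1 to Pa55word!2" rotation pattern from the summary, and this comment's claim that one more character beats a wider symbol alphabet. The 8-character minimum, the four character classes and the use of Python's punctuation set as the "symbols" class are assumptions made here.

```python
import math
import string

# Character classes for a 2003-style complexity rule (assumed for this example).
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),  # 32 keyboard-typeable symbols
}


def complexity_rule_ok(pw: str) -> bool:
    """Old-style rule: at least 8 characters and one from each class."""
    return len(pw) >= 8 and all(any(c in cls for c in pw) for cls in CLASSES.values())


def guess_space_bits(pw: str) -> float:
    """Brute-force upper bound in bits: log2(alphabet_size ** length).

    alphabet_size is the total size of the classes the password actually uses,
    so it reflects what a length-based policy rewards rather than what a
    complexity checklist demands.
    """
    alphabet = sum(len(cls) for cls in CLASSES.values() if any(c in cls for c in pw))
    return len(pw) * math.log2(alphabet)


def is_trivial_rotation(old: str, new: str) -> bool:
    """Catch the 90-day rotation habit: one changed position, or one appended character."""
    if old == new:
        return True
    if len(old) == len(new):
        return sum(a != b for a, b in zip(old, new)) <= 1
    shorter, longer = sorted((old, new), key=len)
    return len(longer) - len(shorter) == 1 and longer.startswith(shorter)


if __name__ == "__main__":
    # Constructed sample passwords.
    for pw in ("Pa55word!1", "Abcdef1!", "Abcdefg1h", "correcthorsebatterystaple"):
        print(f"{pw:28} complexity_ok={complexity_rule_ok(pw)!s:5} bits={guess_space_bits(pw):.1f}")
    print("trivial rotation:", is_trivial_rotation("Pa55word!1", "Pa55word!2"))
```

The 9-character alphanumeric string scores higher than the 8-character one that swaps in a symbol, and the long lowercase passphrase fails the complexity rule while far outscoring the "compliant" password.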
This egomaniac isn't responsible, password rules meeting or exceeding his claim go back at least two decades for commercial companies, and longer for "Government" (especially DOD). I have a policy from 1995 that I wrote for the company I worked for at the time.
Password enforcement was a constant problem 20-30 years ago, but we all had policies.
The short duration of a password was not some arbitrary number based on "mah ego", it was based on a majority of systems which could not handle a password longer tha
My work requires us to change our passwords every 90 days. I've had the same password for the last 15 years with the exception of one letter of the alphabet that goes from a to b to c... I'm on letter g right now. I've rotated through the alphabet a number of times and still get a thrill when I rotate from z back to a.