eDiscovery Daily Blog

Retired NIST Expert Says His Advice on Creating Passwords was Wrong: Cybersecurity Best Practices

If you’re a person who takes password security seriously and followed advice to create passwords that use a combination of lower and upper case letters, numbers and special characters to foil hackers, good for you.  Unfortunately, that advice was wrong, according to the National Institute of Standards and Technology (NIST) and the retired expert who authored that advice in the first place.

According to The Wall Street Journal (The Man Who Wrote Those Password Rules Has a New Tip: N3v$r M1^d!, written by Robert McMillan), the author of an 8-page primer written in 2003 which advised people to protect their accounts by inventing awkward new words rife with obscure characters, capital letters and numbers – and to change them regularly – has admitted the advice was largely incorrect.

Back in 2003, as a midlevel manager at NIST, Bill Burr was the author of “NIST Special Publication 800-63. Appendix A.”  The document became a sort of Hammurabi Code of passwords, the go-to guide for federal agencies, universities and large companies looking for a set of password-setting rules to follow.

The problem is the advice ended up largely incorrect, Burr says. Change your password every 90 days? Most people make minor changes that are easy to guess, he lamented. Changing Pa55word!1 to Pa55word!2 doesn’t keep the hackers at bay.  The advice that demanded a letter, number, uppercase letter and special character – such as an exclamation point or question mark – was also wrong.  Years of research have shown that these measures actually don’t do much to foil hackers.

“Much of what I did I now regret,” said Burr, 72 years old, who is now retired.

In June, Special Publication 800-63 got a thorough rewrite, led by Paul Grassi, an NIST standards-and-technology adviser, which resulted in removal of several of these password commandments.  The new guidelines, which are already filtering through to the wider world, drop the password-expiration advice and the requirement for special characters, Grassi said. Those rules did little for security—they “actually had a negative impact on usability,” he said.

NIST’s newly updated guide instead encourages a long, easy-to-remember string of words.  In a widely circulated piece, cartoonist Randall Munroe calculated it would take 550 years to crack the password “correct horse battery staple,” all written as one word, whereas the password Tr0ub4dor&3 (a typical example of a password using Burr’s old rules) could be cracked in three days, according to Mr. Munroe’s calculations, which have been verified by computer-security specialists.
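As an added worked example (not from the article, NIST or Mr. Munroe), the arithmetic behind the two figures quoted above, plus a check for the Pa55word!1-to-Pa55word!2 kind of rotation described earlier. It assumes Munroe’s own published figures rather than anything stated in this post: an attacker making 1,000 guesses per second, a four-word passphrase drawn from a 2,048-word list (11 bits per word, 44 bits total) and roughly 28 bits for the Tr0ub4dor&3 pattern.

```python
import math
import re

# Assumptions taken from Munroe's comic, not from the article above.
GUESSES_PER_SECOND = 1_000          # offline guessing rate assumed by Munroe
WORDLIST_SIZE = 2_048               # common passphrase list size: log2(2048) = 11 bits/word
TROUBADOR_BITS = 28                 # Munroe's estimate for the Tr0ub4dor&3 pattern
SECONDS_PER_DAY = 24 * 3600
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY


def passphrase_entropy_bits(word_count: int, wordlist_size: int = WORDLIST_SIZE) -> float:
    """Entropy of a passphrase whose words are chosen uniformly from a wordlist."""
    return word_count * math.log2(wordlist_size)


def crack_time_seconds(entropy_bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Time to search the whole keyspace of 2**entropy_bits guesses.
    Munroe's 550-year and three-day figures use this worst-case (full keyspace) convention."""
    return (2 ** entropy_bits) / rate


def crack_time_years(entropy_bits: float) -> float:
    return crack_time_seconds(entropy_bits) / SECONDS_PER_YEAR


def crack_time_days(entropy_bits: float) -> float:
    return crack_time_seconds(entropy_bits) / SECONDS_PER_DAY


def is_trivial_change(old_password: str, new_password: str) -> bool:
    """True when a 'new' password is the old one unchanged or with only a trailing
    counter edited (Pa55word!1 -> Pa55word!2), the minor change the article warns about.
    A password-change handler can run this against the new plaintext before accepting it."""
    stem = lambda p: re.sub(r"\d+$", "", p)
    return stem(old_password).lower() == stem(new_password).lower()


if __name__ == "__main__":
    bits = passphrase_entropy_bits(4)                       # 44 bits for four words
    print(f"four-word passphrase: {bits:.0f} bits, ~{crack_time_years(bits):.0f} years")
    print(f"Tr0ub4dor&3 pattern : {TROUBADOR_BITS} bits, ~{crack_time_days(TROUBADOR_BITS):.1f} days")
    print("Pa55word!1 -> Pa55word!2 trivial:", is_trivial_change("Pa55word!1", "Pa55word!2"))
```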

With data accumulated over the last decade or so (which wasn’t available to Burr back then), experts have concluded that the password recommendations from 2003 don’t work because we tend to gravitate toward the same old combinations over and over.  With that in mind, Grassi thinks his former colleague Burr is being a little bit hard on himself over his 2003 advice.

“He wrote a security document that held up for 10 to 15 years,” Grassi said. “I only hope to be able to have a document hold up that long.”

So, what do you think?  Do you use 2003 recommendations to create your passwords?  Please share any comments you might have or if you’d like to know more about a particular topic.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.