Man who came up with the safe password rules admits he was Wrong

Discussion in 'PC Performance, Security, and Tips' started by Bliss, Aug 10, 2017.

  1. Bliss

    Bliss Well-Known Member

    Now says his guidelines about using numbers, symbols and capital letters have made computers easier to hack


    We've all chosen complicated and difficult-to-remember passwords in the hope of boosting security.

    But the man who came up with the rules on these 'safe' passwords more than a decade ago has admitted that his advice was wrong.

    Bill Burr's 'bible' on password security was written in 2003 while he worked for the US Government.

    His guidance was to change passwords often, use numbers, include non-alphabetic symbols and try capital letters.

    He says he now 'regrets' his advice as passwords that use these guidelines are often easier to hack.

    Mr Burr, author of 'NIST Special Publication 800-63. Appendix A', told Wall Street Journal that much of his advice in the book was incorrect.

    'Much of what I did I now regret,' said Mr Burr, who advised people to change their password every 90 days and use obscure characters.

    'It just drives people bananas and they don't pick good passwords no matter what you do,' he said.

    His advice is responsible for bizarre password combinations such as su55ess1 and d0lla3s.

    But rather than improving security, the combinations made computers less secure, since users would end up using the same password repeatedly, or writing them down on notes to remember.

    The reason changing a password frequently does not help is that most people make minor tweaks such as replacing the number 1 with a number 2.

    These are called 'transformations' and hackers are very aware of them and build them into their scripts.

    The use of random numbers in the middle of passwords also doesn't help.

    Hackers can also use 'brute force' cyber attacks in which a computer cycles through every possible combination of characters to guess a password.

    Experts now believe long passwords that contain perhaps four words are much harder to break than shorter ones with a mix of letters, characters and numbers.

    Cartoonist Randall Munroe found it would take 550 years to crack 'correcthorsebatterystaple', whereas the password 'Tr0ub4dor&3' - which was previously considered strong by Mr Burr's calculations - could be hacked in three days.

    'Through 20 years of effort, we've successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess', he wrote on his website.

    Paul Grassi, an NIST standards-and-technology adviser, has rewritten the guidelines on how to create a safe password.

    'We ended up starting from scratch,' Mr. Grassi said, after finding that most of the previous rules 'actually had a negative impact on usability'.

    He now advises that people use long but easy-to-remember 'passphrases', that do not need to feature special characters or numbers.

    Issues surrounding password strength are becoming increasingly pressing with the growth of hacking activity and large data breaches.

    Yesterday more than 306 million previously hacked passwords were released by a data expert in an attempt to help people ramp up their online security.

    Anyone can check to see if their personal information could have been compromised using the new 'Have I Been Pwned' website.

    Pwned is a play on the word 'owned', which is informally used to refer to making a fool out of someone, or taking advantage of them.

    Security expert Troy Hunt, who is based in the Gold Coast in Australia, released the tool for searching if your password is among those hacked passwords that need changing.

    The full list can be read in a 5.3GB download - or users can test out their passwords on this link.

    Mr Hunt compiled the list from dozens of data breaches.

    'My hope is that an easily accessible online service like this also partially addresses the age-old request I've had to provide email address and password pairs', he wrote in his blog.

    'If the password alone comes back with a hit on this service, that's a very good reason to no longer use it regardless of whose account it originally appeared against'.

    'As well as people checking passwords they themselves may have used, I'm envisaging more tech-savvy people using this service to demonstrate a point to friends, relatives and co-workers: 'you see, this password has been breached before, don't use it!'


    --------------------
    MOST COMMON PASSWORDS OF 2017

    123456

    123456789

    qwerty

    12345678

    111111

    1234567890

    1234567

    password

    123123

    987654321



    GOOD PASSWORDS
    Experts now believe long passwords that contain perhaps four words are much harder to break than shorter ones with a mix of letters, characters and numbers.

    Long pass phrases work better because they are really long and still easy to remember.

    Although people might think their choice of password is original, people usually end up using the same combinations time and again - things like Pa$w0rd or Monkey1!.

    The reason changing a password frequently does not help is because when most people change their password they make minor tweaks such as replacing the number 1 with a number 2.

    These small changes are called 'transformations' and hackers are very aware of them and build them into their scripts.

    The new advice is to use long but easy-to-remember 'passphrases', that do not need to feature special characters or numbers.

    https://haveibeenpwned.com
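The 550-years-versus-three-days comparison quoted in the post comes from the XKCD "Password Strength" comic, and the numbers follow from a simple guess-space calculation. The script below is an added example, not code from the article, the thread or NIST: it reproduces the comic's accounting (an assumed 1,000 guesses per second against an online service, 11 bits per word for a 2,048-word list, and 28 bits for the "uncommon word + substitutions + digit + symbol" scheme), then shows a small defensive check that flags a new password as one of the 'transformations' the post describes (same stem, only the case, leet substitutions or the digit/symbol suffix changed). The leet map and the sample passwords are constructed for the example.

```python
import math
import re

# Assumptions (constructed for this example, taken from the XKCD comic the
# article cites rather than from the article itself).
GUESSES_PER_SECOND = 1_000          # comic's rate for a web-facing login
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365 * SECONDS_PER_DAY


def passphrase_bits(word_count: int, dictionary_size: int = 2048) -> float:
    """Entropy of `word_count` words drawn uniformly from a word list.

    2048 words give 11 bits per word, so four words give 44 bits.
    """
    return word_count * math.log2(dictionary_size)


def substituted_word_bits() -> float:
    """The comic's accounting for 'Tr0ub4dor&3'-style passwords.

    Each component is the number of bits an attacker who knows the pattern
    must still guess; the total is 28 bits, not the ~70 bits that eleven
    printable characters would suggest.
    """
    components = {
        "uncommon base word": 16,
        "capitalisation of first letter": 1,
        "common substitutions (0 for o, 4 for a)": 3,
        "appended numeral": 3,
        "appended punctuation": 4,
        "order of numeral and punctuation": 1,
    }
    return float(sum(components.values()))


def worst_case_seconds(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Time to enumerate the whole guess space at `rate` guesses per second."""
    return 2 ** bits / rate


def crack_time_years(bits: float) -> float:
    return worst_case_seconds(bits) / SECONDS_PER_YEAR


def crack_time_days(bits: float) -> float:
    return worst_case_seconds(bits) / SECONDS_PER_DAY


# Constructed map of the substitutions cracking wordlists already anticipate.
LEET = str.maketrans("0134578$@!", "oleastbsai")


def stem(password: str) -> str:
    """Drop a trailing run of digits/symbols, lower-case, undo leet substitutions."""
    core = re.sub(r"[^A-Za-z]+$", "", password)
    return core.lower().translate(LEET)


def is_trivial_transformation(old: str, new: str) -> bool:
    """True when `new` differs from `old` only by case, leet-style substitutions
    or a changed digit/symbol suffix. A password-change policy can reject such
    a change instead of pretending the rotation bought any security."""
    return old != new and stem(old) == stem(new)


if __name__ == "__main__":
    print(f"4-word passphrase: {passphrase_bits(4):.0f} bits, "
          f"~{crack_time_years(passphrase_bits(4)):.0f} years to exhaust")
    print(f"Tr0ub4dor&3 scheme: {substituted_word_bits():.0f} bits, "
          f"~{crack_time_days(substituted_word_bits()):.1f} days to exhaust")
    for old, new in [("su55ess1", "su55ess2"), ("Summer2017!", "Summer2018!"),
                     ("Tr0ub4dor&3", "correcthorsebatterystaple")]:
        print(f"{old!r} -> {new!r}: trivial={is_trivial_transformation(old, new)}")
```

The crack-time figures use the full guess space, which is how the comic arrives at roughly 550 years and three days; an average-case attacker finds the password in about half that time, and an offline attack against a leaked hash database runs many orders of magnitude faster than 1,000 guesses per second, so the absolute numbers matter far less than the 16-bit gap between the two schemes.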

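The Pwned Passwords service linked in the post is designed so that a check can be made without sending the password, or even its full hash, to the site: the client hashes the password with SHA-1, sends only the first five hex characters of the hash to the `range` endpoint, and receives every suffix in that range with its breach count. The script below is an added example, not code from the article, the thread or Troy Hunt's service; it builds a tiny constructed corpus with made-up counts (the passwords come from the post's "most common" list), serves it the way the real endpoint formats its response, and runs the client-side lookup offline so that nothing leaves the machine. `fetch_range` is a stand-in for the HTTPS request to `https://api.pwnedpasswords.com/range/<prefix>`.

```python
import hashlib
from collections import defaultdict

# Constructed sample corpus with invented prevalence counts (not real breach
# data). The passwords are from the article's "most common" list.
SAMPLE_BREACH_COUNTS = {
    "123456": 23_000_000,
    "123456789": 7_700_000,
    "qwerty": 3_800_000,
    "password": 3_700_000,
    "correcthorsebatterystaple": 1,   # the XKCD example itself is well known now
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the form the Pwned Passwords API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(counts: dict) -> dict:
    """Server side: group hashes by their 5-char prefix and store, per prefix,
    the remaining 35 characters and the count as 'SUFFIX:COUNT' lines."""
    index = defaultdict(list)
    for password, n in counts.items():
        digest = sha1_hex(password)
        index[digest[:5]].append(f"{digest[5:]}:{n}")
    return {prefix: "\r\n".join(sorted(lines)) for prefix, lines in index.items()}


RANGE_INDEX = build_range_index(SAMPLE_BREACH_COUNTS)


def fetch_range(prefix: str) -> str:
    """Stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.

    Reads the local index so the example runs offline. A real client would
    make the HTTPS request here and return the response body unchanged.
    """
    if len(prefix) != 5:
        raise ValueError("range prefix must be exactly 5 hex characters")
    return RANGE_INDEX.get(prefix, "")


def breach_count(password: str) -> int:
    """Client side: disclose only the 5-char prefix, match the suffix locally.

    Returns how many times the password appeared in the corpus, or 0.
    The server sees at most 1/16**5 of the hash space, never the password.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        if not line:
            continue
        candidate, count = line.split(":", 1)
        if candidate == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for pw in ["123456", "password", "a constructed unique passphrase"]:
        n = breach_count(pw)
        verdict = f"seen {n:,} times, do not use" if n else "not in the sample corpus"
        print(f"{pw!r}: {verdict}")
```

A zero result only means the password is not in the corpus that was searched, so the check belongs alongside length and blocklist rules rather than in place of them; a non-zero result is, as Hunt says in the post, reason enough to retire the password regardless of where it originally leaked.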