Article posted: Aug 30, 2017
By Marcus Hartwig, GM Americas
When I saw this headline in the Wall Street Journal recently, "T3rr1bl3 @dv1c3," I couldn't resist reading the article and sharing the regrets of one of the pioneers of secure passwords.
The article includes an interview with Bill Burr, a former manager at the National Institute of Standards and Technology (NIST), discussing how he'd come up with recommendations for secure passwords some 13 years ago. At the time, he says, he was tasked with providing recommendations on the best ways to keep passwords secure for a NIST special publication (800-63, Appendix A). He didn't have much time, so he invented his own rules, he says, putting together an 8-page guide.
In the article's most memorable quote, Burr says, "Much of what I did I now regret." Thus the "T3rr1bl3 @dv1c3" headline.
Burr's recommendation was that stronger, more secure passwords were possible by adding in symbols, numbers, and mixing upper- and lower-case letters. And, he noted, passwords should be changed every three months. Sounds like sage advice. In fact, most of us today follow these rules (although, in our experience it's rare that people change their passwords regularly unless their system mandates them to do so).
The problem with this method is that in many cases the passwords become more predictable and far less creative, such as "P@ssword123," which is actually very easy for hackers to break, since most users apply the same substitutions: a becomes @, i becomes 1, e becomes 3, and so on. Most users also follow the same general pattern, with a capital letter at the start and any numbers and special characters at the end.
Now, NIST has updated the rules Burr originally created. Rather than the gobbledygook of jumbled letters and symbols, NIST today recommends using long passwords that contain an easily remembered phrase. Maybe something like, "MyfavoritevacationspotisOrvieto" or "MrPawsisthebestcatintheWorld." You get the idea.
So, while we appreciate the early efforts of Mr. Burr, our hats are off to NIST. These new guidelines, found here, make a lot more sense, and users will applaud the new rules. While the new guidelines make a positive impact on password security, nothing beats the proven security of two-factor authentication in keeping data secure, which is also outlined in the new recommendations.
Be sure to reach out to our Versasec team to learn more about implementing multi-factor authentication and managing the process by clicking here and then selecting the "Open Chat" button.