Man responsible for annoying pw requirements regrets it

darkphoenix181
09/27/19 1:44:53 PM
#1:


https://www.digitaltrends.com/computing/strong-password-system-getting-a-facelift/

The man responsible for your requirement to use a combination of lower-case letters, upper-case letters, numbers, and symbols in passwords at least eight characters long is now regretting his advice. Former National Institute of Standards and Technology manager Bill Burr recently admitted in an interview with The Wall Street Journal that his 2003 document about crafting strong passwords and changing them every 90 days was somewhat off the mark.

At the time, he said that users will choose an easily remembered, easily guessed password, and likely one stemming from a batch of a few thousand commonly chosen passwords. In turn, hackers trying to gain access to user accounts, computers, and so on would try the most likely chosen passwords first. But even though services would reject specific passwords given their common use, Burr suggested a more secure alternative.

On page 52 of the 2003 document, he clearly states that systems should rely on a password of eight characters or more that are selected from an alphabet of 94 printable characters. This password should also include at least one upper case letter, one lower case letter, one number, and one special character. Systems should even rely on a dictionary that prevents users from including familiar words and using their login name as the password too.

The problem with this method is that users tend to have patterns when creating a password. For instance, they may take a familiar word, such as password, and alter it slightly to meet the requirements. The result could be something like P@zzwurd2017, which isn't all that original, and something we conjured up in a matter of seconds.

Right now, systems give users a thumbs-up when they follow the current standard and even provide a visual measurement tool indicating the password's strength against hacking. But then users are requested/forced to change their password every 90 days, thus they may use the same base word, but alter the character usage to please the update process (such as P@ssw0rd2K17).

When the guidelines were created in 2003, they were not based on collected data. System administrators would not cough up any passwords for examination, thus Burr turned to a whitepaper published in the 1980s, long before the general American population purchased a modem and jumped onto the world wide web using Netscape or America Online.

Fast forward to 2017, and the National Institute of Standards and Technology provides new guidelines for systems to follow. Authored by technical adviser Paul Grassi, it tosses out much of what Burr established years ago. But Grassi admits that Burr's system lasted for 14 years, and hopes that his revised password ruleset lasts just as long. He suggests that systems remove the 90-day password refresh and the requirement for special characters.


Article is from 2017 but still relevant since you most likely still use his standard.
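
The weakness the quoted article describes, as an added Python example that is not part of the original post or the article: both sample passwords pass the 2003 composition rule, yet both reduce to the same common base word once the trailing year and character swaps are undone. The blocklist, the substitution table and the 0.6 similarity cutoff are constructed for illustration.

```python
import difflib
import re
import string

# Constructed sample blocklist; a real one holds many thousands of entries.
COMMON = {"password", "letmein", "qwerty", "welcome"}

# Character swaps undone before comparison (assumed, illustrative set).
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "3": "e",
                      "1": "l", "$": "s", "5": "s", "!": "i"})

# Letters, digits and punctuation: the 94 printable characters (no space).
PRINTABLE_94 = set(string.ascii_letters + string.digits + string.punctuation)


def meets_2003_rule(pw, login=""):
    """Composition rule as the article describes it."""
    low = pw.lower()
    return (len(pw) >= 8
            and set(pw) <= PRINTABLE_94
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw)
            and low != login.lower()
            and not any(word in low for word in COMMON))  # literal dictionary check


def resembles_common(pw, cutoff=0.6):
    """Return the blocklisted word this password is built on, or None."""
    # Drop a trailing year or counter ("2017", "2K17", "1") first, so its
    # digits are not mistaken for letter substitutions.
    stem = re.sub(r"(2[kK]\d{2}|\d+)$", "", pw)
    stem = stem.lower().translate(LEET)
    hits = difflib.get_close_matches(stem, COMMON, n=1, cutoff=cutoff)
    return hits[0] if hits else None


if __name__ == "__main__":
    # The two passwords quoted in the article plus a constructed passphrase.
    for pw in ("P@zzwurd2017", "P@ssw0rd2K17", "correct horse battery staple"):
        print(f"{pw!r}: 2003 rule={meets_2003_rule(pw)}, "
              f"built on={resembles_common(pw)}")
```

The passphrase fails the 2003 rule (no upper-case letter, digit or symbol, and it contains spaces) while matching nothing on the blocklist, which is the mismatch the article points at.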
Pukelid
09/27/19 1:45:33 PM
#2:


darkphoenix181 posted...
Bill Burr

---
Hairistotle
SSJKirby
09/27/19 1:49:45 PM
#3:


Couldn't hack it in computer science and is now a comedian

---
Not changing this signature until Beyond Good and Evil 2 is in my hand.
August 25th, 2010.
Umbreon
09/27/19 1:52:46 PM
#4:


Hate having to change my password so often. Just let me keep my old one and trust it's secure enough.
---
This is a mobile account, forgive any errors. ~DYL~
https://www.youtube.com/watch?v=kTEX3YdEi7s
darkphoenix181
09/27/19 1:55:27 PM
#5:


Umbreon posted...
Hate having to change my password so often. Just let me keep my old one and trust it's secure enough.


Thanks Bill Burr.
Questionmarktarius
09/27/19 1:57:29 PM
#6:


All this led to, was easily hacking someone's computer by just turning the keyboard over and reading the post-it stuck to the bottom.
Bio1590
09/27/19 1:58:12 PM
#7:


I remember when IT Security at work forced us to change from "passwords" to "passphrases" and doubled the minimum character requirement from minimum 8 to minimum 16.

I literally just duplicated my old password.
darkphoenix181
09/27/19 2:14:28 PM
#8:


Questionmarktarius posted...
All this led to, was easily hacking someone's computer by just turning the keyboard over and reading the post-it stuck to the bottom.


Lol, yep.

Or notepad on pc having all the passwords.
LightHawKnight
09/27/19 2:19:05 PM
#9:


Questionmarktarius posted...
All this led to, was easily hacking someone's computer by just turning the keyboard over and reading the post-it stuck to the bottom.


Pfft, we got people who just tape the password to the bottom of their screen.....
---
The Official Odin of the Shin Megami Tensei IV board.
"You know how confusing the whole good-evil concept is for me."
Hotel_Security
09/27/19 2:21:22 PM
#10:


The man responsible for your requirement to use a combination of lower-case letters, upper-case letters, numbers, and symbols in passwords at least eight characters long is now regretting his advice.

For anyone who works in an office with lots of logins for a lot of software and systems, this man is the devil. At least he admits his evil ways but the damage is done.
konokonohamaru
09/27/19 2:23:08 PM
#11:


I hate whoever invented the "security question" even more.

As if I can remember my address from like 12 years ago.
---
A very happy young man looking forward to a bright and wonderful future.
HBOSS
09/27/19 2:25:05 PM
#12:


...that guy!
Nothing like changing passwords every so often due to policy AND doing 2 step verification process to log in.

For all I know 1 breach compromises everything and everyone. Don't be that guy


---
You don't stop playing because you grow old,
You grow old because you stop playing
Trigg3rH4ppy
09/27/19 2:34:24 PM
#13:


Pukelid posted...
darkphoenix181 posted...
Bill Burr

Change ya fuckin passwords!
---
~A little nonsense, now and then, is relished by the wisest men ~
TWSSted since~ 3/27/12 https://imgur.com/zlaENmx
darkphoenix181
09/27/19 2:35:21 PM
#14:


Trigg3rH4ppy posted...
Pukelid posted...
darkphoenix181 posted...
Bill Burr

Change ya fuckin passwords!


"Have you ever seen the passwords women come up with?"
Lordgold666
09/27/19 3:12:54 PM
#15:


Pukelid posted...
darkphoenix181 posted...
Bill Burr

Lol
---
3DS: 1848-2391-0198
"May the Father of Understanding guide us"
EzeDoesIt
09/27/19 3:15:57 PM
#16:


Pukelid posted...
darkphoenix181 posted...
Bill Burr


Wow so now the alt-right even hates computers? smh
---
Not changing this sig.
Southernfatman
09/27/19 3:17:55 PM
#17:


Rumor has it he said "Dohhh jeezus" when discussing this.
---
https://imgur.com/hslUvRN
When I sin I sin real good.