

Blog Post

Complicated Passwords are C***

Kevin Bailey • Jan 13, 2021

It's time to evolve and remove human creativity


We're probably all familiar with the advice about what makes a strong password, but the man who first suggested combining numbers and letters and adding special characters to our passwords now thinks a lot of his original advice was misguided.


David Neil wrote this piece in 2017 about Bill Burr who was working for the National Institute of Standards and Technology (NIST), part of the US government, when he wrote his original guidelines back in 2003. With the backing of NIST, they were widely adopted by other agencies and IT managers.


But telling people to come up with multiple, complicated passwords for every account has backfired, Burr says, because many of us now just use the same password for everything we log into – and that makes us more vulnerable to hackers, not less.


"Much of what I did I now regret," Burr, who is now retired, told Robert McMillan at the Wall Street Journal. "In the end, it was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree."


Burr originally recommended mixing upper and lower case characters with numbers and special characters to make passwords harder to crack, and technically speaking that's sound advice: the search space is the alphabet size raised to the password length, so moving from 26 possibilities per character to 52 (mixed case), 62 (adding digits) or around 95 (all printable ASCII) makes an exhaustive search take longer.

There are two problems with it though: first, people have tended to follow the same patterns (like replacing "S" with "5"), and password-cracking tools ship with exactly those substitutions as rules, so the real gain is a small fraction of what the bigger alphabet suggests. Second, users have struggled to remember all these complicated combinations, and have fallen back on using the same password for every account.


Burr also recommended that people change their passwords regularly. Again, while this is a good idea in principle, it's led to people just changing one letter or number each time, so an attacker who has the old password can guess the new one in a handful of tries.


As the xkcd comic "Password Strength" (#936), shown in the header image, puts it: "Through 20 years of effort, we've successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess."


"The more often you ask someone to change their password, the weaker the passwords they typically choose," Alan Woodward, from the University of Surrey in the UK, told the BBC. "And, as we have all now so many online accounts, the situation is compounded so it encourages behaviours such as password reuse across systems."


Check out Have I Been Pwned, from Australian security researcher Troy Hunt, to see whether your email address has appeared in a known breach, and its Pwned Passwords service to check whether a password you use has already been leaked.
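Pwned Passwords is designed so that the password itself never leaves your machine: the client hashes it with SHA-1, sends only the first five hex characters of the hash to the range endpoint, receives every suffix that shares that prefix, and does the comparison locally. The following is an added example written for this post, not code from Have I Been Pwned; the endpoint URL shape is the real one, but the range response and the breach count in it are constructed so the code runs offline, and the network call is swapped for a callable.

```python
"""Pwned Passwords range check using the k-anonymity scheme.

Added example, not code from Have I Been Pwned itself. Only the first five hex
characters of the SHA-1 hash leave the client; the service returns every suffix
in that range and the match is made locally. The sample response below is
constructed for this example (the count is made up), and the HTTP fetch is
replaced by a callable so the example runs offline.
"""
import hashlib
from typing import Callable

# Real endpoint shape: GET https://api.pwnedpasswords.com/range/<5-hex-prefix>
RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"


def sha1_parts(password: str) -> tuple:
    """Split the upper-case SHA-1 hex digest into the 5-char prefix sent to the
    service and the 35-char suffix that is only ever compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, response_text: str) -> int:
    """Parse 'SUFFIX:COUNT' lines of a range response; return the count for suffix (0 if absent)."""
    for line in response_text.splitlines():
        line = line.strip()
        if not line:
            continue
        found_suffix, _, count = line.partition(":")
        if found_suffix.upper() == suffix.upper():
            return int(count)
    return 0


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of times the password appears in the corpus, per the range lookup."""
    prefix, suffix = sha1_parts(password)
    return count_in_range(suffix, fetch_range(prefix))


# --- constructed offline data (not real service output) -----------------
_PREFIX, _SUFFIX = sha1_parts("password")
CONSTRUCTED_RESPONSE = "\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:1",  # unrelated suffix, constructed
    f"{_SUFFIX}:3861493",                      # 'password' with a made-up count
    "011053FD0102E94D6AE2F8B83D76FAF94F6:2",  # unrelated suffix, constructed
])


def constructed_fetch(prefix: str) -> str:
    """Stand-in for the HTTP call: returns the constructed range for 'password'."""
    return CONSTRUCTED_RESPONSE if prefix == _PREFIX else ""


def fetch_range_live(prefix: str) -> str:
    """Real fetcher (standard library only); not called in the offline example."""
    import urllib.request
    req = urllib.request.Request(RANGE_URL.format(prefix=prefix),
                                 headers={"User-Agent": "pw-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for candidate in ("password", "dodgebadgebigpanda"):
        n = pwned_count(candidate, constructed_fetch)
        verdict = f"seen {n} times, reject" if n else "not in sample range"
        print(f"{candidate!r}: {verdict}")
```

To run it against the real service, pass `fetch_range_live` instead of `constructed_fetch`; the server never learns more than the five-character prefix, which is shared by hundreds of other hashes.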


So, what should we be doing instead? 

You could take the new advice from Burr, xkcd creator Randall Munroe, and other experts, and pick a long phrase of several unrelated words that only you can remember; length adds far more to the search space than symbol substitutions do, so such a phrase would take a computer a huge amount of time to crunch through.


Something like "dodgebadgebigpanda" would do nicely. Don't use that, though, obviously.
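The argument above, and the earlier point that "S" to "5" substitutions buy little, come down to counting the search space. The following is an added example, not code from the original post: it estimates entropy for the policies the post contrasts (random characters from alphabets of 26, 52 and 95, a dictionary word with leet substitutions, and an xkcd-style phrase of random words from a 7776-word Diceware-size list) and turns each into a worst-case cracking time. The guess rate, the 100,000-word dictionary size and the substitution table are assumptions chosen for illustration.

```python
"""Keyspace and entropy estimates for the password policies discussed above.

Added example, not code from the original post. The guess rate, dictionary size
and leet-speak substitution table are assumptions chosen for illustration.
"""
import math

# Assumed offline guess rate against a fast, unsalted hash on a GPU rig.
ASSUMED_GUESSES_PER_SECOND = 1e11

# Assumed substitution table modelling the "S -> 5" habit; real cracking rule
# sets contain many more such rules, so this understates the attacker.
LEET_TABLE = {"a": ["@", "4"], "e": ["3"], "i": ["1", "!"],
              "o": ["0"], "s": ["5", "$"], "t": ["7"]}

ASSUMED_DICTIONARY_WORDS = 100_000  # assumption: size of the attacker's word list
DICEWARE_WORDS = 7776               # 6^5 words, the standard Diceware list size


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a password drawn uniformly from alphabet_size ** length possibilities."""
    return length * math.log2(alphabet_size)


def passphrase_bits(wordlist_size: int, words: int) -> float:
    """Entropy of a passphrase of `words` words drawn uniformly from a word list."""
    return words * math.log2(wordlist_size)


def substitution_bits(base_word: str, table: dict = LEET_TABLE) -> float:
    """Extra entropy from leet substitutions the attacker already enumerates.

    At each position the attacker tries the original character plus every listed
    substitute, so the gain is only log2(1 + substitutes) bits per position.
    """
    bits = 0.0
    for ch in base_word.lower():
        bits += math.log2(1 + len(table.get(ch, [])))
    return bits


def crack_time_seconds(bits: float,
                       guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to exhaust 2 ** bits guesses at the given rate."""
    return 2.0 ** bits / guesses_per_second


def compare_policies() -> dict:
    """Entropy in bits for the policies the post contrasts."""
    return {
        "8 lowercase letters": entropy_bits(26, 8),
        "8 mixed-case letters": entropy_bits(52, 8),
        "8 chars from 95 printable ASCII": entropy_bits(95, 8),
        "dictionary word 'password' with leet substitutions":
            math.log2(ASSUMED_DICTIONARY_WORDS) + substitution_bits("password"),
        "3 random words from a 7776-word list": passphrase_bits(DICEWARE_WORDS, 3),
        "4 random words from a 7776-word list": passphrase_bits(DICEWARE_WORDS, 4),
    }


if __name__ == "__main__":
    for name, bits in compare_policies().items():
        seconds = crack_time_seconds(bits)
        print(f"{name:52s} {bits:6.1f} bits  worst case ~{seconds / 86400:.3g} days")
```

Two things stand out when it runs: "password" with every leet substitution the attacker models is still only about 22 bits under these assumptions, while four random words from a 7776-word list give roughly 52 bits, on a par with eight fully random printable characters and with nothing to memorise except four words.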


To take the creativity away from the human altogether, you could move your IAM solution towards device-based and biometric authentication methods, and make sure multi-factor authentication is required rather than merely offered across every system it fronts.


Technical advisor Paul Grassi, who wrote up the latest NIST guidelines (SP 800-63-3, published in 2017), says Burr shouldn't feel too bad about regretting his advice in hindsight. "He wrote a security document that held up for 10 to 15 years," Grassi told the WSJ. "I only hope to be able to have a document hold up that long."

