Toronto Star

Man who wrote password rules regrets them

Guru who urged us to use mixture of numbers, capitals, now says none of that worked

- SCOTT WHEELER STAFF REPORTER

The man who gave us all those complicated password guidelines to keep our online footprints safe now says he was wrong — about pretty much everything.

Fourteen years after writing a National Institute of Standards and Technology report on building passwords with irregular capitalization and a mix of numbers, letters and special characters, the organization’s former manager, Bill Burr, said he inadvertently led internet users to predictable, lazy practices.

“Much of what I did I now regret,” Burr, now 72 and retired, told the Wall Street Journal.

Instead of making passwords more difficult to crack, Burr’s advice gave hackers insight into the kinds of numbers and characters people use to spell out predictable words. Worse yet, Burr advised users to regularly change their passwords (approximately every 90 days), walking them down an even more dangerous path.

Geneviève Lajeunesse runs Crypto-Québec to help people and companies protect against hacking. She says Burr’s theories crumbled in practice when users found “one recipe that works” and used it over and over, making easy-to-remember alterations such as adding “123” to the end of passwords.

“We’ve all done this,” she said. “If you’re doing it because nothing has happened, but because you’re forced to, of course you’ll be more likely to pick something that you increment and change minimally from one you’ve already memorized.”
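As an added illustration, not code from the article or from Crypto-Québec, the check below is the kind a password-change handler could run to flag the “one recipe” rotation Lajeunesse describes: the old password plus “123”, an incremented year, or a few swapped characters. The suffix pattern, the substitution table and the sample pairs are assumptions constructed for this example.

```python
import re

# Suffix "recipes" from the article: a short run of digits or punctuation tacked onto a
# memorised stem ("123", "!", "2017"). The length bound is constructed for this example.
TRIVIAL_SUFFIX = re.compile(r"[0-9!@#$%^&*.?]{1,4}$")
# Common character substitutions folded back so P@ssw0rd and password compare equal.
LEET = str.maketrans("0134@$!", "oieaasi")


def stem(password: str) -> str:
    """Strip a short trailing digit/punctuation run, lower-case, and undo leet swaps."""
    return TRIVIAL_SUFFIX.sub("", password).lower().translate(LEET)


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; a small value means the user changed very little."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_minimal_change(old: str, new: str, max_edits: int = 2) -> bool:
    """True when `new` is a recipe variant of `old`: the same stem once the suffix is
    stripped and substitutions folded, or only a couple of character edits away."""
    if stem(old) == stem(new):
        return True
    return edit_distance(old.lower(), new.lower()) <= max_edits


if __name__ == "__main__":
    # Constructed old/new pairs a forced 90-day rotation tends to produce.
    pairs = [
        ("Hockey2004", "hockey123"),       # same stem, new suffix
        ("Summer2017!", "Summer2018!"),    # incremented year
        ("P@ssw0rd", "password"),          # leet substitutions only
        ("hockey123", "GlacierLantern"),   # genuinely new password
    ]
    for old, new in pairs:
        verdict = "reject (trivial variation)" if is_minimal_change(old, new) else "accept"
        print(f"{old!r:16} -> {new!r:18} {verdict}")
```

A real deployment would compare against a stored verifier rather than the cleartext of the old password, so this check only works at the moment of change, when the user has just supplied both.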

Nowadays, a password is only as strong as its user is informed, according to Lajeunesse. They don’t need changing, as long as they haven’t been compromised. Users need to keep up-to-date on breaches. She says most people don’t even know their Yahoo! and MySpace accounts have been hacked and can’t list all the accounts they have online.

“They’ll create an account to play in the hockey pool in 2004 and then you forget about it,” she said. “But these accounts still exist and people are predictable, people will reuse the same password.”

If your email address was among those leaked, Lajeunesse says it is “absolutely certain” that groups of hackers now have your username and password.

And it’s difficult for policy-makers to adequately adjust. Lex Gill, who studies encryption policy with the Citizen Lab, says technology moves so much faster than the law that academics are now self-publishing rather than going through a too-slow academic vetting process.

Toronto-based wristband authenticator firm Nymi is among those trying to take the industry away from passwords towards devices that know you and act on your behalf. Nymi uses a person’s cardiac rhythm as their Bluetooth cardiogram-fingerprint to remove the burden of a password or key card.

“The problem today really becomes one of scale,” Nymi executive Karl Martin said.

“If you only had one account you had to worry about, then maybe it’s not that big a deal, but people are being asked to remember passwords for multiple accounts that for security purposes should be different for each one. How many times a day do you have to prove who you are?”

There are other options, too. Lajeunesse recommends using a second form of authentication. There are phone apps and button-activated USB keys that can offer a second layer of security. She also recommends having a different password for work and play. Password managers now offer cryptographically secure passwords, but the software must be consistently updated and guarded by an extremely secure master password to avoid significant breaches.

“Everything can be hacked, but make yourself less attractive,” she said. “If a hacker’s going through a list of accounts he can compromise and he has your password and it asks for a pin, he’ll go to another account.”

Still, there are no sure things, raising more questions than answers for internet users.

“Do you ever say, ‘Oh, this password isn’t important?,’ ” Lajeunesse asked. “I don’t think there’s such a thing as a password that isn’t important.”
