From the BBC
Password guru regrets past advice
The author of an influential guide to computer passwords says he now regrets several of the tips he gave.
Bill Burr had advised users to change their password every 90 days and to muddle up words by adding capital letters, numbers and symbols - so, for example, "protected" might become "pr0t3cT3d4!".
The problem, he believes, is that the theory came unstuck in practice.
Mr Burr now acknowledges that his 2003 manual was "barking up the wrong tree".
He disclosed his views in an interview with the Wall Street Journal.
[ ... ]
The rest of the BBC article is based on the Wall Street Journal article, which is linked to but may not always be readable online for free -- I'm not sure what their general policy is.
Email from the Australian Government (Stay Smart Online):
New guidelines for creating strong passwords
23 August 2017
The US National Institute of Standards and Technology (NIST) has issued new guidelines for password security that turn accepted wisdom about creating long strings of letters, numbers and symbols on its head.
Details
NIST, a non-regulatory federal agency within the US Department of Commerce, issued the original advice in 2003 that became the global standard for password security. But it now says the advice led people to create predictably ‘complex’ passwords in a bid to remember them, which made them more vulnerable to hackers.
A former employee who has since retired said there just wasn't enough real-world data available at the time.
Staying safe
Key changes in NIST’s new digital identity guidelines include:
- Don’t arbitrarily mix letters, numbers and symbols to make a password. Instead, create passwords that are more memorable.
- Single dictionary words, the user’s street address or numeric sequences such as 1234567 should be banned.
- Organisations should screen the strength of their passwords against those used in cybercriminal dictionary attacks, a method of breaking into a password-protected computer or server by systematically entering every word in a dictionary as a password.
- Stop frequently changing passwords, for example each month, as it leads to poor passwords being created.
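As an added illustration of the screening approach in the list above (this is example code, not from the BBC, Stay Smart Online or NIST), the function below rejects blocklisted passwords, single dictionary words, sequences like 1234567, repeated characters and context-specific terms such as a username, while applying no letter/number/symbol composition rules at all. The blocklist and dictionary are tiny constructed samples, and undoing "leet" substitutions so that "pr0t3cT3d4!" is recognised as the word "protected" is an assumed heuristic, not something the guidance specifies.

```python
import re

# Constructed sample data (stand-ins for a real breached-password blocklist
# and a real word list); a production deployment would load large lists.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "iloveyou"}
DICTIONARY = {"protected", "summer", "dragon", "monkey", "welcome"}

# Assumed heuristic: common single-character substitutions used to
# "complexify" a word, mapped back to the letters they replace.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def normalise(candidate: str) -> str:
    """Lower-case, drop trailing digits/symbols, undo leet substitutions."""
    core = re.sub(r"[^A-Za-z]+$", "", candidate).lower()
    return core.translate(LEET)


def is_sequence(s: str, min_len: int = 4) -> bool:
    """True if s contains min_len+ characters stepping by +1 or -1 (1234, dcba)."""
    for i in range(len(s) - min_len + 1):
        diffs = {ord(s[j + 1]) - ord(s[j]) for j in range(i, i + min_len - 1)}
        if diffs in ({1}, {-1}):
            return True
    return False


def screen_password(candidate, context_terms=(), blocklist=BLOCKLIST,
                    dictionary=DICTIONARY):
    """Return rejection reasons; an empty list means the password is accepted.
    Deliberately no composition (upper/lower/digit/symbol) requirements."""
    reasons = []
    lowered = candidate.lower()
    if len(candidate) < 8:
        reasons.append("shorter than 8 characters")
    if lowered in blocklist:
        reasons.append("appears on the blocklist of commonly used passwords")
    if normalise(candidate) in dictionary:
        reasons.append("is a single dictionary word (after undoing common substitutions)")
    if is_sequence(lowered):
        reasons.append("contains a sequential run such as 1234 or abcd")
    if len(set(lowered)) == 1:
        reasons.append("is a single repeated character")
    for term in context_terms:  # e.g. username, street address
        if len(term) >= 3 and term.lower() in lowered:
            reasons.append(f"contains the context-specific term {term!r}")
    return reasons
```

A long memorable passphrase such as "correct horse battery staple" passes every check, whereas the article's "pr0t3cT3d4!" is rejected as a disguised dictionary word.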