We’ve all been through this: Register for an online service and create a password, only to be told that the password is not valid. There are common rules which include «no longer than 8 characters», «must contain at least one capital letter and one number», etc. Some sites have very long lists of requirements, making it very frustrating for the user to create their password.
If you think these password guidelines are absurd, then good news: You’re not alone. The man who created them, William E Burr, also thinks that.
Burr, a former manager at the National Institute of Standards and Technology (NIST), was the person who first received the task to make the rules on how passwords should be created for all online services. While he is literally the guy who wrote the book on how to make passwords, he is also very aware today that these guidelines are a hindrance that in fact, don’t make your password more secure.
I spoke with him briefly and started by asking him what feedback he received from his staff back in 2003 when he shared the first draft of his password-creation protocol:
“I got a good bit of feedback, much of it fairly technical” Burr says. “One comment suggested that I was focusing on average password entropy, when I should be thinking about minimum password entropy. Others thought that it was hard to justify the entropy estimates that I gave, which has been a persistent criticism of NIST Recommendation Special Publication 800-63 Appendix A»
The Publication Burr refers to, is a large and detailed document containing all the rules and guidelines as to how passwords should be created. Burr continues:
«But Appendix A and passwords in general were maybe 2% of the overall document which covered many topics like identity proofing and registration, security protocol requirements, a general structure for multi-factor authentication, and so on.»
Multi-Factor Authentication refers to a security system that only grants the user access after they submit more than one type of credential (e.g. requesting your password and your home address)
The problem is that, back when Burr was given the responsibility to mandate how passwords should be created, there was very little knowledge as to what makes a password safe. For example, it was erroneously believed that the more «odd» characters a password contains, the safer it is. Replacing a word, like “Champion” for “Ch4mp10n” is actually fairly easy for a computer program or hacker to decode. Instead, it’s been proven that long passwords using random words, without any strange characters, are much easier for a human being to remember, and much harder for a computer or hacker to decode: “strange_banana_arriving_via_telephone”.
But not everything is bad news: The NIST has recently released a new publication, undoing a lot of these guidelines. The document is very long and thorough, but basically advocates for a more user-friendly password creation system, undoing a lot of these unnecessary rules, such as limiting the password to eight characters, or forcing you to use only a limited list of characters. The new rules will basically favor the user, allowing them to have more freedom in how they want to design their password.
While Burr had already retired, he did assist the staff prior to publishing the new document. «I participated in this as a consultant, and think that the new password appendix (NIST Special Publication 800-63B, Appendix A – Strength of Memorized Secrets) is a considerable improvement on the one I originally wrote.»
Online security is a complicated issue and it’s safe to expect that these security systems will continue to evolve. But all flaws aside, it’s good to know that the people in charge of internet security, follow a scientific approach of willingness to reject any method if new evidence proves there’s a better way. “I wish I had this research result in 2003, but I didn’t.» Burr concludes. «However I’m a good enough engineer to change my mind when confronted with better data and arguments. Data rules.»