
Author Topic: Password guru regrets past advice  (Read 121 times)


Offline 1bit

  • STAFF - Technical Expert
  • Must be an Admin?
  • ********
  • Posts: 8366
  • Gender: Male
    • Tech Forum
Password guru regrets past advice
« on: 09 August 2017, 14:20:46 »
Quote

THE DUDE WHO THE National Institute of Standards and Technology (NIST) thought should write what should become de facto password rules has apologised for his efforts, some 14 years later and countless password hacks down the line.

Bill Burr, a former manager at the National Institute of Standards and Technology (NIST), put the rules together in 2003. From the sounds of an interview in the Wall Street Journal, they were just dumped in his lap. Whatever, a decade and a half later Burr has something to add, and it is an apology.

Burr is sorry for making password selection too much of a tricky task: "Much of what I did, I regret," he said.

What he did was create the page-turning document "NIST Special Publication 800-63. Appendix A", and made up those rules that say you need a password made up of capital and lowercase letters, numbers and characters and that you ought to change it about once every quarter year.

Burr bared his heart in the Wall Street Journal, telling the paper that the rules were cribbed from documents from the 1980s and are perhaps unnecessarily complicated.

"In the end, [the advice] was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree." It is not terrible advice of course, it's not exactly your football team or your date of birth, but it does leave users open to some password abuse and potentially easy cracking.

The NIST has torn up that old rule book and will come up with a new one soon, and it should make for a very interesting read and save the 'Password' posse from future penetration. This one has been written by NIST technical advisor Paul Grassi, and should hopefully and assumingly recommend slightly more inventive and prophylactic password picking.

https://www.theinquirer.net/inquirer/news/3015358/the-dude-who-wrote-the-book-on-passwords-has-apologised
PlusNet VDSL Fibre 40/2
BT HomeHub 5B (Broadcom 63168) <---> ECI Dslam (Lantiq M41a)

Offline 1bit

  • STAFF - Technical Expert
  • Must be an Admin?
  • ********
  • Posts: 8366
  • Gender: Male
    • Tech Forum
Re: Password guru regrets past advice
« Reply #1 on: 09 August 2017, 14:54:51 »
That's why I use the "horse-staple-battery" technique (needs a better name). Passwords are about entropy, but it's easier to remember two to four words than it is, say, 8 random digits of upper/lower case & characters+numbers.

Passwords that are 8 characters or less are hackable within hours (regardless of how many characters it has), hence they need to be longer to be secure.

e.g.

alphabetacharlie = 16 characters
Strength: Reasonable - This password is fairly secure cryptographically and skilled hackers may need some good computing power to crack it. (Depends greatly on implementation!)
Entropy: 58 bits
52,000 years to hack


But if you remember that the first letter of each word is upper case:

AlphaBetaCharlie
Strength: Strong - This password is typically good enough to safely guard sensitive information like financial records.
Entropy: 70.4 bits
2 Billion years to hack


Of course it's easy to remember... ABC... that's all you would need to remember; from that you would recall AlphaBetaCharlie.

You could make it even more secure by adding more and/or random words, or add in characters and/or numbers if you can... but then you start to head towards exactly what you're trying to avoid (hard-to-remember passwords).

PLEASE NOTE THE ABOVE IS AN EXAMPLE: I'M PRETTY SURE ALL PASSWORD HACKING TOOLS WILL HAVE THE NATO PHONETIC ALPHABET IN THEIR "DICTIONARY" AND OTHER PRE-'BRUTE-FORCE' GUESS/ATTEMPT MODULES IN THEM.
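The reply above quotes entropy and "years to hack" figures from a strength meter and then warns, correctly, that cracking tools carry the NATO alphabet in their dictionaries. The following is an added example written for this thread (it is not the poster's code and not the tool that produced those numbers) that makes the caveat concrete: it scores the same passphrases two ways, first with the naive per-character charset model most meters use, then against an attacker who guesses concatenations of words from a wordlist with a handful of capitalisation rules. The wordlist (NATO alphabet plus a few Greek letters, so that "beta" is covered), the three case rules and the guess rate of 10^10 per second are constructed assumptions for illustration; the point is how far the two estimates diverge for the very same password.

```python
import math
import string

SECONDS_PER_YEAR = 365.25 * 86400

# Constructed wordlist standing in for one slice of an attacker's dictionary:
# the 26 NATO phonetic words plus six Greek letters (32 entries, so log2 = 5).
SAMPLE_WORDLIST = [
    "alpha", "bravo", "charlie", "delta", "echo", "foxtrot", "golf", "hotel",
    "india", "juliett", "kilo", "lima", "mike", "november", "oscar", "papa",
    "quebec", "romeo", "sierra", "tango", "uniform", "victor", "whiskey", "xray",
    "yankee", "zulu",
    "beta", "gamma", "epsilon", "zeta", "theta", "omega",
]

# Assumed capitalisation rules an attacker would try per word:
# all-lowercase, Capitalised, ALL-CAPS.
CASE_RULES = 3


def charset_size(password):
    """Alphabet size under the naive 'character classes present' model."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += len(string.ascii_lowercase)
    if any(c in string.ascii_uppercase for c in password):
        size += len(string.ascii_uppercase)
    if any(c in string.digits for c in password):
        size += len(string.digits)
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return size


def brute_force_bits(password):
    """Entropy estimate assuming every character is uniformly random over its charset."""
    return len(password) * math.log2(charset_size(password))


def split_words(password, wordlist):
    """Greedy longest-match segmentation into wordlist entries, case-insensitive.

    Returns the list of words, or None if some part of the password is not
    covered by the wordlist (then the dictionary model does not apply).
    Greedy matching is a simplification; a real cracker tries many splits.
    """
    text = password.lower()
    words = set(wordlist)
    longest = max(len(w) for w in wordlist)
    out, i = [], 0
    while i < len(text):
        for length in range(min(longest, len(text) - i), 0, -1):
            if text[i:i + length] in words:
                out.append(text[i:i + length])
                i += length
                break
        else:
            return None
    return out


def wordlist_bits(password, wordlist, case_rules=CASE_RULES):
    """Entropy against an attacker concatenating wordlist entries with case rules.

    Each word contributes log2(len(wordlist)); the capitalisation pattern is
    modelled as one choice among case_rules for the whole password.
    """
    parts = split_words(password, wordlist)
    if parts is None:
        return None
    return len(parts) * math.log2(len(wordlist)) + math.log2(case_rules)


def crack_time_years(bits, guesses_per_second=1e10):
    """Expected time to exhaust the keyspace at the assumed guess rate (a constructed figure)."""
    return (2 ** bits) / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    for pw in ("alphabetacharlie", "AlphaBetaCharlie"):
        naive = brute_force_bits(pw)
        dictionary = wordlist_bits(pw, SAMPLE_WORDLIST)
        print(f"{pw}: charset model {naive:.1f} bits "
              f"(~{crack_time_years(naive):.3g} years at 1e10/s); "
              f"wordlist model {dictionary:.1f} bits "
              f"(~{crack_time_years(dictionary) * SECONDS_PER_YEAR:.3g} seconds)")
```

Run stand-alone it prints both estimates for the two passphrases from the post; the charset model lands in the tens of thousands of years while the wordlist model finishes in a fraction of a second, which is exactly why the strength meter's "52,000 years" should be read as an upper bound that holds only if the words are not in the attacker's dictionary.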
