Skip to content
Naked Security Naked Security

Why NIST’s Bill Burr shouldn’t regret his 2003 password advice

We've learned a lot about passwords since 2003 - not least that you need more than even the best-crafted password to keep data safe

Back in 2003, an engineer called Bill Burr wrote the official guidance on password security for the US National Institute of Standards and Technology (NIST), since widely referenced as the last word on the subject for government departments, large organisations and, latterly, consumers.

Fourteen years on, and a year after NIST overhauled the document from scratch, Burr has told the Wall Streel Journal he regrets flaws in his advice, an unusual and brave admission for any professional to make.

Burr sums up his 2003 approach:

It just drives people bananas and they don’t pick good passwords no matter what you do.

We think Burr is being hard on himself, but let’s do him the courtesy of outlining what he thinks was wrong with the influential but oft-mangled eight-page NIST Special Publication 800-63, appendix A.

At its core was the simple orthodoxy that users should choose alphanumeric passwords sprinkled with capitals and special characters. These should be changed regularly.

The first part of this advice forms the basis of almost every password policy in existence, along with a requirement that passwords be at least X (usually now eight) characters long.

This wasn’t bad advice back in 2003 given that many users chose comedy passwords such as “password123”. Applying NIST’s rules, they could change that to the 12-character “P@ssW0rd123!” and congratulate themselves on how easily they had boosted their security.

Except, we now know, they hadn’t, for reasons that are reminiscent of what economists call the tragedy of the commons. To simplify, this states that what appears a good idea for an individual stops being so if everyone does the same thing.

If one person chooses a “P@ssW0rd123!”, in theory it’s secure. But when lots of people use a similar pattern, attackers have something predictable to aim at.

Realising that imposing generic password rules makes people gravitate towards common patterns, NIST now recommends that people focus more on length while checking existing passwords against a dictionary of known bad (ie, common, guessable) combinations.

The second part of Burr’s advice – changing passwords regularly – probably became one of the biggest banes of professional IT because it generated work and often wasn’t effective when people made only minor tweaks. The advice today is to change passwords only when necessary (such as after a breach), which is good news for the vast number of people who’ve never bothered anyway.

Burr and NIST were still right to offer some advice because the alternative of offering no or heavily qualified advice wouldn’t have saved the world from bad passwords. Indeed, large numbers of users still ignore even the baseline of Burr’s 2003 rules and use hopeless passwords where they are allowed to – any number of bad passwords revealed in data breaches tells us this.

A fundamental challenge is that what constitutes a secure password changes over time as attackers up the ante. There’s also a need to balance usability. Make a password too easy (short, predictable) and attackers will uncover it, but make it too hard (long, complex) and users will take shortcuts.

What, then, has really changed for password security between 2003 and now?

Ironically, it’s the realisation that passwords, no matter how well crafted, are no longer enough on their own. A single phishing attack can grab even the best password as can the breaching of a poorly secured database. Even the best get re-used over and over.

The world still uses passwords but increasingly supplements them with systems of authentication and identity that take decisions out of users’ hands, something that is at the heart of NIST’s revised guidelines.

Anyone who still wants some password-crafting advice without ploughing through NIST’s document might start with how to pick a proper password or Naked Security’s busting password myths podcast but only after reading how difficult it is to craft a password that can withstand even 100 guesses.


8 Comments

While I tend to agree that frequent password changes do not significantly enhance security, I must challenge the phrase “…only when necessary (such as after a breach)”. As we have seen repeatedly in recent months, breaches often go undetected for long periods of time, even several years. That being the case, how do we know when a change is necessary?

Ideally…frequent access audits should reveal unauthorized use of “still-good” credentials, but devoting resources to that level of granularity isn’t often in the I.T. budget. It also requires the authorized users to painstakingly document their every move. Since neither of these practices is directly billable to a client, it’s rarely done.

I don’t think it’s wrong to change your password just because you feel like it – the problem I have (and we’ve argued this several times on Naked Security) is with an ecosystem where you have a policy that requires changes that are regular and frequent, no matter what.

You can see how that ends up with password-01, -02, -03 and so on…

Good point, but changing your password every 90 days just means that the bad actors can still abuse your account for (at most) 90 days. Unless, of course, they figure out that you next password after “g!rlfriend12” will be “g!rlfriend13”.

Current advice is to change the password every minute or every 30 seconds (ideally, the password changes itself without user intervention), and that a password may be used only once (so you, and possibly a bad actor, cannot re-login within 1 minute or 30 seconds, and after that time the password will be changed).

Okay, bad actors aren’t dumb, and we now see an increasing number of attempts to access smartphones where a password generator (“token”) runs. Of course, the “token” is ideally protected with a “password” (a six or eight digit PIN)…

To be more precise, those changed-every-30-second one-time access codes should be a *second* factor of security in additional to any conventional password you have.

“which is good news for the vast number of people who’ve never bothered anyway”

…albeit for the wrong reason. :-)

I like that he admitted that but want to slap him for ever creating it! It seems everything now requires the uppercase, character, number, symbol and because if this I am constantly wasting time resetting passwords. It’s the most annoying thing and I wish his admission would get all these companies and services to revise.

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?