20.5k unique visitors in the last 3 days

Why Password Advice Has Been Terrible

If you only think about maths and algorithms you may ignore the ways that human behavior will undermine them.

In 2003, Bill Burr told the world that people should use capital letters, numbers and obscure symbols in their passwords. Unfortunately, the world listened to Bill, mostly because he worked for the USA’s National Institute of Standards and Technology (NIST) and wrote NIST Special Publication 800-63 Appendix A, a guide which said people should create complex passwords. Bill Burr now admits his password advice was wrong.

Bill was wrong because passwords that look much more complex to human beings are only a little more complex for the machines designed to crack passwords. On the other hand, people need to remember passwords, and they keep being asked to remember more and more passwords, so they will use short cuts to make their passwords more memorable. This is an example of a short cut which uses symbols and numbers and capital letters: Pa$$w0rd. It may meet the complexity rules imposed on a user, but it is not a good password. Another way to reduce the burden when remembering passwords is to use the same password for lots of different accounts; if one gets hacked, they all get compromised. People might address the cognitive load of being forced to regularly change their passwords by adding a number to the end of their password: Password1, Password2, Password3 etc. That means enforced changes will lead people to choose simpler passwords than they might have adopted otherwise. Ultimately it is very hard to remember a password like 5%gh4pW*1X whilst it is much easier to remember a password like janetisnotfromthailandandilikebluejellybeans. However, the second password is also less likely to be cracked, despite the fact it only uses lower-case letters. That is because it is so much longer than the first one.

What looks like good security from a technological perspective will actually be poor security if it does not take account of how human beings actually behave. And that is why password advice has been terrible, and why so much security advice continues to be terrible. You might think human beings should change, in order to protect themselves and others from harm. But they are not going to change, even if you want them to. So the advice given to human beings needs to be revised to reflect what people might realistically be expected to do in practice. And that is what happened to NIST Special Publication 800-63 which has recently been re-written.

Eric Priezkalns
Eric Priezkalnshttp://revenueprotect.com

During his career, Eric has been a Director of Risk Management for a national telco, the Chief Executive of the Risk & Assurance Group, a Chief Marketing Officer for a software business, a consultant, a public speaker and the publisher of Commsrisk since its launch in 2006. Look here for more about the history of Commsrisk and the role played by Eric.

The comms providers that Eric has worked for include Qatar Telecom, Cable & Wireless, T‑Mobile, Sky and Worldcom. In addition to his proficiency at speaking about the current scamdemic, Eric is also a qualified chartered accountant and a subject matter expert in consumer protection, enterprise risk management, fraud prevention, data integrity and billing accuracy. Eric was the lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He can be reached through the contact form on this website.

Related Articles

1 COMMENT

Comments are closed.

The Commsrisk Global Fraud Dashboard


Our Global Fraud Dashboard uses AI-powered search to collate, update and visualize data about scams and other network abuses from around the world. New charts are added each month. See it here.

Get Our Weekly Newsletter by Email