In 2003, Bill Burr told the world that people should use capital letters, numbers and obscure symbols in their passwords. Unfortunately, the world listened to Bill, mostly because he worked for the USA’s National Institute of Standards and Technology (NIST) and wrote NIST Special Publication 800-63 Appendix A, a guide which said people should create complex passwords. Bill Burr now admits his password advice was wrong.
Bill was wrong because passwords that look much more complex to human beings are only a little more complex for the machines designed to crack passwords. On the other hand, people need to remember passwords, and they keep being asked to remember more and more of them, so they will use short cuts to make their passwords more memorable. This is an example of a short cut which uses symbols, numbers and capital letters: Pa$$w0rd. It may meet the complexity rules imposed on a user, but it is not a good password. Another way to reduce the burden of remembering passwords is to use the same password for lots of different accounts; if one gets hacked, they all get compromised.

People might address the cognitive load of being forced to regularly change their passwords by adding a number to the end of their password: Password3, and so on. That means enforced changes will lead people to choose simpler passwords than they might have adopted otherwise. Ultimately it is very hard to remember a password like 5%gh4pW*1X, whilst it is much easier to remember a password like janetisnotfromthailandandilikebluejellybeans. However, the second password is also less likely to be cracked, despite the fact that it only uses lower-case letters. That is because it is so much longer than the first one.
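To put numbers on the argument, here is an added Python example (not part of the original post): it applies a 2003-style composition rule, estimates the exhaustive-guessing search space from length and alphabet size, and runs a substitution-aware check against a blocklist of common base words. The word list and the substitution table are constructed for the example and are far smaller than a real checker would use.

```python
import math
import re
import string

# Constructed mini blocklist of common base words (a real checker uses a large list).
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty"}

# Substitutions people commonly use to satisfy "symbol and digit" rules (constructed table).
LEET_MAP = str.maketrans({"$": "s", "0": "o", "1": "i", "3": "e",
                          "4": "a", "5": "s", "7": "t", "@": "a", "!": "i"})


def meets_complexity_rules(pw, min_len=8):
    """The classic rule: at least min_len chars with upper, lower, digit and symbol."""
    return (len(pw) >= min_len
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def alphabet_size(pw):
    """Size of the union of standard character classes the password draws from."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def brute_force_bits(pw):
    """Bits of search space for exhaustive guessing: length * log2(alphabet)."""
    return len(pw) * math.log2(alphabet_size(pw))


def normalised_base(pw):
    """Undo the two shortcuts in the text: trailing counter (Password3) and leet (Pa$$w0rd)."""
    base = re.sub(r"\d+$", "", pw)          # drop the appended "change counter" first
    return base.translate(LEET_MAP).lower()  # then reverse symbol/digit substitutions


def is_dictionary_variant(pw):
    """True when the password is just a common word dressed up to pass the rules."""
    return normalised_base(pw) in COMMON_WORDS


def assess(pw):
    """Verdict a defender would want: blocklist hit first, then search space, not composition."""
    if is_dictionary_variant(pw):
        return "weak: common word with substitutions"
    return "acceptable" if brute_force_bits(pw) >= 80 else "weak: small search space"
```

Pa$$w0rd passes the composition rule yet is flagged as a dressed-up dictionary word, while the long lower-case passphrase fails the rule but offers roughly three times the brute-force search space of 5%gh4pW*1X.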
What looks like good security from a technological perspective will actually be poor security if it does not take account of how human beings actually behave. And that is why password advice has been terrible, and why so much security advice continues to be terrible. You might think human beings should change, in order to protect themselves and others from harm. But they are not going to change, even if you want them to. So the advice given to human beings needs to be revised to reflect what people might realistically be expected to do in practice. And that is what happened to NIST Special Publication 800-63 which has recently been re-written.