Why Password Advice Has Been Terrible

In 2003, Bill Burr told the world that people should use capital letters, numbers and obscure symbols in their passwords. Unfortunately, the world listened to Bill, mostly because he worked for the USA’s National Institute of Standards and Technology (NIST) and wrote NIST Special Publication 800-63 Appendix A, a guide which said people should create complex passwords. Bill Burr now admits his password advice was wrong.

Bill was wrong because passwords that look much more complex to human beings are only a little more complex for the machines designed to crack passwords. On the other hand, people need to remember passwords, and they keep being asked to remember more and more passwords, so they will use short cuts to make their passwords more memorable. This is an example of a short cut which uses symbols and numbers and capital letters: Pa$$w0rd. It may meet the complexity rules imposed on a user, but it is not a good password. Another way to reduce the burden when remembering passwords is to use the same password for lots of different accounts; if one gets hacked, they all get compromised. People might address the cognitive load of being forced to regularly change their passwords by adding a number to the end of their password: Password1, Password2, Password3 etc. That means enforced changes will lead people to choose simpler passwords than they might have adopted otherwise. Ultimately it is very hard to remember a password like 5%gh4pW*1X whilst it is much easier to remember a password like janetisnotfromthailandandilikebluejellybeans. However, the second password is also less likely to be cracked, despite the fact it only uses lower-case letters. That is because it is so much longer than the first one.

What looks like good security from a technological perspective will actually be poor security if it does not take account of how human beings actually behave. And that is why password advice has been terrible, and why so much security advice continues to be terrible. You might think human beings should change, in order to protect themselves and others from harm. But they are not going to change, even if you want them to. So the advice given to human beings needs to be revised to reflect what people might realistically be expected to do in practice. And that is what happened to NIST Special Publication 800-63 which has recently been re-written.

Eric Priezkalns
Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.