Password security guru admits his advice makes people more vulnerable to hackers

File picture illustration of the word 'password' pictured through a magnifying glass on a computer screen, taken in Berlin May 21, 2013. Reuters/Pawel Kopczynski/Files

Bill Burr, who was known as a guru in securing passwords, has now acknowledged that the guidance he published fourteen years ago only makes people more susceptible to hackers. In 2003, his advice to make passwords that are garbled strings of letters, numbers and special characters was accepted as gospel around the world.

But the former employee of the US National Institute of Standards and Technology (NIST) has admitted that such a technique makes it easy for hackers to determine people’s passwords. “In the end, it was probably too complicated for a lot of folks to understand, and the truth is, it was barking up the wrong tree,” the 72-year-old told The Wall Street Journal.

Burr, who programmed US Army computers during the Vietnam War, said he had wanted to base his advice on real-world password data. However, too little was available at that time, so he felt pressured to publish quickly.

According to security researchers, the problem is that, in practice, Burr’s advice led people to make highly predictable “complex” passwords. An example is the password “Pa$$w0rd.”

Because difficult passwords are a burden to remember, people tend to reuse similar ones on different sites. So if hackers obtain log-in details in a data breach like the Yahoo hack, they can try the same password on a victim’s accounts on other sites.

Ciaran Martin, head of the National Cyber Security Centre, which is part of Government Communications Headquarters (GCHQ), was one of those who criticised the standard password advice. He told BBC Radio 4’s Today programme that even his own “best technical people” would struggle to remember complex, changing log-ins for several accounts.

How to make better passwords

Cryptography experts have emphasized the benefits of long, simple passwords composed of strings of ordinary words. Author Randall Munroe calculated that it would take 550 years at 1,000 tries per second to crack the password “correcthorsebatterystaple” while “Tr0ub4dor&3” could be cracked in just three days.
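The comparison above comes from an entropy estimate: a passphrase of four words drawn from a known word list has about 44 bits of uncertainty, while a “complex” password built from a dictionary word plus predictable substitutions has about 28, and the crack time is the keyspace divided by the attacker's guess rate. The following Python is an added example, not code from the article or from Munroe; the 2048-word dictionary and the per-component bit counts for the “Tr0ub4dor&3” pattern are modelling assumptions, and the function names are this example's own.

```python
import math

# Added example (not from the article): estimate how long an attacker needs to
# exhaust a password's keyspace at a given guess rate. The entropy figures are
# assumptions about what the attacker already knows (the word list, the
# substitution habits), not measurements of any real password.

SECONDS_PER_DAY = 24 * 3600
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY


def passphrase_entropy_bits(word_count, dictionary_size):
    """Bits of entropy for `word_count` words chosen uniformly at random from a
    dictionary of `dictionary_size` words. The attacker is assumed to know the
    dictionary and the scheme, so only the choice of words is secret."""
    return word_count * math.log2(dictionary_size)


def pattern_entropy_bits(components):
    """Bits of entropy for a 'complex' password built from predictable parts.
    Each value is the attacker's uncertainty about that part, in bits; because
    the parts are chosen independently the bits simply add."""
    return sum(components.values())


def crack_time_seconds(entropy_bits, guesses_per_second):
    """Time to try every candidate in a keyspace of 2**entropy_bits."""
    return 2 ** entropy_bits / guesses_per_second


def human_duration(seconds):
    """Render a duration the way the article does (years or days)."""
    if seconds >= SECONDS_PER_YEAR:
        return f"{seconds / SECONDS_PER_YEAR:.0f} years"
    if seconds >= SECONDS_PER_DAY:
        return f"{seconds / SECONDS_PER_DAY:.1f} days"
    return f"{seconds:.0f} seconds"


def compare(guesses_per_second=1000):
    """Crack-time estimates in seconds for the article's two examples."""
    # Four words from an assumed 2048-word list: 4 * 11 = 44 bits.
    passphrase_bits = passphrase_entropy_bits(4, 2048)
    # "Tr0ub4dor&3"-style password: assumed per-component uncertainty, 28 bits.
    complex_bits = pattern_entropy_bits({
        "uncommon base word": 16,
        "capitalisation": 1,
        "common substitutions (0 for o, 4 for a)": 3,
        "appended numeral": 3,
        "appended symbol": 4,
        "order of numeral and symbol": 1,
    })
    return {
        "correcthorsebatterystaple": crack_time_seconds(passphrase_bits, guesses_per_second),
        "Tr0ub4dor&3": crack_time_seconds(complex_bits, guesses_per_second),
    }


if __name__ == "__main__":
    for password, seconds in compare().items():
        print(f"{password}: {human_duration(seconds)}")
```

Run with no arguments it reproduces the article's figures (roughly 550 years versus 3 days at 1,000 guesses per second). The guess rate is the variable a defender controls least: against a leaked hash database an attacker is not limited to 1,000 tries per second, so the ratio between the two passwords matters more than either absolute number, and slow password hashing is what keeps the rate down.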

Burr also has a new piece of advice, and that is for people to make it a habit to change their passwords regularly. Changing passwords must be done at least every 90 days.

This was embraced by corporations, universities and government bodies. It provides those grappling with ever-increasing numbers of passwords an even greater incentive to adopt easy combinations.

Several people have come to “update” their passwords with the simplest tweaks. For instance, “Pa55w0rd1” becomes “Pa55w0rd2”, “Pa55w0rd3” and then “Pa55w0rd4.”
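A system that enforces rotation can at least refuse the incremented-counter habit described above. The Python below is an added example, not code from the article or from NIST: it rejects a password change whose new value is the old one with a trailing number bumped, or that differs from the old one by only a couple of characters. The function names, the edit threshold and the sample passwords are this example's own choices. Such a check can only run at change time, while the old password is still present in the request; stored hashes cannot be compared this way.

```python
import re

# Added example (not from the article): a password-change check that rejects
# trivial variations of the previous password, e.g. Pa55w0rd1 -> Pa55w0rd2.
# Runs only at change time, when both cleartexts are available in the request.

# Lazy prefix followed by the longest run of trailing digits.
_TRAILING_DIGITS = re.compile(r"^(.*?)(\d*)$")


def split_counter(password):
    """Split 'Pa55w0rd12' into ('Pa55w0rd', '12'); no trailing digits -> ('...', '')."""
    stem, digits = _TRAILING_DIGITS.match(password).groups()
    return stem, digits


def levenshtein(a, b):
    """Minimum number of single-character edits turning `a` into `b`."""
    previous = list(range(len(b) + 1))
    for i, char_a in enumerate(a, 1):
        current = [i]
        for j, char_b in enumerate(b, 1):
            current.append(min(
                previous[j] + 1,                      # deletion
                current[j - 1] + 1,                   # insertion
                previous[j - 1] + (char_a != char_b),  # substitution
            ))
        previous = current
    return previous[-1]


def is_trivial_change(old, new, max_edits=2):
    """True if `new` is the old password with its trailing counter changed,
    or is within `max_edits` character edits of it (case-insensitive)."""
    old_c, new_c = old.casefold(), new.casefold()
    if split_counter(old_c)[0] == split_counter(new_c)[0]:
        return True  # same stem, only the counter (if any) differs
    return levenshtein(old_c, new_c) <= max_edits


def validate_password_change(old, new):
    """Return (accepted, reason) for a password-change request."""
    if is_trivial_change(old, new):
        return False, "new password is a trivial variation of the old one"
    return True, "accepted"


if __name__ == "__main__":
    # Constructed sample requests illustrating the habit the article describes.
    for old, new in [("Pa55w0rd1", "Pa55w0rd2"),
                     ("Pa55w0rd99", "Pa55w0rd100"),
                     ("Pa55w0rd", "Pa55w0rd!"),
                     ("Pa55w0rd4", "correct horse battery staple")]:
        print(old, "->", new, validate_password_change(old, new))
```

The check is deliberately narrow: it targets the counter-bump and one-symbol tweaks, not every weak password, so it belongs alongside a minimum-length rule and a check against known-breached passwords rather than in place of them.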
