In 2003, Bill Burr worked as a mid-level manager at the National Institute of Standards and Technology. He and his colleagues were instructed to write a dry document with instructions for selecting and managing passwords, which was to become a recommendation for US government organizations. The staff completed the assignment, and the document became known as NIST Special Publication 800-63B. Burr himself wrote Appendix A to this standard, an eight-page section giving practical advice on how to choose and manage passwords. Bill Burr recommended mixing digits, special characters, lowercase and uppercase letters, and changing passwords periodically.
Over the years NIST's recommendation evolved into a standard that became mandatory in many government institutions, and now the author himself has fully realized the scale of his mistakes and deeply regrets what he did, writes The Wall Street Journal.
The absurd recommendations for selecting and managing passwords in their day became the subject of a famous XKCD comic.
It is unlikely that a manager at the National Institute of Standards and Technology could have imagined that his recommendations would spread so widely and become an immutable truth for millions of users and a huge number of companies, government agencies, educational institutions and others. All of them set their rules for selecting and managing passwords in accordance with the NIST recommendations.
But over time, one problem emerged: it turned out that these recommendations are wrong and do not improve computer security.
First, as noted above, such passwords provide less entropy than long passphrases while being much harder to remember. Try memorizing an erratic string of upper- and lowercase letters mixed with digits.
Secondly, the recommendation to change passwords every 90 days was especially misguided. Even if a user manages to remember one complicated password of letters and digits, how is he supposed to replace it after 90 days and remember the new one? As practice shows, most people solve this problem in the most logical way: they make a minimal change to the password, for example simply incrementing the last digit: Pa55word!1, Pa55word!2, Pa55word!3 and so on. This does nothing to improve security.
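The rotation pattern described above is easy to spot at password-change time, when the user supplies both the old and the new password. The check below is an added example and not code from the article or from NIST; the sample password pairs are constructed for illustration. It treats a candidate as a trivial variant when it matches the previous password after stripping a trailing counter and punctuation, or when it is within two single-character edits of it.

```python
import re

# Constructed sample pairs (previous password, proposed new password),
# mirroring the "increment the last digit" habit. Not real credentials.
SAMPLE_PAIRS = [
    ("Pa55word!1", "Pa55word!2"),   # counter bumped
    ("Pa55word!2", "pa55word!2"),   # only case changed
    ("Pa55word!3", "Pa55word!!3"),  # one extra character
    ("Pa55word!3", "correct horse battery staple"),  # genuinely new
]

# Trailing digits and common punctuation that users use as a "counter".
_TRAILING = re.compile(r"[0-9!@#$%^&*?._-]+$")


def stem(pw: str) -> str:
    """Reduce a password to its case-folded core with any trailing
    counter/punctuation removed, so 'Pa55word!1' and 'Pa55word!2'
    collapse to the same stem 'pa55word'."""
    core = _TRAILING.sub("", pw).lower()
    # All-digit or all-punctuation passwords would reduce to an empty
    # stem; fall back to the whole string so they are compared as-is.
    return core or pw.lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character inserts, deletes
    and substitutions needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cost = 0 if ca == cb else 1
            cur.append(min(prev[j] + 1,        # delete from a
                           cur[j - 1] + 1,     # insert into a
                           prev[j - 1] + cost))  # substitute
        prev = cur
    return prev[-1]


def is_trivial_variant(old: str, new: str, max_edits: int = 2) -> bool:
    """True when the new password is a cosmetic variation of the old one:
    identical, same stem after stripping a trailing counter, or within
    max_edits character edits (case-insensitive)."""
    if old == new:
        return True
    if stem(old) == stem(new):
        return True
    return edit_distance(old.lower(), new.lower()) <= max_edits


def review_rotations(pairs):
    """Return (new_password, verdict) for each pair, where verdict is
    'rejected' for trivial variants and 'accepted' otherwise."""
    return [(new, "rejected" if is_trivial_variant(old, new) else "accepted")
            for old, new in pairs]


if __name__ == "__main__":
    for new, verdict in review_rotations(SAMPLE_PAIRS):
        print(f"{verdict:8s} {new}")
```

The comparison needs the old password in plaintext, which is only available during the change operation itself; nothing here requires storing password history unhashed. A rejected change should prompt the user for an unrelated password rather than a longer counter.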
Mr. Burr is now 72 years old and retired. In a comment to The Wall Street Journal he said that he regrets much of what he did. Perhaps he need not be so hard on himself. Who would have thought that NIST's recommendations would spread so widely and become the "golden rules" for system administrators? Moreover, at the time there was little academic research on password security, it was difficult to write truly competent recommendations, and Burr's superiors were pressing him to finish the job quickly. A specialist who had programmed military mainframes during the Vietnam War simply did not have time to study the topic thoroughly. He even asked administrators to let him look at the real passwords of NIST employees for analysis, but to his surprise was refused on the grounds of protecting confidential data; the administrators were surprised by the request itself. Without any empirical evidence, Burr relied on scientific research from the 1980s, the best that could be found. As it turned out 15 years later, he made the wrong choice.
In June 2017, the two-year revision of NIST Special Publication 800-63B was completed. Initially, it was planned to limit the work to light edits, but in the end a group of staff had to rewrite everything from scratch. The new rules contain no mandatory requirement to use special characters (such as question marks and exclamation marks) and no requirement for mandatory password changes.
Now the entropy rules from Munroe's comic have finally reached the NIST experts: the updated standard recommends long passphrases that are easy to remember but hard to brute-force.
Changing a password is now recommended only if it is likely to have been compromised, that is, if there are signs of a leak.
Well, justice has triumphed at last. What many security experts have long said is now officially recognized at the NIST level. Millions of users who mindlessly changed their passwords every three months, picking lowercase and uppercase letters, digits and special characters, intuitively felt the absurdity of the process, and now they too can breathe a sigh of relief. The new rules assume the use of passphrases, which are much easier to remember. These can be lines from a poem or arbitrary sentences. To brute-force 40-character phrases, attackers will have to build new dictionaries with graphs of word combinations.
Researchers say that even a phrase of four arbitrary words provides a high enough level of security to reliably protect against brute force.
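The entropy argument behind the comic and the passphrase recommendation can be worked through in a few lines. The script below is an added example, not code from the article or from NIST. It assumes uniform random choice from a 94-symbol printable-ASCII alphabet for character passwords and from a 7776-entry word list (the size of a Diceware-style list) for passphrases; both figures are assumptions for illustration. It also shows why a rotated "Pa55word!N" password is far weaker than its character mix suggests: once the stem is known, only the counter digit is unknown. The guess rate used to convert bits into time is a parameter the caller supplies, since it depends entirely on the hash function and hardware.

```python
import math

# Assumed alphabet and word-list sizes (not from the article).
PRINTABLE_ASCII = 94      # letters, digits and punctuation on a US keyboard
DICEWARE_WORDS = 7776     # 6**5 entries, the size of a five-dice word list
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of `length` symbols chosen uniformly at random from an
    alphabet of `alphabet_size`: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def passphrase_entropy_bits(words: int, wordlist_size: int) -> float:
    """Entropy of `words` words chosen uniformly from a list of
    `wordlist_size` entries: words * log2(wordlist_size)."""
    return words * math.log2(wordlist_size)


def rotated_counter_entropy_bits(counter_digits: int) -> float:
    """Entropy left in a 'Stem!N' password once an attacker already
    knows the stem and only the N-digit counter is unknown."""
    return counter_digits * math.log2(10)


def expected_guesses(bits: float) -> float:
    """Average number of guesses to find a uniformly chosen secret of
    `bits` entropy: half of the 2**bits keyspace."""
    return 2.0 ** bits / 2.0


def expected_years(bits: float, guesses_per_second: float) -> float:
    """Expected cracking time in years at a given guess rate (the rate
    is an input assumption, not a fact about any particular system)."""
    return expected_guesses(bits) / guesses_per_second / SECONDS_PER_YEAR


def comparison_table(guesses_per_second: float):
    """Return (label, bits, years) rows for the cases the article contrasts."""
    cases = [
        ("8 random printable chars", password_entropy_bits(8, PRINTABLE_ASCII)),
        ("Pa55word!N, stem known, 1-digit counter", rotated_counter_entropy_bits(1)),
        ("4 random words", passphrase_entropy_bits(4, DICEWARE_WORDS)),
        ("6 random words", passphrase_entropy_bits(6, DICEWARE_WORDS)),
    ]
    return [(label, bits, expected_years(bits, guesses_per_second))
            for label, bits in cases]


if __name__ == "__main__":
    # Constructed guess rate for illustration only.
    RATE = 1e10
    for label, bits, years in comparison_table(RATE):
        print(f"{label:42s} {bits:6.1f} bits  ~{years:.3g} years at {RATE:.0e}/s")
```

Two things fall out of the numbers. A four-word phrase from a 7776-word list carries about the same entropy as eight fully random printable characters, while being far easier to remember, and adding words scales the cost linearly in bits (exponentially in guesses). A user-chosen password that is rotated by bumping a counter sits at a few bits, no matter how many character classes it contains, because the attacker's dictionary already holds the stem.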
Every day, users collectively spend about 1,300 years typing passwords, so getting the recommendations right matters a great deal. With passphrases, the time humanity spends will grow even further. But then the entropy of passwords will grow too, which is more important.