Wednesday, 18 October 2017

Don't change pa$$wØrds… I got it wrong, says IT expert

10 August 2017

Frequent changes in passwords, known as "transformations", were not effective either as users would often make minor changes like replacing the number 1 with a number 2. "I would recommend not trying to remember all your passwords as it is impossible to do if they are really secure".

The person in question is Bill Burr, who worked for the United States government in 2003, and wrote what would become the "bible" of passwords.

In this interview Burr suggested that his research for this document came mostly from a white paper published in the 1980s.

The man who wrote the book on password management has a confession to make: He blew it.

Burr, a former manager at the National Institute of Standards and Technology (NIST), was responsible in 2003 for putting together a set of recommendations and standards around creating secure passwords. The correct advice is not that people should never provide a password over the phone, but that they should provide it only if they initiated contact with the party requesting it.

Here's hoping websites catch on fast. An O becomes a zero, a 1 becomes an exclamation point, and now you have what looks like an impossible-to-crack password.

Now, Burr says that advice was a mistake. The guidance, set out in "Appendix A", recommended that users change their info every 90 days. These changes are easy to guess and add little in terms of security. According to a new report by the Wall Street Journal, you should say forget it.

Cybersecurity experts say certain password rules are ineffective. So, use strong passwords on these sites, and, of course, turn on multi-factor authentication when available.

The new NIST suggestions strip away the 90-day password time limit and jettison special character requirements. Lead adviser Paul Grassi said that those rules "actually had a negative impact on usability". These are likely to be easier for you to remember, but harder for nefarious individuals to decipher.

The advice will also call for regular, enforced password changes to be ditched unless there's a security breach. It will be harder for nefarious individuals and groups to hack into accounts where a long string of words has been used rather than a "code", which nearly always includes important dates and numbers or is just a slight variance on the previous password.

As explained in the XKCD comic below, a password like "Tr0ub4dor&3", which adheres to Burr's original guidelines, would take just three days to crack and is hard to remember.
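The following is an added example, not code from the article or from NIST: a password-acceptance check in the spirit of the revised guidance above. It imposes no special-character or rotation rules, but it undoes the predictable substitutions described earlier (an O becomes a zero, a 1 becomes an exclamation point) before consulting a blocklist, and it rejects a new password that is only a slight variance of the previous one. The blocklist, the substitution table and the similarity threshold are constructed for illustration.

```python
# Added example (not the article's or NIST's code). Assumes a small constructed
# blocklist; a real deployment would use a large corpus of known-compromised
# passwords, as NIST SP 800-63B recommends.
from difflib import SequenceMatcher
from typing import Tuple

# Common "leet" substitutions, mapped back to the letter they stand in for.
LEET = str.maketrans({"0": "o", "4": "a", "@": "a", "3": "e", "1": "i",
                      "!": "i", "$": "s", "5": "s", "7": "t", "|": "l"})
TRAILING = "0123456789!@#$%^&*()-_=+[]{};:,.<>?/\\|~`'\""
# Constructed sample blocklist; "troubador" is the (misspelled) root of the
# XKCD example password discussed above.
BLOCKLIST = {"password", "troubador", "letmein", "qwerty", "welcome"}
MIN_LENGTH = 8  # NIST SP 800-63B minimum for a user-chosen secret


def normalize(password: str) -> str:
    """Strip the trailing digits/symbols people append, then undo leet
    substitutions, so 'Tr0ub4dor&3' and 'P@ssw0rd!' compare as plain words."""
    core = password.rstrip(TRAILING)
    return core.lower().translate(LEET)


def too_similar(new: str, previous: str, threshold: float = 0.8) -> bool:
    """True when the new password differs from the old one by only a minor
    edit (e.g. a '1' changed to a '2'), which adds nothing in terms of security."""
    if not previous:
        return False
    return SequenceMatcher(None, new.lower(), previous.lower()).ratio() >= threshold


def check_password(candidate: str, previous: str = "") -> Tuple[bool, str]:
    """Return (accepted, reason). Length and unpredictability are what count;
    there is no requirement for special characters, digits or case mixing."""
    if len(candidate) < MIN_LENGTH:
        return False, "shorter than %d characters" % MIN_LENGTH
    root = normalize(candidate)
    if root in BLOCKLIST:
        return False, "matches blocklisted word '%s' after undoing substitutions" % root
    if too_similar(candidate, previous):
        return False, "too similar to the previous password"
    return True, "accepted"
```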
