You’ve probably followed this go-to password recipe countless times online: at least one lowercase letter, one number, one uppercase letter and one special character.
But the man who helped spread this doctrine is now walking it back, saying it has been largely ineffective.
“Much of what I did I now regret,” Bill Burr (not the comedian) told the Wall Street Journal in an interview published Monday. “It just drives people bananas and they don’t pick good passwords no matter what you do.”
The 72-year-old outlined what has since become password gospel while working for the National Institute of Standards and Technology in 2003. Burr suggested the numbers-letters-special-character combination in an eight-page document, Appendix A of NIST Special Publication 800-63, and recommended that users change their passwords every 90 days.
Instead of safeguarding accounts, the strategy backfired. The formula became a nuisance to users; forced to rotate, they made small, predictable changes to their passwords (bumping a trailing digit, say) that attackers could easily guess. Burr was under pressure to publish something quickly, he said, and had little research to lean on beyond a paper written in the 1980s.
“In the end, it was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree,” Burr told the WSJ.
Now, NIST is scrapping Burr’s suggestions altogether.
“We ended up starting from scratch,” said Paul Grassi, a standards and technology adviser at NIST.
According to Grassi, the widely adopted password guidance spread by Burr “actually had a negative impact on usability.” Grassi led a two-year revamp of NIST’s guidance and published the updated guidelines in June.
The new NIST guidelines drop the 90-day expiration and the special-character requirement. Long but easy-to-remember passphrases, rather than contrived jumbles of letters, numbers and symbols, are the way to go, per NIST.
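To make the shift concrete, here is the 2003-style composition rule beside a checker in the spirit of the revised guidance. This is an added example, not code from the article, from Burr or from NIST. The article only says the new guidance drops rotation and special-character rules and favours long passphrases; the extra specifics used below (a minimum of 8 characters, accepting at least 64, screening against a blocklist of common or breached passwords, and rejecting repeated or sequential strings and context-specific words such as the username) are taken from NIST SP 800-63B section 5.1.1.2, and the blocklist and the leetspeak folding table are constructed for the demo rather than a real breach corpus.

```python
"""Old composition rule vs. a NIST SP 800-63B style password check.

Added example, not from the article or from NIST. The blocklist below is a
constructed sample; a real deployment would load a full common/breached
password list. The 800-63B details (min 8, accept at least 64, blocklist,
no composition rules, no forced rotation) are from section 5.1.1.2.
"""
import string
from typing import List

MIN_LEN = 8
# 800-63B says verifiers SHOULD accept at least 64 characters: raise this
# limit if you like, never lower it.
MAX_LEN = 64

# Constructed sample blocklist (lowercase). Not a real breach corpus.
BLOCKLIST = {
    "password", "password1", "123456", "12345678", "qwerty", "letmein",
    "welcome1", "iloveyou", "football", "monkey",
}

# Constructed leetspeak folding so "P@ssw0rd" is compared as "password".
LEET = str.maketrans("@$013", "asoie")


def old_policy_ok(pw: str) -> bool:
    """The 2003 recipe: 8+ chars with lower, upper, digit and special."""
    return (
        len(pw) >= MIN_LEN
        and any(c.islower() for c in pw)
        and any(c.isupper() for c in pw)
        and any(c.isdigit() for c in pw)
        and any(c in string.punctuation for c in pw)
    )


def _is_sequential(s: str) -> bool:
    """True for strings that are one ascending or descending character run,
    such as 'abcdefgh' or '87654321'. Short strings are never flagged."""
    if len(s) < 4:
        return False
    diffs = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return diffs == {1} or diffs == {-1}


def new_policy_reasons(pw: str, username: str = "", service: str = "") -> List[str]:
    """800-63B style check. Returns the reasons the password is rejected;
    an empty list means it is accepted. There are no composition rules and
    no expiry clock: length and a blocklist do the work instead."""
    reasons: List[str] = []
    if len(pw) < MIN_LEN:
        reasons.append("shorter than 8 characters")
    if len(pw) > MAX_LEN:
        reasons.append("longer than the 64-character limit")

    lowered = pw.lower()
    normalized = lowered.translate(LEET)
    if lowered in BLOCKLIST or normalized in BLOCKLIST:
        reasons.append("appears on the common/breached password blocklist")

    # 800-63B names repetitive and sequential strings as things to reject.
    if len(set(lowered)) == 1:
        reasons.append("a single repeated character")
    elif _is_sequential(lowered):
        reasons.append("a sequential run of characters")

    # Context-specific words: the username or the service name.
    for ctx in (username, service):
        if ctx and ctx.lower() in lowered:
            reasons.append(f"contains the context-specific word {ctx!r}")
    return reasons


if __name__ == "__main__":
    # Constructed sample inputs for the demo.
    samples = ["P@ssw0rd", "correct horse battery staple", "aaaaaaaa",
               "abcdefgh", "short", "alice2024!"]
    for pw in samples:
        old = "pass" if old_policy_ok(pw) else "FAIL"
        reasons = new_policy_reasons(pw, username="alice")
        new = "pass" if not reasons else "FAIL (" + "; ".join(reasons) + ")"
        print(f"{pw!r:32} old policy: {old:5} new policy: {new}")
```

Note the inversion the article describes: "P@ssw0rd" satisfies every 2003-style composition rule and is still rejected under the new check because it is a trivially disguised blocklisted word, while "correct horse battery staple" fails the old rule (no uppercase, digit or symbol) and passes the new one on length alone.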