The “NIST midlevel manager” who came up with the crazy password requirements – well, technically, recommendations – you know, must include special characters, uppercase and lowercase letters, alphanumeric characters – says that he’s sorry and that “much of what [he] did [he] now regret[s].”
As the Wall Street Journal explains, Bill Burr was a manager at the NIST – not a security researcher – who was under a deadline to produce a document on password security. In addition to not being a security researcher, he was also hampered in his efforts by a lack of data and of access to it. In the end, he based his guide on an outdated white paper.
And ever since, people all over the world have been struggling with passwords.
It Doesn’t Work (But For the Lack of Trying… and Not)
Burr should give himself a break. The reason his requirements don’t work is that people are quite tenacious when it comes to abusing loopholes in the digital realm. That, and the inexorable progress in the speed of computing hardware.
The NIST document made its debut in 2003. We’re living in 2017. When you consider that Moore’s Law – the one regarding computer processing power, that it doubles every two years or so – still holds as of right now, today’s processors are 128 times faster than those of 2003; password lengths, though, have barely budged from between 8 and 12 characters.
In addition, in the realm of brute-forcing passwords, pure CPU processing power has been surpassed by other approaches: GPUs have left CPUs in the dust, as have distributed and parallel processing.
In the face of tremendous brute-force processing power, there are only a handful of ways to ensure that a password holds up against attack:
- Make the password longer,
- Increase the number of values for each character (e.g., lowercase alphabet is 26 values; upper and lowercase is 52 values; the addition of numbers to that is 62 values; etc.),
- Change your password frequently, or
- Slow down how quickly a password is processed (e.g., even if hardware can run through a gazillion passwords per second, the system is designed so that it can check only one password per second).
Data breaches the world over have shown that certain passwords are used over and over. Regardless of how long or crazily complicated a password is, if a sizable sample of the population uses the same passwords, #1 through #3 become meaningless.
And #4 becomes meaningless when you have data breaches the world over: once an attacker holds the leaked password data, the system’s one-check-per-second limit no longer applies, and guessing runs at whatever speed the attacker’s hardware allows.
People may complain that frequent password changes, complex passwords, etc. “don’t work,” but what’s the alternative? Never change passwords? Make passwords as simple as possible?
Regarding That XKCD Comic…
And, of course, the WSJ made a reference to the classic XKCD strip regarding “correcthorsebatterystaple” as a password.
The problem with creating passwords using this approach is that, when enough people in the population start using it, it will become the weak link of passwords.
As noted in the comic strip (which is a bit dated, from 2011), correcthorsebatterystaple has 44 bits of entropy, based on 4 words randomly chosen from a list of 2048 common words. The comic notes that it would take hundreds of years to break.
Another way of looking at this: it offers the same level of protection as a password that is 8 characters long, each character chosen from a set made up of lowercase and uppercase letters, the digits 0 to 9, and four special characters.
Here’s the thing: researchers have shown that they can brute-force passwords of 10 characters or fewer within a couple of weeks. Indeed, passwords have to be about 22 characters long or so to pass muster.
So, hitting on correcthorsebatterystaple wouldn’t take hundreds of years; I doubt it would take a week – using an iPhone, no less. Could people use words from a bigger, thicker dictionary? Sure. But they won’t. Mesothelioma will show up, with its spelling correctly recollected from memory, as often as Tr0ub4dor&3 (there is the advantage, though, that mesothelioma can be looked up in a dictionary).
Of course, you could also use the same 2048 words but make the password longer (more than 4 random words)…but the equivalent to the 22 characters I mentioned above would be 12 randomly picked words. All of a sudden, it’s not so easy to remember anymore.
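The arithmetic behind the four options above and the XKCD comparison, as an added worked example (not code from the article): it computes the entropy of the 2048-word passphrase, the 8-character mixed alphabet, and the 12-word/22-character equivalence, then shows how the same 44 bits hold up under the comic’s throttled rate, a constructed offline GPU rate, and a server that checks one password per second (the guess rates are assumptions for illustration).

```python
import math

SECONDS_PER_YEAR = 365 * 24 * 3600


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for `length` symbols drawn uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def passphrase_bits(wordlist_size: int, words: int) -> float:
    """XKCD-style passphrase: each randomly chosen word is one symbol (2048 words = 11 bits each)."""
    return entropy_bits(wordlist_size, words)


def crack_years(bits: float, guesses_per_second: float) -> float:
    """Years to exhaust the whole search space at a fixed guess rate (option #4 sets this rate)."""
    return (2 ** bits) / guesses_per_second / SECONDS_PER_YEAR


def equivalent_length(bits: float, alphabet_size: int) -> float:
    """Characters from `alphabet_size` needed to match `bits` of entropy (options #1 and #2)."""
    return bits / math.log2(alphabet_size)


def moore_speedup(year_then: int, year_now: int, doubling_years: float = 2) -> float:
    """Hardware speedup implied by Moore's law between two years (2003 -> 2017 gives 128x)."""
    return 2 ** ((year_now - year_then) / doubling_years)


if __name__ == "__main__":
    # Constructed guess rates (assumptions, not figures from the article):
    # 1e3/s is the comic's throttled web-form rate, 1e10/s stands in for an
    # offline GPU rig working on leaked hashes, 1/s is a server that
    # deliberately checks one password per second.
    rates = {"throttled online (1e3/s)": 1e3, "offline GPU (1e10/s)": 1e10, "1 check/s": 1.0}
    xkcd = passphrase_bits(2048, 4)      # 44 bits
    mixed8 = entropy_bits(66, 8)         # upper + lower + digits + 4 symbols, 8 chars
    print(f"correcthorsebatterystaple: {xkcd:.1f} bits; 8 chars of 66: {mixed8:.1f} bits")
    for label, rate in rates.items():
        print(f"  44 bits at {label}: {crack_years(xkcd, rate):,.2f} years")
    twelve = passphrase_bits(2048, 12)
    print(f"12 words = {twelve:.0f} bits ~= {equivalent_length(twelve, 66):.1f} chars of 66")
    print(f"Moore's law 2003->2017: {moore_speedup(2003, 2017):.0f}x")
```

The same 44 bits last centuries at the throttled rate and under half an hour at the offline rate, which is the whole difference between option #4 working and a breach making it moot.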
Take a bow, Mr. Burr. It’s not that your guidelines don’t work; it’s just that technology razes everything in its path, and most humans are terrible at remembering anything that is unfamiliar and beyond a certain length.