
Man responsible for strong password requirements regrets his 2003 guidelines

The man responsible for your requirement to use a combination of lower-case letters, upper-case letters, numbers, and symbols in passwords at least eight characters long is now regretting his advice. Former National Institute of Standards and Technology manager Bill Burr recently admitted in an interview with The Wall Street Journal that his 2003 document about crafting strong passwords and changing them every 90 days was somewhat off the mark.

At the time, he reasoned that users would choose passwords that are easy to remember and therefore easy to guess, most likely drawn from a pool of “a few thousand commonly chosen passwords.” Anyone trying to break into user accounts, computers, and so on would try those likely choices first. Services could simply reject the most common passwords outright, but Burr proposed what he considered a more secure alternative: rules about how a password must be composed.

On page 52 of the 2003 document, he states that systems should require passwords of eight characters or more drawn from an alphabet of 94 printable characters, containing at least one upper-case letter, one lower-case letter, one digit, and one special character. Systems should also check candidate passwords against a dictionary to block familiar words, and reject the user's login name as a password.

The problem with this method is that users follow patterns when creating a password. For instance, they take a familiar word, such as “password,” and alter it just enough to satisfy the rules. The result could be something like P@zzwurd2017, which passes every composition check while leaving the underlying word intact. It isn't original at all, and we conjured it up in a matter of seconds.

Right now, systems accept such a password because it meets the standard, and many even display a strength meter that rates it highly. Users are then asked, or forced, to change the password every 90 days, so they keep the same base word and shuffle the decoration to satisfy the update (P@ssw0rd2K17, for instance). Each new password is predictable from the previous one, which is exactly what the rotation was meant to prevent.

When the guidelines were created in 2003, they were not based on collected data. System administrators would not hand over any real passwords for analysis, so Burr turned to a whitepaper published in the 1980s, long before the general American population bought a modem and joined the world wide web through Netscape or America Online.

Fast forward to 2017, and the National Institute of Standards and Technology has published new guidelines for systems to follow. Authored by technical adviser Paul Grassi, the revision tosses out much of what Burr established years ago. Grassi admits that Burr's system lasted for 14 years, and hopes his revised password rules last just as long. He suggests that systems drop the 90-day password refresh and the composition requirements such as mandatory special characters.
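As an added illustration, not code from the article, from NIST, or from Burr's document, here is a small Python checker that implements the 2003-style composition rules as the article summarizes them next to a 2017-style check that replaces composition rules with a length floor and a common-password blocklist. It shows that the article's P@zzwurd2017 and P@ssw0rd2K17 pass the 2003 rules while a plain passphrase fails them, and that the reverse holds under the 2017 rules once leet substitutions and trailing years are stripped before matching. The common-password list, the substitution table (including treating "z" as a stand-in for "s", as in the article's own example), the edit-distance threshold, the 64-character ceiling and the blocklist check itself are assumptions chosen for this demo rather than text from the article.

```python
"""Constructed example: 2003-style composition rules versus a 2017-style
length-plus-blocklist check. Word lists and thresholds are illustrative."""
import re
import string

# Constructed stand-in for a breached/common-password corpus (assumption: a real
# deployment would load millions of entries from a breach feed).
COMMON_PASSWORDS = ("password", "123456", "qwerty", "letmein", "welcome", "iloveyou")

# The 94 printable ASCII characters the 2003 rules draw from (95 printable minus space).
PRINTABLE_94 = set(string.printable) - set(string.whitespace)

# Substitutions users apply to satisfy "needs a digit/symbol" rules; undone before
# matching. The z->s entry is an assumption based on the article's P@zzwurd example.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t", "z": "s"})


def check_2003(password: str, username: str = "") -> list[str]:
    """Composition rules as the article summarizes the 2003 document.
    Returns the violated rules; an empty list means the password is accepted."""
    problems = []
    if len(password) < 8:
        problems.append("fewer than 8 characters")
    if not set(password) <= PRINTABLE_94:
        problems.append("character outside the 94 printable ASCII characters")
    for label, cls in (("upper-case letter", string.ascii_uppercase),
                       ("lower-case letter", string.ascii_lowercase),
                       ("digit", string.digits),
                       ("special character", string.punctuation)):
        if not any(c in cls for c in password):
            problems.append(f"no {label}")
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:          # dictionary check is an exact match only
        problems.append("dictionary word")
    if username and lowered == username.lower():
        problems.append("equals login name")
    return problems


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def core_word(password: str) -> str:
    """Strip the decorations users bolt on (a trailing year, leet substitutions,
    symbols) to recover the familiar word underneath."""
    stripped = re.sub(r"\d+$", "", password)        # "P@zzwurd2017" -> "P@zzwurd"
    translated = stripped.lower().translate(LEET_MAP)  # "p@zzwurd" -> "passwurd"
    return re.sub(r"[^a-z]", "", translated)        # keep letters only


def check_2017(password: str, username: str = "") -> list[str]:
    """Rules in the spirit of the 2017 revision: a length floor and a blocklist instead
    of composition rules, spaces allowed, and no forced rotation (rotation is a policy
    outside this function, so there is nothing to check here)."""
    problems = []
    if len(password) < 8:
        problems.append("fewer than 8 characters")
    if len(password) > 64:                         # assumed ceiling for this demo
        problems.append("longer than 64 characters")
    core = core_word(password)
    for common in COMMON_PASSWORDS:
        # Flag an exact or near match (assumed threshold: within 2 edits) or a
        # common word buried inside the decorated password.
        if common in core or (len(core) >= 6 and edit_distance(core, common) <= 2):
            problems.append(f"too close to common password {common!r}")
            break
    if username and username.lower() in password.lower():
        problems.append("contains login name")
    return problems


if __name__ == "__main__":
    for candidate in ("P@zzwurd2017", "P@ssw0rd2K17", "lantern fox quietly ate seven rugs"):
        print(f"{candidate!r}")
        print("  2003 rules:", check_2003(candidate, "kevin") or "accepted")
        print("  2017 rules:", check_2017(candidate, "kevin") or "accepted")
```

Run it and the two mutated "password" variants are accepted by the 2003 rules and rejected by the 2017 check, while the five-word passphrase is rejected by the 2003 rules (space outside the 94-character alphabet, no upper-case letter, no digit, no special character) and accepted by the 2017 check. The normalization step is the part worth keeping in mind: a blocklist compared only by exact match is as easy to sidestep as the old composition rules.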

Ultimately, the best practice for everyone is to throw out familiar, easily linked ideas, such as the name of your favorite movie or pet. Instead, string together several unrelated words into a phrase that doesn't make much sense (without spaces if a service won't accept them); length does more for you than symbols do. A password manager like LastPass helps when you need to remember a multitude of unique passwords across dozens of services.

Kevin Parrish
Former Digital Trends Contributor