Why NIST’s Bill Burr shouldn’t regret his 2003 password advice

Back in 2003, an engineer called Bill Burr wrote the official guidance on password security for the US National Institute of Standards and Technology (NIST), since widely referenced as the last word on the subject for government departments, large organisations and, latterly, consumers.

Fourteen years on, and a year after NIST overhauled the document from scratch, Burr has told the Wall Streel Journal he regrets flaws in his advice, an unusual and brave admission for any professional to make.

Burr sums up his 2003 approach:

It just drives people bananas and they don’t pick good passwords no matter what you do.

We think Burr is being hard on himself, but let’s do him the courtesy of outlining what he thinks was wrong with the influential but oft-mangled eight-page NIST Special Publication 800-63, appendix A.

At its core was the simple orthodoxy that users should choose alphanumeric passwords sprinkled with capitals and special characters. These should be changed regularly.

The first part of this advice forms the basis of almost every password policy in existence, along with a requirement that passwords be at least X (usually now eight) characters long.

This wasn’t bad advice back in 2003 given that many users chose comedy passwords such as “password123”. Applying NIST’s rules, they could change that to the 12-character “P@ssW0rd123!” and congratulate themselves on how easily they had boosted their security.

Except, we now know, they hadn’t, for reasons that are reminiscent of what economists call the tragedy of the commons. To simplify, this states that what appears a good idea for an individual stops being so if everyone does the same thing.

If one person chooses a “P@ssW0rd123!”, in theory it’s secure. But when lots of people use a similar pattern, attackers have something predictable to aim at.

Realising that imposing generic password rules makes people gravitate towards common patterns, NIST now recommends that people focus more on length while checking existing passwords against a dictionary of known bad (ie, common, guessable) combinations.

The second part of Burr’s advice – changing passwords regularly – probably became one of the biggest banes of professional IT because it generated work and often wasn’t effective when people made only minor tweaks. The advice today is to change passwords only when necessary (such as after a breach), which is good news for the vast number of people who’ve never bothered anyway.

Burr and NIST were still right to offer some advice because the alternative of offering no or heavily qualified advice wouldn’t have saved the world from bad passwords. Indeed, large numbers of users still ignore even the baseline of Burr’s 2003 rules and use hopeless passwords where they are allowed to – any number of bad passwords revealed in data breaches tells us this.

A fundamental challenge is that what constitutes a secure password changes over time as attackers up the ante. There’s also a need to balance usability. Make a password too easy (short, predictable) and attackers will uncover it, but make it too hard (long, complex) and users will take shortcuts.

What, then, has really changed for password security between 2003 and now?

Ironically, it’s the realisation that passwords, no matter how well crafted, are no longer enough on their own. A single phishing attack can grab even the best password as can the breaching of a poorly secured database. Even the best get re-used over and over.

The world still uses passwords but increasingly supplements them with systems of authentication and identity that take decisions out of users’ hands, something that is at the heart of NIST’s revised guidelines.

Anyone who still wants some password-crafting advice without ploughing through NIST’s document might start with how to pick a proper password or Naked Security’s busting password myths podcast but only after reading how difficult it is to craft a password that can withstand even 100 guesses.