A computer security expert who told the world how to write computer passwords 14 years ago has admitted today that he got it wrong.
Fourteen years ago he said that using capital letters, numbers and symbols inside a real word – Te3hn7lo6y – would make it harder for hackers. The advice was originally distributed by the US government’s National Institute of Standards and Technology.
“Anything published under the Nist banner tends to be influential, so these guidelines have had a long lasting impact,” said Professor Alan Woodward, from the University of Surrey – to the BBC.
Today, however, Bill Burr, the author of that advice, has acknowledged that it could actually make it easier for hackers to steal passwords, contrary to common belief. It is a huge career regret.
Burr’s advice had a huge influence on public opinion about passwords. On top of the complexity he suggested, he also advised users to change their passwords every 90 days.
But Burr told the Wall Street Journal that his theory came unstuck in practice, and that his 2003 manual was “barking up the wrong tree”.
Indeed, modern guidelines discourage users from changing their passwords every few months, because people typically make only small adjustments to their existing passwords, and those adjustments are easy to deduce.
At the same time, a random mixture of words is harder for hackers (and their computers) to crack than a single word with numbers and symbols worked into it – the opposite of Burr’s theory.
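As an added worked example (not from the article or from anyone quoted in it), the following Python puts rough numbers behind those two points: it estimates the guess space of a dictionary word with letter substitutions against that of a random multi-word passphrase, and shows the kind of check a password-change form can run to reject a new password that is only a small tweak of the old one. The 100,000-word dictionary, the 7,776-word diceware list, the substitution table and the sample passwords are constructed assumptions for illustration, not figures from the article.

```python
import math
from typing import Dict

# Constructed simplification of the look-alike substitutions that a
# word-mangling rule set tries (assumption: one alternative per letter).
LEET_SUBSTITUTIONS: Dict[str, str] = {
    "a": "4", "b": "8", "e": "3", "g": "6", "i": "1",
    "l": "1", "o": "0", "s": "5", "t": "7",
}


def substituted_word_variants(base_word: str, dictionary_size: int) -> int:
    """Number of guesses needed to cover every password built the 2003 way:
    a dictionary word with some letters swapped for look-alike digits.

    Model (an assumption, not from the article): the attacker tries every
    dictionary word, with each substitutable letter either swapped or left
    alone (2 choices) and the word either all lower-case or with its first
    letter capitalised (2 choices)."""
    substitutable = sum(1 for ch in base_word.lower() if ch in LEET_SUBSTITUTIONS)
    return dictionary_size * (2 ** substitutable) * 2


def substituted_word_bits(base_word: str, dictionary_size: int) -> float:
    """The same guess space expressed in bits (log2 of the guess count)."""
    return math.log2(substituted_word_variants(base_word, dictionary_size))


def passphrase_bits(word_count: int, wordlist_size: int) -> float:
    """Entropy of `word_count` words chosen uniformly at random from a public
    list of `wordlist_size` words. The list is assumed known to the attacker,
    so only the random choices contribute bits."""
    return word_count * math.log2(wordlist_size)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insertions, deletions and substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def is_minor_variant(old_password: str, new_password: str, max_edits: int = 2) -> bool:
    """True if the new password is only a small tweak of the old one, such as a
    bumped digit. Compared case-insensitively so Summer2017 -> summer2018 is
    still caught. Usable at change time, when the user supplies both values."""
    return edit_distance(old_password.lower(), new_password.lower()) <= max_edits


if __name__ == "__main__":
    # Constructed figures: a 100,000-word dictionary vs a 7,776-word diceware list.
    print(f"mangled 'technology': {substituted_word_bits('technology', 100_000):.1f} bits")
    print(f"4 random words:       {passphrase_bits(4, 7776):.1f} bits")
    print("Summer2017! -> Summer2018! is a minor variant:",
          is_minor_variant("Summer2017!", "Summer2018!"))
```

Under these assumptions the mangled word sits at roughly 24 bits while four random words give roughly 52 bits, which is the gap the paragraph above describes; the similarity check is the control that stops a rotation policy from degrading into Summer2017, Summer2018 and so on.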
“We’ve known for some considerable time that these guidelines actually had a rather unfortunate effect,” continued Woodward. “For example, the more often you ask someone to change their password, the weaker the passwords they typically choose. And, as we all now have so many online accounts, the situation is compounded so it encourages behaviours such as password reuse across systems.”
Ollie Hayler, business development lead – PalmSecure & Surient (UK & Ireland), Fujitsu Cyber Security, provides his insight into what constitutes a secure password:
“It turns out neither using a combination of symbols, numbers and letters nor changing passwords periodically can keep your accounts safe from cyber threats. Coming from a computer security expert who previously advised thousands of people on how to write computer passwords, this means only one thing: hackers are constantly innovating and so should we.”
“Widely regarded as insecure, passwords and PIN numbers are becoming a thing of the past as they can be copied, stolen, guessed or shared easily. Both customers and businesses now have a far more secure choice of authentication and verification through the use of biometrics.”
“One example that stands out is palm vein. This technology combines the convenience of a contactless sensor with biometric security, and uses image recognition and optical technology to scan the normally invisible vein pattern of the palm. It’s proven to be highly accurate and highly resistant to counterfeiting, impersonation, and other dishonest actions. It is currently being used in hospitals, and for financial transactions at ATMs and kiosk terminals at several banks around the globe. For users, the system is more convenient and faster than typing a password – with identity verification usually completed within one second. Each palm vein pattern is unique and it stays the same throughout a person’s life.”
“While we don’t expect biometric adoption to happen overnight, biometric verification of identity on a personal device will, in one way or another, become a standard identification process.”