The “Guru” who had given an advice to the users to change their password every 90 days to protect their data is now regretting his own words.
Bill Burr, the author of an influential guide to computer passwords, disclosed his views in an interview with the Wall Street Journal, about the tips he gave about 16 years ago to the computer users.
Being the author of an influential guide to computer passwords, he had advised people not only to muddle up the letters of the password by adding capital letters, symbols and numbers to make the protected password “pr0t3cT3d4!”, but also he had advised to change a password every 90 days.
Now Mr Burr says that the problem has emerged proving the theory comes unstuck in practice, he also admits that his 2003 manual was “barking up the wrong tree”.
Current guidelines in this regard, no longer suggest passwords should be frequently changed, because people diversify their passwords by making only small alterations to their existing passwords – for instance, changing “sImrun” into “sImrunn”- making the codes relatively easy to deduce.
It has also been demonstrated that it takes longer time for computers to crack a random mix of words – such as “Black Chimpanzees brown caT” – than it enables them to guess a word with easy-to-remember substitutions – such as “br0k3n”.
Mr Burr’s original advice was distributed by the US government’s NIST (National Institute of Standards and Technology).
It has since been amended many times, with the most recent edition being released in the month of June.
Prof Alan Woodward, from the University of Surrey said,
“Anything published under the Nist banner tends to be influential, so these guidelines have had a long lasting impact,”
“But we’ve known for some considerable time that these guidelines actually had a rather unfortunate effect”.
For instance, the more often you advice someone to change their password, the weaker the passwords they choose typically.
“And, as we have all now so many online accounts, the situation is compounded so it encourages behaviours such as password reuse across systems.”
Dr Steven Murdoch, from University College London said,
“It’s good that password advice is now being updated to be based on evidence,”
“But there is still traditional advice in other areas of computer security being perpetuated despite us knowing it won’t work.
“We need research to tell us what security advice will actually improve the situation, and for the government and companies to pay attention to results.
Britain’s National Cyber Security Centre has issued its guidance on the matter in 2015.
It recommended that organisations have abandoned a policy of pushing their users into continuous password resets, and that they should be supporting the use of password managers – programs that can securely store hundreds of different logins, avoiding the requirement to memorise each one.