THE DUDE WHO THE National Institute of Standards and Technology (NIST) thought should write what should become de facto password rules has apologised for his efforts, some 14 years later and countless password hacks down the line.
Bill Burr, a former manager at the National Institute of Standards and Technology (NIST), put the rules together in 2003. From the sounds of an interview in the Wall Street Journal, they were just dumped in his lap. Whatever, a decade and a half later Burr has something to add, and it is an apology.
Burr is sorry for making password selection too much of a tricky task: "Much of what I did, I regret," he said.
What he did was create page turning document the "NIST Special Publication 800-63. Appendix A", and made up those rules that say you need a password made up of capital and lowercase letters, numbers and characters and that you ought to change it about once every quarter year.
Burr bared his heart in the Wall Street Journal, telling the paper that the rules were cribbed from documents from the 1980s and are perhaps unnecessarily complicated.
"In the end, [the advice] was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree." It is not terrible advice of course, it's not exactly your football team or you date of birth, but it does leave users open to some password abuse and potentially easy cracking.
The NIST has torn up that old rule book and will come up with a new one soon, and it should make for a very interesting read and save the ‘Password' posse from future penetration. This one has been written by NIST technical advisor Paul Grassi, and should hopefully and assumingly recommend slightly more inventive and prophylactic password picking. µ
Hype for HyperThreading
Hey kids, leave them iPhones alone
The Mac lady sings
Babel in yo ear