The US expert who wrote the standard for password security now says he was wrong - and it’s time for a new way.

By Louise McCabe and Stephen Craft

In 2003, Bill Burr was a technology manager for the US National Institute of Standards and Technology (NIST) when he was tasked with writing some brief guidelines for password security. He recommended that passwords have a minimum of eight characters with a mix of capitals, numbers and symbols, and be updated frequently.

Soon Burr’s rules were adopted by organisations around the world. Now he says he not only regrets his recommendations, but that they have inadvertently led people to choose poor passwords that are actually easier for hackers to crack.

The aim of Burr’s rules was to defeat what are known as “brute-force” attacks, where hackers use sheer computing power to try thousands of possible passwords, until they stumble on the right combination. By adding more character sets to the mix, you exponentially increase the number of possible combinations an attacker must try.

Consider an eight-character password (e.g. password). If it contains just lower case letters, the number of possible combinations is 26^8, around 208.8 billion. This sounds impressive – until you realise it can take as little as 1.8 seconds for a modern supercomputer or botnet to break such a password.

Add uppercase letters (e.g. PassWord), and the number of combinations is multiplied 256 times, to 52^8. Add digits and symbols (e.g. [email protected]\$\$w0rd), and it becomes as high as 95^8, requiring much more time to crack, even with an enslaved botnet army hard at work.

The problem, says Gernot Heiser, Scientia professor at the University of New South Wales’ School of Computer Science and Engineering, is that today’s hackers rarely start with a blank slate.

Instead, they begin by searching for English words plus common substitutions, such as \$ for S. That makes them very well adapted to breaking exactly the kind of [email protected]\$ users tend to create when struggling to comply with Burr’s rules.

### How to choose a strong password

The solution, says Heiser, is to use long, memorable passphrases rather than passwords. Ideally, they would be an unforgettable combination of unexpected words, rather than a predictable English sentence. The more characters you add, the longer they’ll take to crack.

“If you choose longer, more complex passphrases with random words, a brute force attack becomes massively harder mathematically,” says Heiser.

He also says Burr’s original advice on changing passwords frequently is flawed – if only because it encourages users to choose shorter and simpler passwords that can be altered with relatively small changes ([email protected] in January and [email protected] in February, for example).

“The added protection of changing passwords is negative,” Heiser explains. “It’s safer to keep a longer, more complex password than to change it regularly to a simple one with variations that are easier to remember, but simpler to crack.”

### Bring in a password manager

As more of our lives are lived online, we collect more and more passwords. Repeating them across sites is dangerous, since a data breach at a relatively unimportant service provider can leave other, more critical sites wide open. So how are we to remember them all?

Associate professor Mark Gregory from the School of Engineering at RMIT uses the same method he’s employed since the 90s: putting his passwords into a text file, then encrypting it.

“I have about 1000 passwords now, so they’re impossible to remember,” says Gregory. “By encrypting them, I only have to remember one super password to access all of them.”

A more formal version of this same idea is to use a password management system readily available online.

They store all of your passwords in the one place, are encrypted, with only one password for you to manage.

You only need to remember one password to access the system — it takes care of the rest. While premium password managers charge a usually nominal yearly fee, Gregory points out that it’s a small price to pay compared to the potential devastation caused by criminals accessing your data, impersonating you, or getting into your bank account.

Matthew Byrne is a principal consultant in threat intelligence and cyber defence at Mandiant, and a lecturer at the Australian Centre for Cyber Security. He suggests adding another layer of protection, by enabling the multi-factor authentication option offered by most online banks and major service providers, including Facebook, Gmail, Skype and LinkedIn.

“Using the multi-factor authentication feature means you must use at least two steps to access your information,” Byrne explains.

“This could be entering a code sent to your phone or answering a question that only you know. So if someone gets your password, they’ve only got half of what they need to break in and steal your identity.”

Both Heiser and Byrne agree that the best security available is a combination of password, multi-factor authentication and biometrics, such as fingerprint or facial recognition. This makes it very hard for a hacker to get past, but even this isn’t completely foolproof, as the recent hack of the Samsung S8 iris scanner demonstrated.

“People have fooled fingerprint and iris scanners with photographs,” says Heiser.

This list is from SplashData’s list of the top 100 worst passwords for 2017, taken from leaked lists of hacked passwords, from most to least common.

123456
qwerty
letmein
football
iloveyou
welcome
monkey