Standards for Complex Passwords, Now Useless?

There are a lot of ways to create “complex” passwords – use different passwords for different accounts, do not use names and special dates, use a combination of letters, numbers and characters, etc. Having a complex password increases password strength, but is it enough to keep your accounts secure?

Bill Burr, the person credited with inventing these password standards, now admits that they’re basically useless.

In 2003, Burr drafted an eight-page guide on how to create secure passwords creatively called the “NIST Special Publication 800-63. Appendix A.” This became the document that would go on to more or less dictate password requirements on everything from email accounts to login pages to your online banking portal. All those rules about using uppercase letters and special characters and numbers—those are all because of Bill.

The only problem is that Bill Burr didn’t really know much about how passwords worked back in 2003, when he wrote the manual. He certainly wasn’t a security expert. And now the retired 72-year-old bureaucrat wants to apologize.

“Much of what I did I now regret,” Bill Burr told The Wall Street Journalrecently, admitting that his research into passwords mostly came from a white paper written in the 1980s, well before the web was even invented. “In the end, [the list of guidelines] was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree.” (source)

 

There are various methods hackers use to steal passwords, and their tactics are getting more and more sophisticated everyday. There are phishing pages, mass theft, key loggers, brute force attacks, the list goes on. A complex password may take longer to crack, but in the end, a strong password is not enough.

To keep your accounts safe, use a second layer of security like two-factor authentication (2FA). With 2FA, users log in with a username, password, and a second factor to validate their login, like a security token or a phone authentication app.

Our 2FA solution, GreenRADIUS, is an easy-to-use, on-premise solution that is safe and simple for IT staff and end users. Because it is a self-contained virtual appliance, deployment is convenient and maintenance is easy.  With a strong 2FA solution like GreenRADIUS, businesses can overcome the weaknesses of password-only logins.

Liked this post? Follow this blog to get more.