In 2003, Bill Burr—then a mid-level manager at the National Institute of Standards and Technology (NIST)—wrote a primer that became the go-to reference guide for setting secure passwords. Now, Burr and NIST are revising their recommendations, saying the original guidance was inaccurate and ineffective, Robert McMillan writes for the Wall Street Journal.
How it all started
Burr in 2003 wrote an eight-page primer, titled "NIST Special Publication 800-63. Appendix A," recommending that people use special characters, capital letters, and numbers in their passwords. The document also advised people to change their passwords every 90 days. The guidance was supposed to help people strengthen their passwords by inserting randomness into the process.
According to McMillan, "The document became a sort of Hammurabi Code of passwords, the go-to guide for federal agencies, universities, and large companies looking for a set of password-setting rules to follow."
Now, however, Burr and NIST are revising their recommendations for secure passwords, saying the original advice was largely ineffective and incorrect. "Much of what I did I now regret," Burr said.
How it went wrong
Burr—who's now retired—explained that when he compiled the original document, there wasn't much real-world password data. Further, when he asked NIST administrators if he could review the passwords they used in their network, they said no based on privacy concerns. Lacking any empirical data, Burr primarily relied on a white paper written in the mid-1980s to compose the guidance.
According to Burr, the resulting guidance "was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree." He added, "It just drives people bananas and they don't pick good passwords no matter what you do."
For instance, the cartoonist Randall Munroe, in a well-known example, demonstrated that it would take about 550 years to crack the password "correcthorsebatterystaple." In contrast, it would take just three days to crack Tr0ub4dor&3, a password written in line with Burr's original recommendations. According to McMillan, Munroe's calculations were verified by computer-security specialists.
And recent research suggests that while people tend to think their passwords are unique, we generally gravitate toward variations of the same password combinations, such as "iloveyou," "princess," and "monkey," McMillan writes. Cormac Herley, a principal researcher at Microsoft, said, "It's not really random if you and 10,000 other people are doing it."
In June, Paul Grassi, a NIST standards-and-technology adviser, led the rewrite of Special Publication 800-63.
The new guidelines recommend that people select long, easily remembered phrases as passwords, which don't necessarily need to contain special characters, and update them only when there's an indication of a security breach. According to Grassi, the original guidance recommending a password change every 90 days and urging people to use special characters did little for security and "actually had a negative impact on usability."
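To make the two points above concrete, here is an added example (not code from the article, NIST, or the Wall Street Journal) that checks a candidate password the way the revised guidance describes, by length and a blocklist of common choices rather than by composition rules, and reproduces Munroe's guess-time comparison from the entropy figures. The 8-character minimum, the 2048-word list, the 1,000-guesses-per-second rate, and the 28-bit / 44-bit entropy values are assumptions made for the illustration.

```python
import math

# Constructed blocklist standing in for a breached-password corpus; the first
# three entries are the common choices the article quotes.
COMMON_PASSWORDS = {"iloveyou", "princess", "monkey", "password", "123456"}

# Assumed attacker rate for the comparison (an online-guessing pace).
GUESSES_PER_SECOND = 1000


def check_password(password, min_length=8):
    """Return a list of problems under the revised, length-first guidance.

    Only two rules: a minimum length (assumed 8 here) and a blocklist lookup.
    There is deliberately no requirement for digits, capitals or symbols.
    """
    problems = []
    if len(password) < min_length:
        problems.append("shorter than %d characters" % min_length)
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password blocklist")
    return problems


def passphrase_entropy_bits(word_count, wordlist_size=2048):
    """Entropy of a passphrase built from random words of an assumed
    2048-word list: log2(2048) = 11 bits per word, so four words give 44."""
    return word_count * math.log2(wordlist_size)


def days_to_exhaust(entropy_bits, guesses_per_second=GUESSES_PER_SECOND):
    """Days needed to try every possibility for a password of the given
    entropy at the assumed guessing rate."""
    seconds = 2 ** entropy_bits / guesses_per_second
    return seconds / (24 * 3600)


def years_to_exhaust(entropy_bits, guesses_per_second=GUESSES_PER_SECOND):
    return days_to_exhaust(entropy_bits, guesses_per_second) / 365


if __name__ == "__main__":
    for candidate in ("monkey", "Tr0ub4dor&3", "correcthorsebatterystaple"):
        print(candidate, check_password(candidate) or "ok")
    # Munroe's comparison: ~28 bits for the substitution-style password,
    # 4 x 11 = 44 bits for the four-word passphrase.
    print("Tr0ub4dor&3: %.1f days" % days_to_exhaust(28))
    print("four random words: %.0f years" % years_to_exhaust(passphrase_entropy_bits(4)))
```

Note that the checker accepts Tr0ub4dor&3 as well as the passphrase; the guess-time figures, not the composition rules, are what separate the two.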
That said, Grassi said Burr is likely being overly critical in his critique of the original document. "[Burr] wrote a security document that held up for 10 to 15 years," Grassi said. "I only hope to be able to have a document hold up that long" (McMillan, Wall Street Journal, 8/7).
Advisory Board's take
Phil Beyer, Senior Director of Information Security, The Advisory Board Company
Here are four things health care organizations and their staff need to know about password security:
1. Compliance is still crucial. For better or worse, current audit requirements often include minimum standards for password length, complexity, and rotation, and auditors will continue to ensure such policies are in place. Even if one of the original authors of password policy currently disagrees with his own recommendations, your organization's compliance with its own password policy and auditors' standards can still be subject to review during an audit.
2. Make your passwords long. All of the data and research available shows that the best password is a long one—more than 20 characters—that is easy for you to remember and hard for a computer to guess.
3. Rotate passwords, and use unique ones for different services. Rotating passwords reduces your susceptibility to an automated attack by an unskilled adversary who purchased your company's username and password database on the black market. In addition, using a unique password for every online service you use—and storing them all in a password vault (such as LastPass, KeePass, and 1Password)—is a strong practice that is vulnerable only to a targeted attack against you.
4. Using passwords without complementary security controls is asking for trouble. Passwords have never been and will never be effective as the sole method of authenticating an individual. They are easily compromised by unskilled and advanced attackers alike. As such, organizations should use passwords as one of a series of complementary security controls.
To make the best use of passwords, health care organizations should look for every opportunity to secure sensitive and confidential systems and data with additional authentication factors, such as physical access cards, digital certificates, hardware or software tokens, and biometric readers.
To learn more, join us for our Health Care IT Advisor National Meeting, which will feature a session on "Security and the C-Suite Leadership's Role in Building a Cyber-Resilient Organization." In addition, check out the slides from our recent presentation, "Cyber Security: Law and Disorder," on understanding new challenges in cybersecurity and how provider organizations can prepare.