IT expert regrets complex password advice

Claudine Rigal
August 13, 2017

Carl Gottlieb, boss at security consultancy Cognition, told our sister brand CRN that cybersecurity specialists have been encouraged by the NCSC to break away from traditional password protocols.

Bill Burr (no, not the comedian), now retired, was a manager at NIST (the National Institute of Standards and Technology) who recommended these rules in 2003 in a document that was then adopted by everyone and his motherboard.

Despite his manual often being referred to as "the password bible", Burr has now suggested in an interview with The Wall Street Journal that his advice may have been wrong.

It's hard to create a secure password.

The Wall Street Journal cited a widely circulated cartoon in which creator Randall Munroe illustrated how it would take a computer 550 years to crack the password "correcthorsebatterystaple".
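To make the cartoon's figure concrete, here is an added example (not from the article, the cartoon, or the NIST/NCSC documents) that computes the entropy and exhaustive-search time of a four-word passphrase and, for comparison, of the word-plus-digit-and-symbol pattern most sites encourage. The 2048-word list, the 1000 guesses per second, and the choice counts in the complexity-rule model are assumed parameters chosen for illustration.

```python
import math

SECONDS_PER_YEAR = 365 * 24 * 3600

def pattern_bits(components):
    """Entropy in bits of a secret built from independent choices.
    `components` is a list of (label, number_of_choices) pairs; each
    choice is assumed uniform and independent, so the bits simply add."""
    return sum(math.log2(n) for _, n in components)

def years_to_exhaust(bits, guesses_per_second):
    """Years needed to try every candidate in a space of 2**bits at a
    fixed guess rate. This is the worst case for the attacker; on
    average about half of the space has to be searched."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR

# Constructed model of the cartoon's passphrase: four words picked at
# random from a 2048-word list (assumed list size), i.e. 11 bits per word.
PASSPHRASE = [("random word", 2048)] * 4

# Constructed model of the "word + capital + digit + symbol" pattern:
# one of ~65,000 common words, optional capitalised first letter, a few
# common letter substitutions, one appended digit and one symbol.
# Every choice count here is an assumption for illustration only.
COMPLEXITY_RULE = [
    ("common word", 65536),
    ("capitalise first letter?", 2),
    ("common substitutions (o->0, a->4, ...)", 8),
    ("appended digit", 10),
    ("appended symbol", 16),
    ("digit/symbol order", 2),
]

def compare(rate=1000):
    """Return {name: (bits, years)} for both patterns at `rate` guesses
    per second. 1000 guesses/sec is a slow online rate; offline cracking
    of leaked hashes can be many orders of magnitude faster."""
    result = {}
    for name, comps in (("passphrase", PASSPHRASE),
                        ("complexity rule", COMPLEXITY_RULE)):
        bits = pattern_bits(comps)
        result[name] = (bits, years_to_exhaust(bits, rate))
    return result

if __name__ == "__main__":
    for name, (bits, years) in compare().items():
        print(f"{name:16s} {bits:5.1f} bits  ~{years:,.1f} years at 1000 guesses/sec")
```

With these assumptions the passphrase comes out at 44 bits and roughly 558 years, while the complexity-rule pattern is about 28 bits and falls in a few days.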

Well, at least they're doing something about it. NIST has just finalized its updated recommendations, which are quite different from what you're used to: they move away from the familiar insistence on numbers and special characters.

Gottlieb added, however, that the cybersecurity industry can itself be guilty of overcomplicating password security, arguing that a method as simple as keeping a logbook of passwords in a secure place can be as effective as any other method in certain situations. It's tough to even make a strong password, yet most of the websites you visit recommend a combination of numbers, capitals, lowercase letters and special characters.

"If you try and think what the value of changing your password regularly is, it's hard to find the rationale for why it was the advice".

The document also suggested using two-factor authentication, where a code is sent to the user's device to ensure it is them trying to log in to an account, not a hacker. It's recommended that you should only change your password if there's been a breach of some kind where passwords and data may have been compromised.

It also discouraged users from picking passwords closely connected to them, for example their mother's maiden name.

So, do you plan on changing your password now? Let us know your thoughts down below in the comments section!
