Creator of the standard for ‘strong passwords’ changes his mind; understand

Creator of the standard for 'strong passwords' changes his mind;  understand

Bill Burr, former manager of NIST, the North American body equivalent to Inmetro, says today that he regretted the standards for secure passwords developed by him in 2003. The technical text is very detailed, but it can be summarized in a series of what understood it as good practices for the creation of passwords, which ended up becoming the norm when it came to recommending the creation of secure passwords: use of combinations between letters, numbers, special characters and alternation between upper and lower case. In an interview with the Wall Street Journal, Bill admits that, at the time, he had no control over the subject and regretted the document.

The problem with Bill’s recommendations is not that they necessarily result in weak passwords. The point is that the tips end up too succinct and miss important recommendations, such as the importance of creating long passwords and the idea that the password security factor grows with the number of characters used.

1 of 1 Secure passwords should be as long as possible to make discovery difficult – Photo: Reproduction / Opera

Secure passwords should be as long as possible to make discovery difficult – Photo: Reproduction / Opera

Finding a password is a mathematical problem. The correct combination of characters can be revealed by a computer that has enough time to test all possibilities including letters and numbers.

That is why a short, four-character password, even if it consists of special symbols, letters and numbers, can be discovered by a computer in a matter of a few days. On the other hand, a simple sentence, or a few words joined together in the form of a password, can take centuries of combinations to be discovered completely by the same computer – making it more complicated.

The new NIST guidelines with standards and recommendations for creating secure passwords already consider this new reality, reversing the previous model developed by Bill Burr, in 2003. The agency mentions the importance of using long passwords, forming phrases, instead of m1stur @s with special caract3r3 $ that you got used to.

Some websites and social networks, however, do not allow the use of such long passwords. The expectation is that this will change so that users can adapt their codes to the new orientation and increase the total number of characters.