Posted On: Tuesday - December 15th 2020 7:32PM MST
In Topics:   Curmudgeonry  Artificial Stupidity  Big-Biz Stupidity
Before I get started, let me say that I appreciate all the good comments under that previous Peak Stupidity post on this topic. I am no expert on the "TECH" stuff, so there's stuff I can use in there. The best way to handle passwords probably depends on one's habits.
For those who asked/answered the question about remaining anonymous, one could write a whole book on that stuff. One could read that book, but "they" are going to know that, unless you buy said book with cash in the mail, ship it to a P.O. box that you used a fake ID to get while wearing a hat and many facial band-aids, and retrieve it the same way on your bicycle without bringing your phone ... OK, one can get too paranoid, but then, the exercise is good for you.
The reason for this update is weird. There are plenty of other posts to write, but as I got back onto my other device (been since before the weekend) I noted that one browser tab still had the picture I'd used for the Password Proliferation post on Friday. Well, this picture comes from an article somewhere, as is usually the case, but I hadn't read it yet. I just grabbed the picture back then. The article itself, that I just clicked on for the picture, has everything to do with my post. That didn't have to be the case and usually isn't. I just like to have an image that fits to some extent.
This article, on the Consumer Affairs (not a government agency, they proudly state) website says "Man who created modern password management rules says he was largely mistaken." That's the title, actually. It's a weird coincidence, I'd say, due to opinions being like assholes, that the writer Christopher Maynard tells us that password expert Bill Burr is backtracking on exactly what I was complaining about just days before.
If I'd read this article before the post, I could have used it as a back-up source to my purely opinionated post. I feel more vindicated this way, though. About this Bill Burr, cause experts are like assholes too, not only just in the same manner, as "everyone having one." Take Dr. Fauci, please... He just IS an asshole, and yeah, he's got one, of course. OK, about Bill Burr:
Bill Burr – the man who first came up with the notion of using passwords with new words, obscure characters, capital letters, and numbers – admits that the advice he gave in an 8-page primer on protecting accounts with certain types of passwords was largely incorrect, according to a Wall Street Journal report.
Well, that doesn't make him out to be a very good expert, but I'm just trying to stay in order with the short article.
“Much of what I did I now regret,” said Burr of his past work. “In the end, it was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree.”
Burr’s theories for password management became popular back in 2003 when he released “NIST Special Publication 800-63 Appendix A” as a midlevel manager at the National Institute of Standards and Technology. The document was quickly seen as the go-to guide for creating strong passwords and was adopted by federal agencies, universities, companies, and consumers everywhere.
See there ya' go - THE GOVERNMENT even adopted his advice, so, ...
However, the author says that many of the recommendations in the document have proven to be largely incorrect. For example, Burr says that the recommendation of changing passwords every 90 days is impractical, and that many consumers only make one or two small changes that are easy to guess.
What the hell did I tell ya'? See. He's got me nailed. Why would I change the whole thing around, giving me no chance of ever remembering the new one?
Additionally, he says that the old standby of having a password contain a letter, number, uppercase letter, and special character was largely unnecessary.
Is this a cipher issue or a general cryptography one? I could see special characters fooling the cipher types that work with letter frequencies, but then, is that useful for passwords, which are so short for this? As a general code-breaking issue, would a couple of # signs on either side of one's cat's name be any harder to break than other letters there? I don't know. I do OK with the special characters, but not when adding these per new rules makes me get out of my routine. (Should one have a routine? Probably not!)
To start with, they completely dropped the advice on changing passwords every 90 days and ousted the requirement of using special characters. Lead adviser Paul Grassi said that those rules “actually had a negative impact on usability.” He says that long, easy-to-remember passwords are the safest bet for consumers, and that passwords should only be changed if there is any sign that they have been compromised.
BINGO! I've seen that negative impact on usability myself and even wrote a blog post about it. Thank you, new NIST committee!
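The two passages above (the "# signs around the cat's name" question, and the revised guidance that favors long, easy-to-remember passwords over composition rules) can be put side by side in code. The following is an added example written for this page; it is not code from the blog, from the Consumer Affairs article, or from NIST. It assumes a constructed breached-password list, a 10,000-word attacker dictionary, a 7776-word Diceware-style list for passphrases, a minimum length of 8 under the new-style policy, and that an attacker tries each dictionary word in lowercase and first-letter-capitalized form; all of those are modeling assumptions, not figures from the page.

```python
import math
import re
import string
from typing import Optional

# Constructed stand-in for a breached-password list (hypothetical sample values;
# a real deployment would check against a large corpus of leaked passwords).
BREACHED = {"password", "123456", "qwerty", "letmein", "p@ssw0rd", "fluffy123"}

# Diceware-style word list size (7776 = 6**5), used to size passphrase guesses.
DICEWARE_WORDS = 7776

# Character classes an attacker has to cover when brute-forcing.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, len(string.punctuation)  # 32 symbols


def old_policy_ok(pw: str) -> bool:
    """2003-style composition rule as the article describes it: a letter, a
    number, an uppercase letter and a special character (plus 8+ length)."""
    return (len(pw) >= 8
            and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def new_policy_ok(pw: str, min_len: int = 8) -> bool:
    """Revised-guidance style check: length over composition, no forced
    rotation, reject values known to be compromised. min_len is a
    deployment choice (assumed 8 here)."""
    return len(pw) >= min_len and pw.lower() not in BREACHED


def brute_force_guesses(pw: str) -> float:
    """Nominal search space if every character class present had to be
    brute-forced. This is the number composition rules are meant to inflate."""
    size = 0
    if any(c.islower() for c in pw):
        size += LOWER
    if any(c.isupper() for c in pw):
        size += UPPER
    if any(c.isdigit() for c in pw):
        size += DIGITS
    if any(c in string.punctuation for c in pw):
        size += SYMBOLS
    return float(size ** len(pw))


def pattern_guesses(pw: str, dictionary_size: int = 10_000) -> Optional[float]:
    """Guess count if the password is one dictionary word with digits/symbols
    tacked on front or back (the cat's name with '#' on each side). Each
    decoration slot is one of 10 digits or 32 symbols; the word is tried in
    lowercase and first-letter-capitalized form (modeling assumptions).
    Returns None when the password does not fit that shape."""
    m = re.fullmatch(r"([^A-Za-z]*)([A-Za-z]+)([^A-Za-z]*)", pw)
    if m is None:
        return None
    prefix, _word, suffix = m.groups()
    decorations = len(prefix) + len(suffix)
    return float(dictionary_size * 2 * (DIGITS + SYMBOLS) ** decorations)


def passphrase_guesses(pw: str, words: int = DICEWARE_WORDS) -> float:
    """Search space of a space-separated passphrase drawn from a word list."""
    return float(words ** len(pw.split()))


def compare(pw: str) -> dict:
    """Summarize both policies and both attack models for one password."""
    pat = pattern_guesses(pw)
    return {
        "old_policy": old_policy_ok(pw),
        "new_policy": new_policy_ok(pw),
        "brute_force_bits": round(math.log2(brute_force_guesses(pw)), 1),
        "pattern_bits": None if pat is None else round(math.log2(pat), 1),
    }


if __name__ == "__main__":
    for candidate in ("#Fluffy1#", "P@ssw0rd", "correct horse battery staple"):
        print(candidate, compare(candidate))
```

Running it shows the point of the revised guidance: "#Fluffy1#" satisfies the old composition rule and has a nominal brute-force space of 94^9, yet under the word-plus-decoration model it sits at roughly 2^30 guesses, because each "#" only multiplies the attacker's work by the 42 decoration choices rather than by the whole character set. The four-word passphrase fails the old rule outright (no uppercase, digit or symbol) but is accepted by the new-style check and, against a 7776-word list, sits near 2^52. "P@ssw0rd" passes the old rule and is rejected by the new one only because it is on the compromised list, which is the check that actually catches it.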
To Burr’s credit, Grassi says that he is probably being too critical of his advice from 2003, considering that he was under enormous pressure to publish guidance quickly and did not have much information to base his assertions on.
I hope not, myself. If you've got a document with lots of important security-related advice in it, and it's all freaking wrong, then I hope it DOESN'T last 10 to 15 years. Mr. Burr's document only held up for 10 to 15 years because he was held up as an EXPERT. I'm sure your predecessor appreciates your covering his ass in your new paper, though, Mr. Grassi.
“He wrote a security document that held up for 10 to 15 years,” said Grassi. “I only hope to be able to have a document hold up that long.”
This is a big vindication on a small curmudgeonly subject, but, yeah, FUCKIN' A! I told you so, somebody ...