Why Simple Character Substitution for Passwords is Now a Pile of 5h1t

It seems that the advice of Bill Burr, the man who literally wrote the book on password management in 2003 (‘NIST Special Publication 800-63. Appendix A’), was wrong, and he’s done a 180° U-turn in a newly released report.

Released at the end of June 2017, the National Institute of Standards report ‘NIST Special Publication 800-63B – Digital Identity Guidelines – Authentication and Lifecycle Management’ suggests that simple numeric and punctuation character replacements in passwords are very weak and no longer effective.

In the 2003 report he advised people to invent new passwords from proper words, replacing certain characters with capital letters, numbers and punctuation, and to change them regularly.

It would seem that with today’s computing power, what with botnets being everywhere, those types of passwords are very easy to crack (think a couple of days).

So if you have any passwords that use this technique – like changing an E for 3 or S for 5, you should be changing them today.  Right now in fact.

Also, new research has found that people who are forced to change their password regularly seem to stick with the same overall password, only making minor tweaks such as Pa55word!1 to Pa55word!2. Again, these types of password changes are easy to detect using the sophistication of today’s password guessing scripts.
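To see why both habits add so little, here is an added example (not code from the original article or from NIST) of a check a password-change form could run: it undoes the usual substitutions and strips the trailing counter, so Pa55word!1 and Pa55word!2 both collapse to the same base word. The substitution table, the blocklist and the function names are constructed for illustration.

```python
import re
from typing import List, Optional

# Common look-alike substitutions, undone before any comparison.
# Constructed sample table, not an exhaustive one.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

# Constructed sample blocklist; a real deployment would load a large
# list of common and previously breached passwords instead.
BLOCKLIST = {"password", "welcome", "letmein", "dragon"}


def strip_affixes(password: str) -> str:
    """Drop leading/trailing digits and punctuation (the usual 'counter')."""
    return re.sub(r"^[\W\d_]+|[\W\d_]+$", "", password)


def skeleton(password: str) -> str:
    """Reduce a password to the base word that substitutions try to hide."""
    core = strip_affixes(password).lower().translate(LEET)
    return re.sub(r"[^a-z]", "", core)


def check_new_password(new: str, previous: Optional[str] = None) -> List[str]:
    """Return the reasons to reject a proposed password (empty list = accept).

    Assumption: `previous` is the current password the user typed into the
    change form; stored hashes cannot be compared this way.
    """
    problems = []
    base = skeleton(new)
    if base in BLOCKLIST:
        problems.append("substituted form of a common password")
    if previous is not None and base and base == skeleton(previous):
        problems.append("minor tweak of the previous password")
    return problems


if __name__ == "__main__":
    for candidate in ("Pa55word!2", "P@ssw0rd", "correcthorsebatterystaple"):
        print(candidate, "->", check_new_password(candidate, "Pa55word!1") or "ok")
```
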

The new report, which isn’t an easy read, suggests moving away from passwords in favour of pass phrases (random characters ‘b9G#Z4YVemTN^X6S’ and random multi-words ‘correcthorsebatterystaple’) and embracing the use of two-factor authentication (2FA).

If you have a Wall Street Journal subscription you can read more about the u-turn from the interview they did with Bill Burr (paywall).

Are your WordPress Passwords and Sites secure?

Take a look at our WordPress Security Best Practices presentation for more security tips.

Got Too Many Passwords?

If you find it hard remembering all the login details for the many sites you maintain and access then consider using a password manager such as LastPass with a 14-day free premium trial.

 
