
Turns Out Replacing Letters With Numbers And #*&@$ Doesn’t Make Passwords Secure

Thomas Phippen, senior editor at the Daily Caller News Foundation

Much of the password wisdom of the past few decades doesn’t actually make passwords more secure, according to computer scientists and the man who first developed the guidelines.

Password guidance that the National Institute of Standards and Technology (NIST) released Tuesday drops several familiar policies, including mandatory special characters and periodic password expiration.

“We ended up starting from scratch” on the new guidelines, Paul Grassi, lead author of the new guidance, told The Wall Street Journal.

The old rules, including the character requirements, have “actually had a negative impact on usability,” Grassi said.

For the past 15 years, conventional password wisdom, backed by NIST, has recommended that websites require passwords containing at least one numeral and one special character.

After a string of high-profile breaches in government and the private sector, however, it is clear that the approach has not worked. The guidelines tech companies have relied on come from a 2003 paper written by Bill Burr, a former manager at NIST.

Burr’s paper assumed that, short of a fully random string of characters, swapping letters for digits and symbols would add a degree of randomness. The guidance said that passwords could be common or invented words, filled with odd characters and numbers, and changed frequently.

The problem is that users almost always make the same obvious substitutions, such as a 3 for an E, and password-cracking tools simply include those substitutions in their guesses.

“It’s not really random if you and 10,000 other people are doing it,” Cormac Herley, a principal researcher at Microsoft, told the WSJ.
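To show concretely why a 3 for an E does not buy randomness, here is an added example, not code from the article or from any cracking tool: a miniature rule-based guesser of the kind tools like hashcat and John the Ripper apply to a word list. The word list, the substitution table and the suffix list are constructed for illustration; real tools ship with far larger ones. It finds a “Tr0ub4dor&3”-style password within a few hundred guesses and measures how few bits the substitution rules actually add.

```python
"""Added example (not from the article): a miniature rule-based guesser of
the kind crackers such as hashcat or John the Ripper use, showing that
letter-for-digit substitutions are enumerated rather than defeated.  The
word list, substitution table and suffixes are constructed for illustration;
real tools ship with far larger ones."""
import hashlib
import itertools
import math

# Constructed base words: a "word plus substitutions" password starts from a
# dictionary word, so that is where the guessing starts too.
WORDS = ["password", "troubador", "welcome", "dragon", "monkey", "letmein"]

# Constructed substitution table: each letter maps to the letter itself plus
# the replacements people predictably choose for it.
LEET = {"a": "a4@", "e": "e3", "i": "i1!", "o": "o0", "s": "s$5"}

# Constructed suffix rules: the trailing digit or symbol users append to
# satisfy a composition requirement.
SUFFIXES = ["", "1", "123", "!", "&3", "2003"]


def leet_variants(word):
    """Yield every substitution of `word`, each lower-case and capitalised."""
    choices = [LEET.get(c, c) for c in word]
    for combo in itertools.product(*choices):
        base = "".join(combo)
        yield base
        yield base[0].upper() + base[1:]


def candidates(words=WORDS, suffixes=SUFFIXES):
    """Enumerate guesses in the order a cracker would try them."""
    for word in words:
        for variant in leet_variants(word):
            for suffix in suffixes:
                yield variant + suffix


def sha256_hex(text):
    # Plain SHA-256 only keeps the demo self-contained; a slow, salted password
    # hash makes each guess cost more but does not change which guesses get tried.
    return hashlib.sha256(text.encode()).hexdigest()


def crack(target_hex, words=WORDS, suffixes=SUFFIXES):
    """Return (guesses_made, plaintext) on success or (guesses_made, None)."""
    n = 0
    for n, guess in enumerate(candidates(words, suffixes), start=1):
        if sha256_hex(guess) == target_hex:
            return n, guess
    return n, None


def rule_bits(word, suffixes=SUFFIXES):
    """How many bits the substitution and suffix rules add over the bare word."""
    variants = sum(1 for _ in leet_variants(word))
    return math.log2(variants * len(suffixes))


if __name__ == "__main__":
    print(crack(sha256_hex("Tr0ub4dor&3")))
    print(crack(sha256_hex("correcthorsebatterystaple")))
    print(f"rules add only {rule_bits('troubador'):.1f} bits to 'troubador'")
```

With this tiny rule set, the whole search space for six base words is 1,152 guesses, and all the substitutions and suffixes together add only about 7 bits on top of guessing the base word. Scaling the word list and rule set up, as real tools do, changes the constants but not the conclusion: the attacker enumerates the same substitutions the users thought of.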

Burr’s guidelines served for years as the go-to source for password best practices, but following them does not ensure account security, and the resulting passwords are hard to remember.

“It just drives people bananas and they don’t pick good passwords no matter what you do,” Burr said.

When Burr wrote the password guidelines, he had hoped to rely on large amounts of real-world password data. He asked NIST to allow him to look at the actual passwords on its network, but the administrators refused for privacy reasons. “They were appalled I even asked,” Burr said.

Without access to password data, Burr relied on a 1980s white paper to write the password guidelines. “In the end, [the password guidance] was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree,” Burr said.

A series of ordinary words, chosen at random rather than as a familiar phrase, is far harder for a computer to guess and easier for a person to remember.

Internet cartoonist Randall Munroe illustrated the point in a 2011 xkcd comic. Munroe estimated that a typical password under the old guidance, such as “Tr0ub4dor&3,” carries roughly 28 bits of entropy and would take a computer about three days to guess at 1,000 guesses per second. Four randomly chosen words, such as “correct horse battery staple,” written as one word, carry roughly 44 bits and would take about 550 years at the same rate, and are easier to remember than a word with a zero in it.
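The comic’s figures follow from two formulas, and they are worth carrying through because the guess rate is the part people forget. The following is an added example, not code from the article or from xkcd: it computes the entropy of a passphrase drawn uniformly from a word list, the worst-case time to exhaust that space at a given rate, and draws the words with a cryptographic random source. The sample word list and the offline guess rate are assumptions for illustration.

```python
"""Added example, not from the article or the comic: the xkcd arithmetic in
general form.  Choosing k words uniformly at random from a list of N words
gives k*log2(N) bits; an attacker trying the whole space at r guesses per
second needs at most 2**bits / r seconds.  The word list and the offline
rate below are assumptions for illustration, not measured figures."""
import math
import secrets

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed sample list.  A real passphrase list has thousands of entries;
# the bit count depends only on the list size, as the numbers below show.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple",
                "cloud", "lantern", "pebble", "orbit"]


def passphrase_bits(word_count, list_size):
    """Entropy of word_count words drawn uniformly from list_size words."""
    return word_count * math.log2(list_size)


def worst_case_years(bits, guesses_per_second):
    """Years needed to exhaust a 2**bits space at the given guess rate."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


def make_passphrase(words, count=4, sep=" "):
    """Draw the words with the OS CSPRNG.  Picking a 'strange order' by hand
    is not uniform sampling and yields far fewer bits than the formula says."""
    return sep.join(secrets.choice(words) for _ in range(count))


def comic_comparison(online_rate=1000, offline_rate=1e10):
    """The comic's two passwords at its assumed 1,000 guesses/s, next to an
    assumed offline rate (1e10/s is the ballpark for a GPU against a fast,
    unsalted hash), which is the case the comic's figures do not cover."""
    table = {}
    for label, bits in (("Tr0ub4dor&3", 28), ("correct horse battery staple", 44)):
        table[label] = {
            "bits": bits,
            "years_online": worst_case_years(bits, online_rate),
            "seconds_offline": 2 ** bits / offline_rate,
        }
    return table


if __name__ == "__main__":
    for label, row in comic_comparison().items():
        print(f"{label:30s} {row['bits']:3d} bits  "
              f"{row['years_online']:9.2f} years online  "
              f"{row['seconds_offline']:9.1f} s offline")
    print("4 words from a 2048-word list:", passphrase_bits(4, 2048), "bits")
    print("4 words from the 8-word sample:", passphrase_bits(4, len(SAMPLE_WORDS)), "bits")
    print("sample passphrase:", make_passphrase(SAMPLE_WORDS))
```

Two things the table makes visible: the 550-year figure holds only for an attacker throttled to about a thousand guesses per second, as in online login attempts, while an offline attacker with the password hashes and a fast hash function gets through 44 bits in well under an hour; and a four-word passphrase from an eight-word list is only 12 bits, so the list has to be large and the choice has to be random for the arithmetic to apply.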

NIST’s new guidance says services should accept passwords of at least 64 characters and require a minimum of eight.
