Password Proliferation Update


Posted On: Tuesday - December 15th 2020 7:32PM MST
In Topics: 
  Curmudgeonry  Artificial Stupidity  Big-Biz Stupidity



Before I get started, let me say that I appreciate all the good comments under that previous Peak Stupidity post on this topic. I am no expert on the "TECH" stuff, so there's stuff I can use in there. The best way to handle passwords probably depends on one's habits.

For those who asked/answered the question about remaining anonymous, one could write a whole book on that stuff. One could read that book, but "they" are going to know that, unless you buy said book with cash in the mail, ship it to a P.O. box that you used a fake ID to get while wearing a hat and many facial band-aids, and retrieve it the same way on your bicycle without bringing your phone ... OK, one can get too paranoid, but then, the exercise is good for you.

The reason for this update is weird. There are plenty of other posts to write, but as I got back onto my other device (I hadn't been on it since before the weekend) I noticed that one browser tab still had the picture I'd used for the Password Proliferation post on Friday. Well, this picture comes from an article somewhere, as is usually the case, but I hadn't read it yet. I just grabbed the picture back then. The article itself, which I'd only clicked on for the picture, has everything to do with my post. That didn't have to be the case and usually isn't. I just like to have an image that fits to some extent.

This article, on the Consumer Affairs (not a government agency, they proudly state) website, is titled "Man who created modern password management rules says he was largely mistaken." It's a weird coincidence, I'd say, due to opinions being like assholes, that the writer Christopher Maynard tells us that password expert Bill Burr is backtracking on exactly what I was complaining about just days before.

If I'd read this article before the post, I could have used it as a back-up source to my purely opinionated post. I feel more vindicated this way, though. About this Bill Burr: experts are like assholes too, and not only in the sense of "everyone having one." Take Dr. Fauci, please... He just IS an asshole, and yeah, he's got one, of course. OK, about Bill Burr:
Bill Burr – the man who first came up with the notion of using passwords with new words, obscure characters, capital letters, and numbers – admits that the advice he gave in an 8-page primer on protecting accounts with certain types of passwords was largely incorrect, according to a Wall Street Journal report.

“Much of what I did I now regret,” said Burr of his past work. “In the end, it was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree.”
Well, that doesn't make him out to be a very good expert, but I'm just following the order of the short article.
Burr’s theories for password management became popular back in 2003 when he released “NIST Special Publication 800-63 Appendix A” as a midlevel manager at the National Institute of Standards and Technology. The document was quickly seen as the go-to guide for creating strong passwords and was adopted by federal agencies, universities, companies, and consumers everywhere.
See there ya' go - THE GOVERNMENT even adopted his advice, so, ...
However, the author says that many of the recommendations in the document have proven to be largely incorrect. For example, Burr says that the recommendation of changing passwords every 90 days is impractical, and that many consumers only make one or two small changes that are easy to guess.
What the hell did I tell ya'? See. He's got me nailed. Why would I change the whole thing around, giving me no chance of ever remembering the new one?
Additionally, he says that the old standby of having a password contain a letter, number, uppercase letter, and special character was largely unnecessary.
Is this a cipher issue or a general cryptography one? I could see special characters fooling the cipher types that work with letter frequencies, but then, is that relevant for passwords, which are far too short for that? As a general code-breaking issue, would a couple of # signs on either side of one's cat's name be any harder to break than other letters there? I don't know. I do OK with the special characters, but not when adding them per new rules makes me get out of my routine. (Should one have a routine? Probably not!)
To start with, they completely dropped the advice on changing passwords every 90 days and ousted the requirement of using special characters. Lead adviser Paul Grassi said that those rules “actually had a negative impact on usability.” He says that long, easy-to-remember passwords are the safest bet for consumers, and that passwords should only be changed if there is any sign that they have been compromised.
BINGO! I've seen that negative impact on usability myself and even wrote a blog post about it. Thank you, new NIST committee!
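As an added worked example (my own script for this post, not code from the Consumer Affairs article, from NIST, or from the original Friday post), here's a bit of Python that puts numbers on the "# signs around the cat's name" question above and implements the kind of rule set the 2017 revision (NIST SP 800-63B) describes: a minimum length, a screen against a list of known-bad passwords, no composition rules, no forced rotation, plus a check that catches the Password01 to Password02 trick. The short common-password list, the assumed guessing rate of 10^10 per second, and the sample passwords are all constructed for the example.

```python
"""
Password policy in the style of NIST SP 800-63B (2017): length and a
known-bad-password screen instead of composition rules and 90-day rotation.
Added example for this blog post; not NIST's own code.
"""
import math
import re
import string
from typing import Optional, Tuple

# Constructed stand-in for a breached/common-password corpus. 800-63B says to
# screen against such a list; a real deployment loads a large one.
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "letmein", "welcome", "iloveyou",
}

MIN_LENGTH = 8               # 800-63B minimum length for a user-chosen password
GUESSES_PER_SECOND = 1e10    # assumed offline cracking rate, for the estimate only

# Character classes and their sizes: 26 + 26 + 10 + 33 = 95 printable ASCII.
CLASSES = [
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation + " ", 33),   # 32 keyboard symbols plus space
]


def alphabet_size(pw: str) -> int:
    """Size of the character set a brute-forcer must assume, given which classes appear."""
    return sum(n for chars, n in CLASSES if any(c in chars for c in pw))


def search_space_bits(pw: str) -> float:
    """log2 of the brute-force search space: length * log2(alphabet size).
    This is an upper bound; a dictionary or pattern attack ignores it entirely."""
    return len(pw) * math.log2(alphabet_size(pw))


def brute_force_years(pw: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected years to find the password by exhausting half the space at `rate`."""
    return (2 ** search_space_bits(pw)) / 2 / rate / (365 * 24 * 3600)


def _stem(pw: str) -> str:
    """Strip digits and symbols and lowercase, so 'Password01!' becomes 'password'."""
    return re.sub(r"[^a-z]", "", pw.lower())


def check_password(candidate: str, previous: Optional[str] = None) -> Tuple[bool, str]:
    """Accept or reject a new password under the length/blocklist/no-trivial-change rules.
    Returns (accepted, reason)."""
    if len(candidate) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    # Check both the raw password and its stem, so 'Password01!' is caught by 'password'.
    if candidate.lower() in COMMON_PASSWORDS or _stem(candidate) in COMMON_PASSWORDS:
        return False, "on the known-bad password list"
    # The 'increment the digit' change: same letters, only digits/symbols differ.
    if previous is not None and _stem(candidate) == _stem(previous):
        return False, "only digits/symbols changed from the previous password"
    return True, "ok"


if __name__ == "__main__":
    samples = ["Fluffy", "#Fluffy#", "Fluffy#1!", "Password01!", "my cat naps on the porch"]
    for pw in samples:
        print(f"{pw!r:30} alphabet={alphabet_size(pw):3} bits={search_space_bits(pw):6.1f} "
              f"brute-force years={brute_force_years(pw):.3g} policy={check_password(pw)}")
    print(check_password("Fluffy#2!", previous="Fluffy#1!"))
```

Running it shows the two # signs add about six bits over two more letters on a six-letter name; the length is what does the work, and a plain lowercase passphrase of five or six words comes out far beyond any of the symbol-decorated short ones. The brute-force number is also a ceiling: "Password01!" scores over 70 bits on paper with all four character classes present, yet the blocklist rejects it instantly, which is the whole point of the revised guidance.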
To Burr’s credit, Grassi says that he is probably being too critical of his advice from 2003, considering that he was under enormous pressure to publish guidance quickly and did not have much information to base his assertions on.

“He wrote a security document that held up for 10 to 15 years,” said Grassi. “I only hope to be able to have a document hold up that long.”
I hope not, myself. If you've got a document with lots of important security-related advice in it, and it's all freaking wrong, then I hope it DOESN'T last 10 to 15 years. Mr. Burr's document only held up for 10 to 15 years because he was held up as an EXPERT. I'm sure your predecessor appreciates your covering his ass in your new paper, though, Mr. Grassi.

This is a big vindication on a small curmudgeonly subject, but, yeah, FUCKIN' A! I told you so, somebody ...

Comments:
Moderator
Wednesday - December 16th 2020 8:43PM MST
PS: Yes, Mr. Smith, you are right about just increasing the number of combinations. I'd also figure the easier way is to figure something out about the one logging in or just get a camera on him somehow.

CB, I'm the same way on that. If it's a website on which nobody can do anything for his own gain or really mess up my world much, I keep the PW something simple to match the website.
Cloudbuster
Tuesday - December 15th 2020 11:06PM MST
PS Caveat on my previous post -- I didn't use the joke passwords on anything where security was actually important. I wasn't terribly worried, for example, that someone would submit expense reports in my name. I mean, it *could* happen, but if so, either they are accepted and I get free money, or they are rejected and I change my password. ;)
Adam Smith
Tuesday - December 15th 2020 9:23PM MST
PS: Good evening Mr. Cloudbuster, Mr. Moderator...

Password01, Password02, Password03, Luv it...

For awhile most of the passwords in America were password or 123456. Probably still are.(?)

"To Burr’s credit, Grassi says that he is probably being too critical of his advice from 2003, considering that he was under enormous pressure to publish guidance quickly and did not have much information to base his assertions on."

Maybe this is just a pet peeve of mine, but has anyone else noticed how the word guidance is suddenly being used differently this year? Maybe I just hadn't noticed before, but it seems like the word guidance has taken a sort of Orwellian shift. I don't recall ever hearing or reading a phrase like "publish guidance" or "listen to the guidance" or "follow the guidance" until recently. Now it seems ubiquitous. Maybe it's corporate or bureaucratic newspeak that has recently made its way into "the conversation".

"As a general code-breaking issue, would a couple of # signs on either side of one's cat's name be any harder to break than other letters there?"

If it were just the # signs it wouldn't much matter, as it would take your available "alphabet" from 62 to 63 characters. When you add all 32 non-alphanumeric characters (`~!@#$%^&*_-+={}[]|:;"',.?/) found on the keyboard to your available "alphabet" it increases the number of "combinations" that a password of a given length can be. When you are brute force cracking a password it takes more time and more attempts to do so when there are more characters in a password and more characters to choose from.

Brute force cracking takes time. It is usually much easier to find a target's login name and password with a keylogger.


Moderator
Tuesday - December 15th 2020 8:36PM MST
PS: Ornery is good, Cloudbuster. Of course, nobody could possibly check that you'd make that most-obvious-as-possible PW, cause, well, security and shit. So, you couldn't get a memo back saying "hey, that's not what we mean. Try harder!"

Mine was not that simple, but then I've been adamant about not just buying a small notepad or keeping them on the back of a business card in my wallet.
Cloudbuster
Tuesday - December 15th 2020 8:21PM MST
PS At my past couple of employers there were numerous internal and external passwords we were expected to track: payroll system, expense report and travel system, sales tracking, corporate login, and so on. A few of them had obnoxious password requirements and required you to change your password every three months or so. Because I am ornery, with those I used to make a game of devising the most obvious, insecure password the system would accept. It was hilarious how many would let you get away with "Password01!" (and then increment the digit by one every time you are required to change it).