Password Praise in the Future Tense

Apropos the previous post, I am coming to the conclusion that universities are very strange places when it comes to password policies. Mind you, it shouldn't really come as much of a surprise; the choices of technology adopted are often so mind-bogglingly strange that one is tempted to conclude the decisions are more political than technical. Of course, that would never happen in the commercial world. All this aside, consider the password policy of a certain Victorian university.

The University's requirements for staff passwords have recently changed. Passwords must conform to the following rules:

Passwords cannot contain the user's account name or parts of the user's full name that exceed two consecutive characters.
Must be at least 8 characters in length
Must contain three of the following character types:
  An upper case character
  A lower case character
  A number
  A special character (e.g. %, #, @)
Must not be a dictionary word
Must not be one of the last 10 passwords that you have used

Going forward, staff passwords will need to be changed every four months. If you attempt to log in 5 times unsuccessfully, your account will be locked for 15 minutes.

This change in password policy was made in accordance with the Victorian Auditor-General's recommendations to the University. This change was approved by the University's Administrative and Business Advisory Group (ABAG).

"Going forward" is, of course, corporate code for "we're not going to discuss this". Talk to the hand, as they say. Which is possibly just as well, because the policy is actually a security risk in its own right. On the positive side, the policy doesn't have a maximum length, which allows higher entropy. On the negative side, the policy's requirement for special characters is well acknowledged to result in less security, through the additional complexity it imposes on humans (even if the US FTC still seems to think it's a good idea).

But the really weird rule is "Must not be one of the last 10 passwords that you have used". At first glance this seems reasonable. After all, any single-factor password can eventually be hacked given enough time, and regular changes reduce that vector. But in the real world, such longevity policies are deeply unpopular. There is an increased risk that users will adopt simpler passwords and simply increment a number: password01, password02, password03 ... password10, to use the above example. As a result, the FTC's chief technologist is rethinking longevity policies (her work is worth reading). Besides, some very clever people have discovered ways to get past annoying administrative roadblocks.
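As an added example, not code from the original post or from the university, here is a Python checker for the quoted staff-password rules, with one extra check for the password01 to password02 rotation just described, which the "last 10 passwords" rule cannot catch because stored hashes reveal nothing about near-duplicates. The word list, the sample names and the plain SHA-256 hashing are constructed stand-ins for the demo.

```python
import hashlib
import re

# Constructed stand-in for a real word list.
DICTIONARY = {"password", "welcome", "university", "melbourne"}
HISTORY_DEPTH = 10


def password_hash(pw):
    # Demo only: a real store uses a per-user salt and a slow hash (bcrypt, argon2).
    return hashlib.sha256(pw.encode()).hexdigest()


def name_fragments(full_name, length=3):
    """All runs of `length` consecutive characters from each part of the user's name.
    The policy forbids name fragments longer than two characters, so a hit is a violation."""
    frags = set()
    for part in full_name.lower().split():
        frags.update(part[i:i + length] for i in range(len(part) - length + 1))
    return frags


def digit_stem(pw):
    """Password with all digits removed; equal stems mean a 'password01 -> password02' rotation."""
    return re.sub(r"\d", "", pw.lower())


def check_policy(candidate, account, full_name, history_hashes, current=None):
    """Return the list of rules the candidate breaks (empty list means accepted).

    `history_hashes` holds hashes of earlier passwords, oldest first; `current` is the
    outgoing password the user types to authorise the change, if the system asks for it."""
    problems = []
    low = candidate.lower()
    if len(candidate) < 8:
        problems.append("shorter than 8 characters")
    if account.lower() in low:
        problems.append("contains account name")
    if any(frag in low for frag in name_fragments(full_name)):
        problems.append("contains part of full name")
    classes = (r"[A-Z]", r"[a-z]", r"\d", r"[^A-Za-z0-9]")
    if sum(bool(re.search(c, candidate)) for c in classes) < 3:
        problems.append("fewer than three character types")
    if low in DICTIONARY:
        problems.append("dictionary word")
    if password_hash(candidate) in history_hashes[-HISTORY_DEPTH:]:
        problems.append("reused one of last 10 passwords")
    # Not in the quoted policy: the rotation the post predicts passes every rule above,
    # and stored hashes cannot reveal it; only the outgoing plaintext can.
    if current is not None and digit_stem(current) == digit_stem(candidate):
        problems.append("trivial variant of current password")
    return problems
```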

Longevity isn't wrong as such, but it needs to be considered in terms of the complexity of the system it is protecting. The greater the security requirements and the turnover of usage, the greater the care required. To deal with the human element, entropy is better than complexity. Passphrases are rightly considered a popular choice over passwords, and the longer the better.


The man in question is Bill Burr, a former manager at the US National Institute of Standards and Technology (NIST). In 2003, Burr drafted an eight-page guide on how to create secure passwords creatively called the "NIST Special Publication 800-63. Appendix A". This became the document that would go on to more or less dictate password requirements on everything from email accounts to login pages to your online banking portal. All those rules about using uppercase letters and special characters and numbers — those are all because of Bill.

The only problem is that Bill Burr didn't really know much about how passwords worked back in 2003, when he wrote the manual. He certainly wasn't a security expert. And now the retired 72-year-old bureaucrat wants to apologise.

"Much of what I did I now regret," Bill Burr told The Wall Street Journal recently, admitting that his research into passwords mostly came from a white paper written in the 1980s, well before the web was even invented. "In the end, [the list of guidelines] was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree."