
Bill Burr regrets 2003 password recommendation report - cratermoon
https://www.wsj.com/articles/the-man-who-wrote-those-password-rules-has-a-new-tip-n3v-r-m1-d-1502124118?mod=e2tw
======
iokevins
The article seems to arise in reference to the NIST SP800-63-3 Digital Identity
Guidelines, published June 22, 2017:

[https://pages.nist.gov/800-63-3/](https://pages.nist.gov/800-63-3/)

Three highlights of NIST SP800-63-3, from the SANS Security Awareness blog:

"For years people like Per Thorsheim, Cormac Herley and Dr. Angela Sasse have
fought against this. Finally these painful behaviors are being put to rest by
NIST in their official publication SP800-63-3 Digital Identity Guidelines.
While a rather large series of documents, they have a couple key points about
passwords, specifically in sections 5.1.1.1, 5.1.1.2 and Appendix A. Long
story short.

* Entropy is dead, focus on password length. Stop inflicting complexity requirements, instead long live the passphrase.

* Only change passwords if you are concerned it may have been compromised.

* SP800-63-3 specifically states systems should support the use of password managers."

[https://securingthehuman.sans.org/blog/2017/07/27/nist-has-spoken-death-to-entropy-love-live-the-passphrase](https://securingthehuman.sans.org/blog/2017/07/27/nist-has-spoken-death-to-entropy-love-live-the-passphrase)
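
A verifier-side check along the lines of the memorized-secret rules summarized above (minimum and maximum length, comparison against a blocklist of common or breached values, no composition rules; these live in section 5.1.1.2 of SP 800-63B, the authentication volume of the 800-63-3 suite). This is an added example written for this thread, not code from the original post, from SANS or from NIST. The blocklist is a constructed stand-in for a real breached-password corpus, the context-word substring check is an illustrative choice, and the 2003-style "three of four character classes" function is included only to show what the old rule accepts and rejects by comparison.

```python
"""Memorized-secret acceptance check in the style of NIST SP 800-63B 5.1.1.2.

Added example for illustration; not NIST's or the thread's own code.
"""
import re
import unicodedata
from typing import Iterable, Tuple

# Constructed sample blocklist. A real deployment would consult a large
# corpus of breached and commonly used passwords instead of this set.
BLOCKLIST = {
    "password", "password1", "p@ssw0rd", "p@ssw0rd1!", "qwerty123",
    "letmein", "welcome1", "summer2017!",
}

MIN_LEN = 8    # 800-63B: memorized secrets SHALL be at least 8 characters
MAX_LEN = 64   # 800-63B: verifiers SHOULD permit at least 64 characters


def legacy_complexity_ok(pw: str) -> bool:
    """The 2003-style rule: 8+ characters and at least 3 of 4 character
    classes. Shown only to contrast with check_memorized_secret below."""
    classes = [
        re.search(r"[a-z]", pw),
        re.search(r"[A-Z]", pw),
        re.search(r"[0-9]", pw),
        re.search(r"[^A-Za-z0-9]", pw),
    ]
    return len(pw) >= 8 and sum(1 for c in classes if c) >= 3


def normalize(pw: str) -> str:
    """Apply Unicode normalization before comparing or hashing, so that
    visually identical inputs typed on different platforms compare equal."""
    return unicodedata.normalize("NFKC", pw)


def check_memorized_secret(pw: str, context: Iterable[str] = ()) -> Tuple[bool, str]:
    """Return (accepted, reason).

    No composition rules: spaces, punctuation and Unicode are all fine.
    Length is counted in code points, one per character. The secret is
    rejected only if it is too short, too long, on the blocklist, or
    contains a context-specific word (username, service name, ...).
    """
    pw = normalize(pw)
    n = len(pw)
    if n < MIN_LEN:
        return False, f"shorter than {MIN_LEN} characters"
    if n > MAX_LEN:
        return False, f"longer than {MAX_LEN} characters"
    low = pw.lower()
    if low in BLOCKLIST:
        return False, "appears in the blocklist of common/breached passwords"
    # Illustrative substring check for context-specific words; 800-63B asks
    # for "the name of the service, the username, and derivatives thereof".
    for word in context:
        if word and word.lower() in low:
            return False, f"contains context-specific word {word!r}"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("P@ssw0rd1!", "correct horse battery staple", "short1!"):
        print(f"{candidate!r}: legacy={legacy_complexity_ok(candidate)} "
              f"nist={check_memorized_secret(candidate)}")
```

The point of the two functions side by side: "P@ssw0rd1!" satisfies the complexity rule and is rejected by the blocklist, while "correct horse battery staple" fails the complexity rule and is accepted on length alone. Note also what is absent: no forced periodic rotation and nothing that would stop a password manager from pasting a long random value.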

~~~
SAI_Peregrinus
Entropy isn't dead, but entropy estimation should be. It's the same thing as
the transition from Yarrow to Fortuna in CSPRNGs: it's futile to estimate
entropy.

------
cityzen
When I read the title I was wondering why a comedian would give out password
recommendations. Different Bill Burr...

------
q3nismypassword
[https://archive.fo/A613V](https://archive.fo/A613V)

------
SomeStupidPoint
I just hope the various other bodies adopt the new rules quickly so I can stop
having absurd policies at work.

But I somehow think it's going to be a battle to get new "best practices"
adopted, even if they're better, people regret the original, etc etc.

------
keeganjw
Can anyone give me the gist of this article? Paywall...

~~~
justusthane
[http://archive.is/EoUOS](http://archive.is/EoUOS)

~~~
keeganjw
Thanks

