Password Rules

Fix Enforced Password (in)security!

There are some things in life that kinda annoy you, and you want to do something about them. But they seem too big. Too hard. Someone else's responsibility. Which just means you are not confident enough to try. Sometimes, if you try hard, you can make things happen.

Even big things, like getting more than one defence force to adopt a peacekeeping project in a foreign country that you decided was a good idea to help the mission... Even if you nearly get court-martialled for pushing it, since sometimes you might also get an official commendation for it. Or you may decide the traffic is going the wrong way, and lobby the council to change the direction of traffic flow despite naysayers telling you it's impossible. Or lobbying the UK government to implement a new funding scheme that specifically includes school scheduling.

So far I've managed to have good success in pushing some of these impossible projects, and it wasn't easy. But there are always more to work on. See our campaigns. Here's one that needs some attention. Will you help?

Password Security

We all know what this means I presume. That a good password has a lot of different special symbols, upper and lower case letters, numbers... and especially that it should be regularly changed or enforced to be changed by your IT department. This helps keep it secure in case it was compromised. Also, we should record the answers to some knowledge questions like First car and name of first pet, so these can be used to verify us if we forget our password.

Except not. The above is ALL the complete opposite of what correct password security is about.

Governments around the world put significant resources into security research in defence and intelligence, and are also major providers of security advice to business.

It will probably come as some surprise that most of the largest countries' governments all agree on some core aspects of password security. That we should:

  • NOT enforce special characters

  • NOT force users to regularly change their passwords

  • NOT use knowledge questions for password resets

Wikipedia has the right idea, saying that complexity rules and forced password resets just make systems less secure, due to the human element.

https://en.wikipedia.org/wiki/Password#Choosing_a_secure_and_memorable_password

https://en.wikipedia.org/wiki/Password_strength


Fun fact: I wrote a government-accredited textbook for the investigation industry, which extensively covers the use of social engineering to get information out of people, and I have a long history of consulting in the security industry. I was also previously on the IT security committee at my former company Edval. I lobbied hard to have the company update to the more secure and, importantly, current password standards on complexity and periodic forced changes.

However, I was unable to get support to change, or even debate as to why we would continue enforcing standards that are directly opposite to what all the governments say on complexity (USA, UK, Australia etc). You'd think when the author of the password complexity rules himself, Mr Bill Burr, apologizes for them and says they make security worse, it would convey some weight... But no! My old company is unfortunately just like thousands of others who can't seem to engage in debate over what SEEMS to be making passwords less secure.

Aren't passwords MEANT to be so hard to remember? Isn't this what makes them secure from hackers? Oh dear... lol.

Founder of Password Complexity Says SORRY!

The 'rules' for password security were invented by Bill Burr from NIST in 2003, though he relied on 1980s research, from a time when online security was very different.

Multiple news articles reported the author of the password complexity rules recanting. His "(my) previous advice of creating passwords with special characters, mixed-case letters and numbers won't deter hackers," he told The Wall Street Journal. "Much of what I did I now regret," he said of the password complexity rules.

The interview resulted in a very large number of news articles around the world. It was big news, but sadly, despite this press and the updated guidelines, many systems still haven't been brought into line with them.

https://eu.usatoday.com/story/news/nation-now/2017/08/09/password-expert-says-he-wrong-numbers-capital-letters-and-symbols-useless/552013001/

https://www.engadget.com/2017-08-08-nist-new-password-guidelines.html

https://www.wsj.com/articles/the-man-who-wrote-those-password-rules-has-a-new-tip-n3v-r-m1-d-1502124118

https://www.bbc.co.uk/news/technology-40875534

https://gizmodo.com/the-guy-who-invented-those-annoying-password-rules-now-1797643987

https://www.thetimes.co.uk/article/security-guru-bill-burr-apologises-for-invalid-password-tips-d0k5gxrpx

https://www.independent.co.uk/life-style/gadgets-and-tech/news/passwords-remember-letters-security-privacy-how-forget-bill-burr-us-national-institute-standards-and-technology-a7883741.html

The advice about frequently changing a password has been criticized since the report. A 2010 study by the University of North Carolina at Chapel Hill showed that updating passwords often can actually help hackers identify a pattern. Another study from Carleton University said frequent changes are more inconvenient than helpful.


Other credible research articles supporting this include:
http://www.cs.umd.edu/~jkatz/security/downloads/StrongPasswordsDoNothing.pdf

http://cups.cs.cmu.edu/passwords.html

http://www.andrew.cmu.edu/user/nicolasc/publications/Tan-CCS20.pdf

https://arstechnica.com/information-technology/2013/06/password-complexity-rules-more-annoying-less-effective-than-length-ones/

http://www.post-gazette.com/stories/business/news/study-password-length-more-beneficial-than-complexity-651054/

USA Government: National Institute of Standards and Technology (NIST)

NIST is part of the US Department of Commerce and includes a significant computer security division. It has published a very lengthy, highly detailed, well-researched publication, with input from multiple authors and stakeholders: the Digital Identity Guidelines (SP 800-63). One may say it's a pretty good resource, and it certainly sets out government requirements and guidance on various aspects of password management.

They specifically cover password complexity requirements here: https://pages.nist.gov/800-63-3/sp800-63b.html#a3-complexity


5.1.1.2 Memorized Secret Verifiers

Verifiers SHALL require subscriber-chosen memorized secrets to be at least 8 characters in length.

Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.

And for knowledge-based verification (KBV), NIST does NOT approve it for password resets, saying for example:

KBV cannot be used to satisfy verification requirements

i. The CSP SHALL NOT use KBV questions for which the answers do not change (e.g., "What was your first car?").
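A reference check for the NIST rules quoted above, written for this page as an added example (not NIST's or the page's own code): it enforces only the 8-character minimum and a blocklist, shown beside the legacy three-of-four composition rule and 90-day expiry the page argues against. The blocklist, the sample candidates, the 256-character upper bound and the NFKC normalisation step (taken from 800-63B but not quoted on this page) are assumptions.

```python
"""
Added example, not from the original page or from NIST: a memorized-secret
verifier following the SP 800-63B 5.1.1.2 rules quoted above, beside the
'legacy' composition policy the page criticises.
"""
import math
import string
import unicodedata
from typing import Tuple

MIN_LEN = 8    # NIST: verifiers SHALL require at least 8 characters
MAX_LEN = 256  # assumed here; NIST only says verifiers SHOULD permit >= 64

# Constructed stand-in for the list of commonly used, expected or
# compromised passwords that 800-63B says verifiers should reject.
# A real deployment checks a breach corpus of millions of entries.
BLOCKLIST = {"password", "password1!", "qwerty123", "letmein", "a1a1a1"}


def normalise(secret: str) -> str:
    """NFKC-normalise so visually identical Unicode inputs compare equal
    (800-63B recommends normalising before comparison and hashing)."""
    return unicodedata.normalize("NFKC", secret)


def nist_check(secret: str, username: str = "") -> Tuple[bool, str]:
    """Accept or reject a subscriber-chosen secret under the NIST rules.

    Only length and a blocklist are enforced: any printable character,
    including spaces, is allowed and no character-class mix is required.
    Returns (accepted, reason).
    """
    s = normalise(secret)
    if len(s) < MIN_LEN:
        return False, "too short (minimum %d characters)" % MIN_LEN
    if len(s) > MAX_LEN:
        return False, "too long"
    if s.lower() in BLOCKLIST:
        return False, "commonly used or previously breached"
    if username and username.lower() in s.lower():
        return False, "contains the username"
    return True, "ok"


def legacy_check(secret: str) -> Tuple[bool, str]:
    """The composition policy the page criticises: at least 8 characters
    drawn from at least three of four character classes."""
    if len(secret) < MIN_LEN:
        return False, "too short"
    classes = (
        any(c.islower() for c in secret),
        any(c.isupper() for c in secret),
        any(c.isdigit() for c in secret),
        any(c in string.punctuation for c in secret),
    )
    if sum(classes) < 3:
        return False, "needs at least three character classes"
    return True, "ok"


def nist_must_change(days_since_change: int, compromised: bool) -> bool:
    """NIST: no arbitrary (periodic) change, but SHALL force a change on
    evidence of compromise. Age alone never triggers a reset."""
    return compromised


def legacy_must_change(days_since_change: int, max_age_days: int = 90) -> bool:
    """Typical 30/60/90-day expiry rule that GCHQ and NCSC advise against."""
    return days_since_change >= max_age_days


def random_string_bits(length: int, alphabet_size: int) -> float:
    """Search space, in bits, of a uniformly random string."""
    return length * math.log2(alphabet_size)


def passphrase_bits(words: int, dictionary_size: int) -> float:
    """Search space, in bits, of a passphrase drawn uniformly from a word
    list (7776 words is the size of a standard diceware list)."""
    return words * math.log2(dictionary_size)


if __name__ == "__main__":
    # Constructed candidates: the first passes the old rules yet is a known
    # breached password; the passphrase fails the old rules yet is accepted.
    for cand in ("Password1!", "correct horse battery staple", "a1a1a1"):
        print(f"{cand!r:32} legacy={legacy_check(cand)[0]!s:5} "
              f"nist={nist_check(cand)[0]}")
    print(f"8 random printable ASCII chars: {random_string_bits(8, 95):.1f} bits")
    print(f"4 diceware words:               {passphrase_bits(4, 7776):.1f} bits")
    print(f"6 diceware words:               {passphrase_bits(6, 7776):.1f} bits")
```

The bit counts assume uniformly random choice; the page's point is that humans do not choose composition-rule passwords uniformly, which is why a blocklist catches 'Password1!' even though it passes the legacy check.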

Experienced security leaders in private industry are of course supportive of the NIST guidance.

https://www.linkedin.com/pulse/password-sanity-thank-you-nist-philip-cox

It is incredible that so many companies and government departments continue to retain extremely outdated security policies that not only make life online harder but, according to the evidence and the NIST government guidelines, actually significantly reduce online security. However, it takes a brave IT manager to implement the new, improved security policies. Why? Because it 'feels' less secure. It's not what so many other companies and departments are doing. Who dares remove that decades-old, comforting feeling of high security that comes from password complexity rules so complex that you struggle to remember your own passwords? Which is kinda the point. This is exactly why these rules REDUCE password security and increase vulnerability in organisations that are afraid to change with the times. We rush to implement new security patches, yet we are reluctant to rush new security policies that depart so much from what 'we are used to'.

People... let's BE BRAVE. Follow the damn government guidelines, and stop being precious and uncertain. Doing so will:

  • Reduce your organisation's significant support effort to manage user password resets

  • Reduce user friction and speed interactions with your site, plus make users happier

  • Reduce sign-up failures due to 'Too hard to sign up because of failing password complexity' (Yes, it's a thing)

  • Increase security in access to your systems

  • Reduce your legal liability. If a major compromise occurred due to passwords being written down etc., users would now have recourse in court, showing that your failure to adopt the current password standards, as advised by governments for many years now, was a significant factor in the problem. This may result in adverse publicity costing far more in lost consumer confidence than the cost of compensating a user for actions that resulted from password misuse.

  • Show your organisation as a leader, unafraid to do the right thing, and not being asleep at the wheel, or afraid of adopting things that may be seen as 'reducing security' for those who have not done the extensive research.

Enforced complex password symbols, periodic forced password changes and knowledge-based verification are all the WRONG way, and the INSECURE way. Actively promote password managers, and the use of multi-word phrases that are easy to remember but very hard to guess.

Because entropy, and human behaviour, are curious things!

UK Government - Cyber Security

The Director General for Cyber Security, Government Communications Headquarters (GCHQ), states this official advice on password complexity and expiry:

https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/458857/Password_guidance_-_simplifying_your_approach.pdf


Password Complexity

Password guidance - including previous CESG guidance - has encouraged system owners to adopt the approach that complex passwords are ‘stronger’. The abundance of sites and services that require passwords means users have to follow an impossible set of password rules in order to ‘stay secure’. Worse still, the rules - even if followed - don't necessarily make your system more secure. Complex passwords do not usually frustrate attackers, yet they make daily life much harder for users. They create cost, cause delays, and may force users to adopt workarounds or non-secure alternatives that increase risk.

“By simplifying your organisation’s approach to passwords, you can reduce the workload on users, lessen the support burden on IT departments, and combat the false sense of security that unnecessarily complex passwords can encourage.”


Forced Password Changes

Regular password changing harms rather than improves security, so avoid placing this burden on users. However, users must change their passwords on indication or suspicion of compromise.

Changing passwords

Most administrators will force users to change their password at regular intervals, typically every 30, 60 or 90 days. This imposes burdens on the user (who is likely to choose new passwords that are only minor variations of the old) and carries no real benefits as stolen passwords are generally exploited immediately.

Password Strength Meters.

Password strength meters aim to help users assess the strength of their self-generated passwords. They may steer users away from the weakest passwords, but often fail to account for the factors that can make passwords weak (such as using personal information)

Be aware of the limitations of password strength meters.

Password Managers

Password management software can help users by generating, storing and even inputting passwords when required. (Why don't we regularly encourage this in systems!)


UK National Cyber Security Centre

https://www.ncsc.gov.uk/collection/passwords/updating-your-approach

Password Complexity

Do not use complexity requirements. Using complexity requirements (that is, where staff can only use passwords that are suitably complex) is a poor defence against guessing attacks. It places an extra burden on users, many of whom will use predictable patterns (such as replacing the letter ‘o’ with a zero) to meet the required 'complexity' criteria. Attackers are familiar with these strategies and use this knowledge to optimise their attacks. Additionally, complexity requirements provide no defence against common attack types such as social engineering or insecure storage of passwords.

For the above reasons, the NCSC do not recommend the use of complexity requirements when implementing user generated passwords.


Password Expiry

Don't enforce regular password expiry. Regular password changing harms rather than improves security. Many systems will force users to change their password at regular intervals, typically every 30, 60 or 90 days. This imposes burdens on the user and there are costs associated with recovering accounts.

Forcing password expiry carries no real benefits because the user is likely to choose new passwords that are only minor variations of the old


Also note: it is interesting to see Freedom of Information requests on password rules being denied:

www.whatdotheyknow.com/request/rationale_for_password_limitatio

UK Information Commissioner's Office (ICO)

https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/security/passwords-in-online-services/#whatrequirementsshould

Special characters: You should allow the use of special characters, but don’t mandate it.

What should we do about password expirations and resets?

You should only set password expirations if they are absolutely necessary for your particular circumstances. Regular expiry often causes people to change a single strong password for a series of weak passwords.

As a general rule, get your users to create a strong initial password and only change them if there are pressing reasons, such as a breach of your systems

Microsoft Windows - Password Security

https://docs.microsoft.com/en-au/archive/blogs/secguide/security-baseline-final-for-windows-10-v1903-and-windows-server-v1903

https://arstechnica.com/information-technology/2019/06/microsoft-says-mandatory-password-changing-is-ancient-and-obsolete/


In its Windows 10 v1903 security baseline, Microsoft dropped the password-expiry setting, stating as official advice that:

There’s no question that the state of password security is problematic and has been for a long time. When humans pick their own passwords, too often they are easy to guess or predict. When humans are assigned or forced to create passwords that are hard to remember, too often they’ll write them down where others can see them.

When humans are forced to change their passwords, too often they’ll make a small and predictable alteration to their existing passwords, and/or forget their new passwords. When passwords or their corresponding hashes are stolen, it can be difficult at best to detect or restrict their unauthorized use.

Recent scientific research calls into question the value of many long-standing password-security practices such as password expiration policies

Periodic password expiration is an ancient and obsolete mitigation of very low value, and we don’t believe it’s worthwhile for our baseline to enforce any specific value.
--------------------------------------------------------
https://www.microsoft.com/en-us/research/wp-content/uploads/2016/06/Microsoft_Password_Guidance-1.pdf

Which states:

  • Eliminate character-composition requirements.

  • Eliminate mandatory periodic password resets for user accounts.

--------------------------------------------------------


Other academic research supports this:
http://people.scs.carleton.ca/~paulv/papers/expiration-authorcopy.pdf

FAILS! Organisations Who Didn't Get The Memo

Australian Securities and Investments Commission (ASIC)

https://regulatoryportal.asic.gov.au/password-management/

ASIC provides security advice on passwords that significantly conflicts with advice from many other sources, repeating the old advice (since debunked by research) of:

  • Uses a combination of lowercase and uppercase letters, numbers, and special characters

  • Changing your password periodically is a good way to protect your online account. As a guide you should change your password between 1 and 4 times a year.

This ASIC site also states: 'For more information on creating and managing password and online safety, please visit the Australian Governments Stay Smart Online website.' Except this link is old, and no longer takes you to the correct content.


Queensland Government (Australia)

The QLD Tender site has archaic password complexity rules that are so obtuse that even its own instructions on password complexity don't cover all the rules. Is having the same character three times within the password, perhaps not consecutively, outside the guidelines?

Sadly the QLD Government Tender site is not adopting best practice security guidelines. This is one example of many thousands of course, but the screenshot shows a problem we are all too familiar with: what may seem like watering down security is actually following extensively researched guidelines.


Australian Cyber Security Centre

https://www.cyber.gov.au/acsc/view-all-content/guidance/authentication-hardening

https://www.cyber.gov.au/sites/default/files/2019-04/Australian%20Government%20Information%20Security%20Manual%20(APR19)_0.pdf

Sadly, this respected body has not updated its archaic password policies following the research, the advice from its Five Eyes colleagues in the UK and USA, or the advice from Microsoft and other security researchers. They are STILL providing the old advice, which dates from NIST's original guidance, since retracted by its author with a sorry!

They state that:

Passwords/passphrases are changed if they have not been changed in the past 12 months.

Passwords should be a: Minimum of 15 alphabetic characters; or a minimum of 11 characters consisting of at least three of the following character sets: lowercase alphabetic characters (a-z), uppercase alphabetic characters (A-Z), numeric characters (0-9), special characters.

---------------------------------------------------

https://www.cyber.gov.au/acsc/view-all-content/publications/creating-strong-passphrases

They do promote passphrases:

Passwords are passé - passphrases are longer and stronger
Passwords are passé. It’s time to use passphrases instead.

Sadly though, despite correctly referring to passwords as passé, they then still refer to using complex symbols, which is not the point of passphrases. It's as if someone left the old material in when they transitioned from advising complex passwords (with symbols) to passphrases (which replace symbols with length, and aid memorability).

They write:
Complexity is defined as using a combination of different character sets: capital letters, lowercase letters, numbers and special characters. Combining character sets can make a passphrase more difficult to guess and increases the time it takes to be cracked. For example, ‘red House #sky train’, ‘Sleep free hard idea!’ or ‘crystal onion clay @Pretzel’.

---------------------------------------------------

https://www.cyber.gov.au/acsc/view-all-content/news/get-smarter-passwords

Even their own site has bad links. Open this link, then click the link under the heading 'As an Individual... Use strong passwords'. You will find the link goes to a weird page.


OK, so there are likely many, many thousands of sites that are still promoting the insecure password policy: making user lives harder, adding to organisational support costs, and most critically, making security worse.

We can all help. Send messages. Alert. Complain. Ask why these old policies are still in place. Please UPDATE them to reflect modern security best practice, born of research.

But Wait! There's more from Australia! Sadly...

It seems the Australian government WAS recommending the correct best practice in online security.

If we check the good ole Wayback machine, we see what the Australian government was advising back in 2017.

https://web.archive.org/web/20171016150652/https://www.staysmartonline.gov.au/protect-yourself/doing-things-safely/passwords-passphrases

Do not include Arbitrarily mixed letters, numbers and symbols in your passwords. It is also better not to change your passwords frequently, for example each month, as it leads to poor passwords being created.

The above advice is taken directly from the Stay Smart Online government website.

If we try to go to this resource now, we are redirected to:

https://www.cyber.gov.au/acsc/view-all-content/advice/protecting-accounts

Which is utterly useless, yet is referenced in other areas, such as

https://www.cyber.gov.au/acsc/view-all-content/news/get-smarter-passwords

The 'what to do as an individual' password advice is also redirected to this utter nonsense page, as are others like https://www.cyber.gov.au/acsc/view-all-content/guidance/top-10-questions-parents-have-about-online-security


Wake up Australia!

The Australian Government's Cyber Security Centre went from issuing correct password advice in 2017 to now issuing advice that conflicts with Microsoft and the USA & UK governments. It changed its advice despite the author of the original password complexity rules confirming they are nonsense and should not be followed.


I call on the Australian Government to:

1. Fix its cyber security website, and make it easy for anyone to find out the correct advice on secure passwords, passphrases & password expiry.

2. Realise its password advice is woefully out of touch with modern research and with its Five Eyes colleagues the USA & UK. CORRECT the advice on password security. DO NOT force complex symbols or upper/lower case in passwords. DO NOT force password expiry.

3. Send an updated media release on password advice. Millions of us struggle with passwords every day. This would be a breath of fresh air to all of us who interact online (i.e. everyone). Your poor advice, and poorly accessible advice, on passwords... is most unfortunate. For a cyber advice department, you may be forgiven for thinking this is the one area you can't possibly get wrong. And it WAS perfectly correct back in 2017, oddly before the great password awakening!


10/5/2021 Small update. The ASD has acknowledged at least ONE error in their security advice, and have advised me they will get their web team to correct it. However, this is just fixing the link to passphrases, and doesn't correct the more important issue of the ADVICE re special characters and password expiry. Their current advice here conflicts with A) their advice from 2017, B) the rest of the world - Microsoft, UK and USA governments, and C) their own passphrase advice, which begins by saying passwords are passé (good) but then carries on to say special symbols are needed to add complexity, which is wrong as the passphrase adds complexity in LENGTH, not special symbols.

So chalk up one SMALL win so far in the fight... but we have a way to go yet!

Facebook - SECURITY PASS

As a major global platform with billions of users, we expect Facebook to be up with modern best practices in online security. Facebook USED to require complex symbols, numbers and upper/lower case letters in passwords. However, they have removed this, and also promoted password help advice that passwords should be easy for you to remember.

However, in the great global password complexity fiasco, many IT professionals around the world are still claiming that Facebook requires complex symbols, numbers and upper/lower case.

This is poppycock, and has been for years now. Please help others discover that simpler passwords are more secure. Long, but simple and easy to remember. There is a reason major government cyber security advice is promoting that complex passwords are insecure. Because HUMANS are insecure, and hacking is not the main threat (provided the password is long). Besides, research shows that forced password characters actually HELP hackers, as their use by humans is so predictable. Who knew!


Facebook also updated its policy to not worry about passwords being reused or too similar to previous passwords. It also reduced the minimum number of required characters to six. Because password memorability is far more secure than password complexity, as the research evidence shows.

Don't believe me? Change your Facebook password to a1a1a1. It works! Now change it back. It works! Note: It's correctly not preventing password reuse (despite many thinking this aids security). By way of example, Uber DOES prevent password reuse, which with a glitch in their system, caused me to face more than half a dozen password resets, and I was forced to devise a new password each time. Reuse of passwords should be permitted. Only suspected breach should cause the user to initiate a change, and not be forced... as government cyber advice encourages.


Interestingly, Facebook also accepts passwords typed with Caps Lock on. So if you enter A1A1A1 as your password, it also works, as does A1a1a1 (first letter capitalised only). Other combinations are not supported. Because password simplicity and ease of use is more secure than password complexity.


Google - SECURITY PASS

Google correctly has a focus on password simplicity and memorability. It specifically does NOT require the use of special characters, numbers or upper / lower case. However, these are of course permitted if desired, just not encouraged or enforced.

Google does require 12 characters, which is more than many sites, but with the world moving to passphrases this is not terrible... though I suspect it is not necessary, and it is more than government cyber advice requires. Google also prevents password reuse, which is unfortunate and not in line with government cyber advice. Passwords should never expire, and should only be changed by users on suspected compromise.

Blocking password reuse causes new security issues. Take a user who wants to give someone account access very temporarily, then change their password back. Except they can't. So maybe now they give out their real password and don't change it, to a partner who then becomes an ex-partner. Besides, blocking reuse might be fair if a password was 'properly used', but in many cases a user may want to temporarily change a password within a single day, or when there are IT problems.

Maybe their borrowed keyboard has a broken key and they can't type % without copy-paste, and they are annoyed at having to keep logging in, so they temporarily change their password till the keyboard is fixed. Who knows; there are many scenarios, but forcing users to never reuse passwords, even when they are 100% sure there has been no compromise, is just friction. It adds to password support calls, to passwords being written down, or to new passwords changing from password 123 to password1234 or something. Simple (but long) is secure.

University North Carolina Pembroke - SECURITY FAIL

When a major story broke about password complexity in 2017, the respected USA Today newspaper cited university-level research from UNCP that confirmed what had been found elsewhere about forced password complexity and password expiry (forced changes).

A copy of the research paper cited by the newspapers is on the university server:

https://www.cs.unc.edu/~fabian/papers/PasswordExpire.pdf


Except that the university itself has not adopted its own research (dated 2010) or the US Government's cyber security guidelines; in the last decade it has made its policy even more restrictive, completely the opposite of best practice in online security.

https://www.uncp.edu/resources/division-information-technology/help-desk/passwords

Passwords are set to expire every 90 days, can't be reused, and must contain characters from three of the following four groups... but while special symbols are forced, they are NOT PERMITTED as letter substitutions (e.g. o = 0 or 3 = E), and passwords can't contain more than two consecutive letters from the name or user name (e.g. 'Hoped' is not permitted if your name is Cooper...)

Goodness, talk about onerous and time-wasting, and also less secure. Do you know anyone in charge at this university? Please help them discover the folly of their current advice, and encourage them to improve their online security by simplifying passwords, in line with the US Government's very clear advice.

MelbourneIT - SECURITY FAIL

Below is a transcript of a help chat I had with MelbourneIT, which would be amusing if it was not sadly indicative of poor security practices, and certainly of support staff unable to understand. It does however showcase that password complexity is so ingrained now that, even in the face of evidence (official Government advice), IT support staff can't even imagine that the old security policy should be questioned.
Since the time of this transcript, the URL I provided has changed domains, but the Government advice was as seen in the Internet Archive copy of the URL as at 2020:
https://web.archive.org/web/20200331172721/https://www.staysmartonline.gov.au/protect-yourself/doing-things-safely/passwords-passphrases
Which states: Do not include Arbitrarily mixed letters, numbers and symbols in your passwords. And of course MelbourneIT's security was directly contradicting the Australian Government's cyber security advice, which hadn't been advised as changed. One may be forgiven for assuming a web domain service would be up with current online security best practice... as given by Microsoft, the USA & UK governments, and several university research studies.
Transcript below. IT Support: can you hear me? Can you understand? Are you security aware or mindlessly sticking to the script, even when there is clear evidence it needs to change?

Stevenson (19/05/2020, 23:08:07): Hello. How can I assist you today?
Me (19/05/2020, 23:08:38): Hi, I was having trouble setting a new account password.
Me (19/05/2020, 23:09:03): It said I needed to put in special characters in the new password
Me (19/05/2020, 23:09:52): I wanted to give some feedback
Stevenson (19/05/2020, 23:10:16): Hello Chris. Are you pertaining to your email account or console password?
Me (19/05/2020, 23:10:31): Or perhaps a mild complaint - it seems your password policy is out of alignment with security best practice. I wondered if you could forward this as a suggestion to your team?
Me (19/05/2020, 23:10:42): Account password for all my domains
Me (19/05/2020, 23:10:55): Australian https://www.staysmartonline.gov.au/protect-yourself/doing-things-safely/passwords-passphrases UK https://www.ncsc.gov.uk/collection/passwords/updating-your-approach USA https://pages.nist.gov/800-63-3/sp800-63b.html https://en.wikipedia.org/wiki/Password#Choosing_a_secure_and_memorable_password
Me (19/05/2020, 23:11:41): Can I gently point out that password rules like you have, were regarded as specifically advised against - because they are actually less secure?
Me (19/05/2020, 23:12:21): I assume that the national government websites of three major Western nations should be sufficient - but most of the world's government security says the same thing
Me (19/05/2020, 23:12:48): Which is DO NOT enforce password rules with special characters and other stuff (don't force users to regularly change passwords etc)
Me (19/05/2020, 23:14:59): Password rules WERE regarded once - long ago - as a good idea, but a lot of research found it a lot worse to force them... Makes folk write it down or more frequently have to reset, which is worse and so on.
Anyway, given the links above seem pretty darn clear - I wondered if your organisation might want to update its security to align with current best practice.
Because it's a bit of a pain for users, quite apart from being less secure.
I don't want to make a big fuss, but wondered if you might pass this on as a suggestion?
Stevenson (19/05/2020, 23:15:10): Thank you for waiting. Apologies for late response. Thank you for confirming. Our system is requiring a strong password for your account for security purpose. It must be minimum of 8 alpha numeric characters with uppercase and special characters (e.g: !,@, #, etc.). You can use a password generator to create password, kindly see the link below:
https://passwordsgenerator.net/
Me (19/05/2020, 23:16:20): Yes. Can you see these rules are not in alignment with the Australian government IT security advice? I know these were the old way, but that was years ago.
Me (19/05/2020, 23:17:45): I guess I'm gently pointing out your security policy is not in alignment with many western government nations security recommendations - which cover that password rules with special characters WAS seen as secure, but is not seen as LESS secure.
Me (19/05/2020, 23:18:50): now seen as less secure I mean :-)
Stevenson (19/05/2020, 23:18:56): Sorry if you're not happy on our security purpose for our password recommendation for our customers console and email accounts
Stevenson (19/05/2020, 23:19:43): Our system will only accept the password that you're going to create if it contains minimum of 8 alpha numeric characters with uppercase and special characters (e.g: !,@, #, etc.).
Me (19/05/2020, 23:20:23): I just thought you would want to have good security, so perhaps your organisation wasn't aware of the updated policy advice on secure passwords, that's all.
So what is the best way to communicate this to your team?
Me (19/05/2020, 23:21:25): I can see you are advising me what the policy is. That's clear. But it's the policy itself that I am alerting you to. I am quite clear what characters are needed. Are you clear in what I am communicating to you about the Australian government best practice on password security?
Stevenson (19/05/2020, 23:21:26): You can email us at feedback@melbourneit.com.au
Me (19/05/2020, 23:22:00): Ok, are you not able to take this to your team directly?
Me (19/05/2020, 23:22:52): Can you see the links? I mean they are quite clear that password rules are not secure, and advised not to be used. So I wanted to help your team realise this, and consider a review, that's all.
Stevenson (19/05/2020, 23:25:24): Thank you for your concern. But I think our password requirement is justifiable. When I'm updating my password on my social media accounts it is also requiring secure password that contains of minimum of 8 alpha numeric characters with uppercase and special characters
Me (19/05/2020, 23:27:04): Are you suggesting the Australian Government is not correct in their security advice?
Me (19/05/2020, 23:28:12): It seems your own site is probably using the old security rules too then.
I guess we should advise them as well, as the government advice comes from extensive research into what is secure, and rules SEEM secure, but the data shows otherwise.
Stevenson (19/05/2020, 23:28:38): I am not saying that. What I'm trying to say is other accounts are also requiring same password requirements that we are also using for additional security on our customers account
Me (19/05/2020, 23:29:11): Yes, it seems there are a lot of sites that have not updated their security policy in accordance with best practice.
Me (19/05/2020, 23:29:21): Given that it changed a few years ago.
Me (19/05/2020, 23:30:40): I suspect though, I'm not able to communicate this effectively for some reason. I just wanted to give feedback that the security advice has changed, and that you might want to review given your site is not in alignment with the current security advice, that's all.
Me (19/05/2020, 23:30:58): I'll leave it at that, and try to send feedback via your email address instead.
Stevenson (19/05/2020, 23:32:08): Thank you for your concern Chris. But for the mean time our system currently recognized that the password is secure if it contains of minimum of 8 alpha numeric characters with uppercase and special characters
Stevenson (19/05/2020, 23:32:16): Would there be anything else that I can help you with?
Me (19/05/2020, 23:33:05): No thanks.
Stevenson (19/05/2020, 23:33:36): You're welcome Chris.
Stevenson (19/05/2020, 23:33:44): Have a Great Day ahead and Stay Safe!
Me (19/05/2020, 23:34:36): Oh,
Me (19/05/2020, 23:35:08): I just checked. Facebook doesn't have Password rules. They have now removed the requirement to use special characters in passwords. Just saying...
Stevenson (19/05/2020, 23:35:41): Thank you for that information, maybe it's still not updated on our system.
Me (19/05/2020, 23:35:42): Min length yes, common words yes - these are banned, but capitals and special characters - these are not required anymore.
Me (19/05/2020, 23:35:50): Ok. Bye

Additionally, MelbourneIT's password complexity rules are even worse than usual: they demand special characters, yet ban SOME standard special punctuation characters, such as brackets and hyphens!

https://support.melbourneit.com.au/s/article/Reset-Your-Email-Password

Enter the new password. Passwords must contain one each of the following: Upper and Lowercase letters; Numbers and Special characters. Please do not use the open or close bracket characters - ( or ).
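As an added illustration (not MelbourneIT's code, and not taken from any of the linked guidance): the quoted composition rule implemented beside the length-plus-blocklist check that NIST SP 800-63B describes. The blocklist, the leet-folding table and the sample passwords are constructed for this example.

```python
import re

# Constructed sample blocklist; a deployment would use a large breach-derived list.
COMMON_PASSWORDS = {"password", "p@ssw0rd", "123456", "qwerty", "letmein", "welcome1"}

# Constructed leet-speak folding table so "P@ssw0rd" is caught as "password".
LEET = str.maketrans("@0134$!", "aoleasi")


def legacy_policy_ok(pw: str) -> bool:
    """Composition rule as quoted from the MelbourneIT help page: at least 8
    characters with upper, lower, digit and special characters, and the
    brackets '(' and ')' rejected outright."""
    if len(pw) < 8 or "(" in pw or ")" in pw:
        return False
    return all(re.search(p, pw) for p in (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]"))


def modern_policy_ok(pw: str, min_len: int = 8, max_len: int = 64) -> bool:
    """Length plus blocklist, no composition rules (the NIST SP 800-63B approach):
    any printable character, including brackets and spaces, is allowed."""
    if not (min_len <= len(pw) <= max_len):
        return False
    folded = pw.strip().lower()
    if folded in COMMON_PASSWORDS or folded.translate(LEET) in COMMON_PASSWORDS:
        return False
    # Reject trivially repetitive or sequential strings such as "aaaaaaaa" or "12345678".
    if len(set(folded)) <= 2 or folded in "abcdefghijklmnopqrstuvwxyz0123456789":
        return False
    return True


def compare(passwords):
    """Return {password: (legacy_ok, modern_ok)} for a list of candidates."""
    return {pw: (legacy_policy_ok(pw), modern_policy_ok(pw)) for pw in passwords}


if __name__ == "__main__":
    # Constructed samples: the classic weak-but-compliant password, an xkcd-style
    # passphrase, and a strong password that the bracket ban would reject.
    results = compare(["P@ssw0rd", "correct horse battery staple", "Str0ng!(pass)"])
    for pw, (legacy, modern) in results.items():
        print(f"{pw!r:35} composition rules: {legacy!s:5} length+blocklist: {modern}")
```

The composition rule accepts the blocklisted "P@ssw0rd" and rejects both the long passphrase and the bracketed password; the length-plus-blocklist check does the reverse.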


Randall Munroe nails it in https://xkcd.com/936, his globally recognised cartoon on the matter: