How some of the world's most brilliant computer scientists got password policies so wrong

submitted by
Style Pass
2024-11-21 07:00:05

The US government’s latest recommendations acknowledge that password composition and reset rules are not just annoying, but counterproductive.

The story of why password rules were recommended and enforced without scientific evidence since their invention in 1979 is a story of brilliant people, at the very top of their field, whose well-intentioned recommendations led to decades of ignorance. These mistakes are worth studying, in part, because the people making them were so damn brilliant and the consequences were so long lasting.

The scientists in this case were Robert Morris and Ken Thompson. Thompson is credited as a co-inventor of Unix and Morris as a contributor. Morris left Bell Labs in 1986 for a much less visible career at the National Security Agency. Thompson created the predecessor to the C language, won Computer Science’s highest prize – the Turing Award – in 1983, and later went to Google, where he co-invented the Go language.1

Forty-five years ago this month (November, 1979), Morris and Thompson published the definitive paper on passwords: Password Security: A Case History. In their paper, they reported on a natural experiment in which they examined 3,289 real-world2 user passwords. They discovered that 2,339 (71%) were either six or fewer characters of the same type (lower-case, upper-case, or digits) or 3 characters of mixed types. They found an additional 492 of the remainder (15% of all the passwords) were available in “dictionaries, name lists, and the like.”
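The two buckets Morris and Thompson used (short passwords drawn from a single character class, and very short passwords of mixed classes) are easy to reproduce as a classifier, and doing so shows why those buckets matter for a defender auditing a credential store. The following is an added example, not code from the article or from the 1979 paper; it assumes "3 characters of mixed types" means three or fewer characters, treats the dictionary check as applying only to the remainder (as the paper's percentages do), and uses a tiny constructed word list and constructed sample passwords rather than any real data.

```python
# Added example: a Morris/Thompson-style composition audit over constructed
# sample passwords. Category thresholds follow the article's summary of the
# 1979 paper; the word list and sample passwords are constructed here.

# Constructed stand-in for "dictionaries, name lists, and the like".
WEAK_WORDLIST = {"password", "secret", "letmein", "dennis", "unix"}

# Constructed sample passwords (not real-world data).
SAMPLE_PASSWORDS = [
    "abc", "123456", "ABCDEF",        # six or fewer chars, one class
    "a1B",                            # three chars, mixed classes
    "PASSWORD", "letmein",            # longer, but in the word list
    "Tr0ub4dor&3", "correcthorse",    # survive all three checks
]


def char_classes(pw: str) -> set:
    """Return the set of character classes present in pw."""
    classes = set()
    for ch in pw:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("other")
    return classes


def classify(pw: str) -> str:
    """Place a password in one of the paper's weak buckets, or 'other'.

    Assumption: 'mixed types' bucket is three or fewer characters.
    """
    if not pw:
        return "empty"
    classes = char_classes(pw)
    # Bucket (a): six or fewer characters, all lower, all upper, or all digits.
    if len(classes) == 1 and "other" not in classes and len(pw) <= 6:
        return "short-single-class"
    # Bucket (b): very short password mixing two or more classes.
    if len(classes) > 1 and len(pw) <= 3:
        return "short-mixed"
    # Dictionary check is applied to what remains, as in the paper.
    if pw.lower() in WEAK_WORDLIST:
        return "wordlist"
    return "other"


def summarize(passwords):
    """Count each bucket and report (count, percent of total) per bucket."""
    counts = {}
    for pw in passwords:
        cat = classify(pw)
        counts[cat] = counts.get(cat, 0) + 1
    total = len(passwords)
    return {k: (v, round(100 * v / total, 1)) for k, v in counts.items()}


if __name__ == "__main__":
    for bucket, (n, pct) in sorted(summarize(SAMPLE_PASSWORDS).items()):
        print(f"{bucket:20s} {n:3d} ({pct}%)")
```

Run against a real export of your own users' passwords (hashed stores need an offline guess-and-compare step instead of `classify` on plaintext), the same three buckets give a quick picture of how much of the population a trivial guessing attack would cover, which is the measurement that the composition-rule recommendations were supposed to, but did not, improve.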
