A view from Dave Trott: Meat vs metal

There’s no doubt, the future is technology.

Technology doesn’t make mistakes like us all-too-fallible humans do.

For instance, take the passwords necessary to access our computers.

Humans would pick passwords that were too easy to crack, right?

But thanks to technological guidelines, passwords are now virtually uncrackable.

Well, not exactly.

The man who defined the original rules for password safety now says he got it all wrong.

That, actually, all he did was make passwords easier to crack.

In 2003, Bill Burr was a manager at the National Institute of Standards and Technology.

He wrote an eight-page appendix to one of its standards: NIST Special Publication 800-63, Appendix A.

It was subtitled ‘Estimating Password Entropy and Strength’.

It’s the advice we’ve all become familiar with as the rules for creating passwords.

  1. A password should include at least one capital letter.
  2. A password should include at least one symbol.
  3. A password should include at least one number.
  4. A password should be changed every 90 days.

His advice was adopted by most academic institutions, government bodies and large corporations.

Our password strength is automatically judged against these guidelines.

But Bill Burr now says these were totally wrong.

NIST agrees with him: its 2017 revision, Special Publication 800-63B, drops the composition rules and the routine 90-day change, and instead tells systems to check a new password against lists of passwords already known to be common or breached.

Because not only did these rules make passwords difficult for humans to remember.

They actually made passwords easier for algorithms to crack.

The Wall Street Journal illustrated the point with a widely shared cartoon from the webcomic XKCD.

It showed that a dictionary word dressed up with symbols and numbers (such as: Tr0ub4dor&3) would take a program guessing a thousand times a second about three days to crack.

But four ordinary words chosen at random (such as: correcthorsebatterystaple) would take the same program around 550 years.

Even though it’s all written in simple, ordinary, lower-case letters.

Those figures assume an attacker guessing through a login page; a cracking rig working on a stolen password database guesses billions of times a second, so both numbers shrink, but the passphrase stays tens of thousands of times harder.

Burr’s advice appeared correct because it made passwords difficult for humans to crack.

But it’s easy to write a program that tries the usual substitutions: & for "and", 4 for "for" or "a", 0 for "o", $ for "s", a capital letter at the front, a digit or symbol at the end, and any number of similar combinations.

The algorithm simply runs through the alternatives, and for any one base word there are only a few thousand of them.

But give it four words picked at random, with no pattern to exploit, and even from a list of only 2,048 words there are more than seventeen trillion combinations to run through.

Although the words are much easier for humans to remember.
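The two sides of that comparison, as an added worked example that is not part of the column: it enumerates the capitalisation and leetspeak variants a cracking tool would try for the comic's base word "troubador" (the substitution table is a small constructed one; real rule sets are bigger, but the count stays in the thousands), turns bits of entropy into search time at an online and an offline guessing rate (the 28-bit figure is the comic's own estimate, taken as an input), and generates a passphrase with the operating system's random number generator rather than a human's choices. The eight-word list is constructed for the example; a real Diceware or EFF list has 7,776 words.

```python
"""Why "Tr0ub4dor&3" loses to "correct horse battery staple".

Added example (not the column's own material): enumerates the leetspeak
variants a cracking tool tries for one dictionary word, estimates search
time from bits of entropy, and builds a passphrase with a CSPRNG.
"""
import itertools
import math
import secrets

# Leetspeak substitutions a cracker's mangling rules try for each letter.
# Constructed for this example; real rule sets are larger, but the number of
# variants per base word stays in the thousands, never the trillions.
LEET = {"a": "a4@", "e": "e3", "i": "i1!", "o": "o0", "s": "s$5", "t": "t7"}

# A tiny constructed word list; a real Diceware/EFF list has 7,776 entries.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple",
                "window", "garden", "pencil", "river"]


def leet_variants(word):
    """Yield every capitalisation and substitution variant of a base word."""
    choices = []
    for ch in word.lower():
        subs = set(LEET.get(ch, ch))   # the letter itself plus its leet forms
        if ch.isalpha():
            subs.add(ch.upper())       # the "at least one capital" rule
        choices.append(sorted(subs))
    for combo in itertools.product(*choices):
        yield "".join(combo)


def count_leet_variants(word):
    """Number of guesses needed to cover every variant of one base word."""
    return sum(1 for _ in leet_variants(word))


def search_time_seconds(entropy_bits, guesses_per_second):
    """Time to try every candidate in a keyspace of 2**entropy_bits."""
    return 2 ** entropy_bits / guesses_per_second


def passphrase_bits(n_words, wordlist_size):
    """Entropy of n words drawn uniformly, with replacement, from a list."""
    return n_words * math.log2(wordlist_size)


def make_passphrase(wordlist, n_words=4):
    """Pick the words with the OS CSPRNG; a person picking 'random' words is not random."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    n = count_leet_variants("troubador")
    print(f"'troubador' has {n} capitalisation/leet variants: "
          "a few thousand extra guesses, not a new keyspace")
    cases = (("Tr0ub4dor&3 (the comic's ~28-bit estimate)", 28),
             ("four random words from a 2048-word list", passphrase_bits(4, 2048)))
    for label, bits in cases:
        online = search_time_seconds(bits, 1_000) / 86_400        # days at 1e3 guesses/s
        offline = search_time_seconds(bits, 10_000_000_000)       # seconds at 1e10 guesses/s
        print(f"{label}: {online:,.1f} days online, {offline:,.1f} s offline")
    print("example passphrase:", make_passphrase(SAMPLE_WORDS))
```

The offline rate of ten billion guesses a second is an illustrative round number for a GPU attacking a fast, unsalted hash; it is there to show that the ratio between the two schemes (2^16, about 65,000 to one) holds whatever the rate, even though the absolute times collapse.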

What Burr had done was decide on passwords that seemed difficult for humans but were actually easy for machines.

The truth is the other way round: passwords that are easy for humans are much more difficult for machines.

This is the flaw with the human mind.

We are seduced by whatever is new and complex.

If a thing seems difficult, we think it must be intelligent.

What Burr hadn’t allowed for was that humans wouldn’t be cracking the passwords, machines would.

And machines can do mundane tasks many, many times faster than humans.

But what they can’t do is anything unpredictable or creative, anything they haven’t been told to expect.

(The random words themselves should be picked by dice or by the computer’s own random number generator, not by a person: a human asked for random words reaches for predictable ones.)

Simply because they lack intuition.

They are incapable of creative thought, because they are machines.

Machines are very good at what machines do, but not very good at what humans do.

Dave Trott is the author of Creative Mischief, Predatory Thinking and One Plus One Equals Three