So it’s all been a big mistake (off-topic)

My 6-month-old iPhone is on the fritz.

That means a trip to the Genius Bar, which I can’t do without first making an appointment with the Genius Bar, which naturally I can’t do by simply ringing someone up on the telephone and asking them to book me in, but instead requires my jumping through multiple hoops on the Apple website and culminates in a quest to identify my latest iTunes/iCloud/Apple password and enter it exactly right, lest Apple make me change it yet again.

I’ve now lived through so many protracted “You’ve been locked out” episodes with Apple that I maintain a complete history of my password transactions with the company, which I consult each time trouble rears its head, hoping not to fall into the same trap(s) again. In short, I run a case ticket on myself. That’s how bad it is.

A typical entry:

10/19/2016 [worked on 1/15/2017, too] Apple is requiring a whole long security thing for its latest update on iPhone: password (not sure they called it that) is Xxxxxxxx  (use cap on Xxxxxx) | 4-digit Security Code for “card on file with Apple or iTunes store” is xxxx (because it’s for my Amex card, not for iCloud Keychain, apparently)

Every word of that narrative makes sense to me, in case you’re wondering.

Turns out it’s all been a big mistake:

Back in 2003, as a midlevel manager at the National Institute of Standards and Technology, Bill Burr was the author of “NIST Special Publication 800-63. Appendix A.” The 8-page primer advised people to protect their accounts by inventing awkward new words rife with obscure characters, capital letters and numbers—and to change them regularly.

The document became a sort of Hammurabi Code of passwords, the go-to guide for federal agencies, universities and large companies looking for a set of password-setting rules to follow.

The problem is the advice ended up largely incorrect, Mr. Burr says. Change your password every 90 days? Most people make minor changes that are easy to guess, he laments. Changing Pa55word!1 to Pa55word!2 doesn’t keep the hackers at bay.

Also off the mark: demanding a letter, number, uppercase letter and special character such as an exclamation point or question mark—a finger-twisting requirement.

“Much of what I did I now regret,” said Mr. Burr, 72 years old, who is now retired.

In a widely circulated piece, cartoonist Randall Munroe calculated it would take 550 years to crack the password “correct horse battery staple,” all written as one word. The password Tr0ub4dor&3, a typical example of a password using Mr. Burr’s old rules, could be cracked in three days, according to Mr. Munroe’s calculations, which have been verified by computer-security specialists.
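Here is how those two numbers fall out of an entropy estimate, as an added worked example (not code from this post, the WSJ article or Mr. Munroe). It assumes Munroe’s published figures: 1,000 guesses per second, a passphrase of four words drawn from a 2,048-word list (44 bits), and his breakdown of Tr0ub4dor&3 into roughly 28 bits once the attacker knows the recipe. The “strength meter” estimate and the Pa55word!1 → Pa55word!2 mutation cost are simplified models added here for contrast; the character-class sizes are plain ASCII counts.

```python
from math import log2
import string

# Guess rate from Munroe's comic (1,000 guesses/second, a throttled online
# attack). Offline cracking of leaked hashes runs many orders of magnitude
# faster, so read these times as relative, not absolute.
MUNROE_GUESSES_PER_SECOND = 1_000
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY

# (label, membership test, class size) for the ASCII character classes a
# composition rule typically demands.
CLASSES = (
    ("lower", str.islower, 26),
    ("upper", str.isupper, 26),
    ("digit", str.isdigit, 10),
    ("symbol", lambda c: c in string.punctuation, len(string.punctuation)),
)

# Munroe's attacker-model breakdown for Tr0ub4dor&3 (approximate bits per
# decision, as drawn in the comic). The attacker knows the pattern, so each
# choice costs only the bits needed to pick among the common options.
TROUBADOR_MODEL = {
    "uncommon base word": 16,
    "capitalization": 1,
    "common substitutions (0 for o, 4 for a)": 3,
    "appended numeral": 3,
    "appended punctuation": 4,
    "numeral/punctuation order": 1,
}


def naive_meter_bits(password: str) -> float:
    """What a typical strength meter credits: the union of character classes
    present, raised to the length. Assumes the attacker knows nothing about
    how the password was built, so it is an upper bound, not a prediction."""
    alphabet = sum(size for _, test, size in CLASSES
                   if any(test(c) for c in password))
    return len(password) * log2(alphabet)


def pattern_model_bits(model: dict) -> int:
    """Entropy when the attacker knows the recipe: sum of the per-decision bits."""
    return sum(model.values())


def passphrase_bits(word_count: int, wordlist_size: int = 2048) -> float:
    """Diceware-style passphrase: words chosen uniformly from a wordlist."""
    return word_count * log2(wordlist_size)


def mutation_bits(old: str, new: str) -> float:
    """Bits an attacker who already holds the old password needs to guess the
    new one, for an in-place edit of the same length (the Pa55word!1 ->
    Pa55word!2 rotation the article describes). Simplified model."""
    if len(old) != len(new):
        raise ValueError("model only covers same-length in-place edits")
    bits = 0.0
    for o, n in zip(old, new):
        if o != n:
            size = next((size for _, test, size in CLASSES if test(n)), None)
            if size is None:
                raise ValueError(f"unsupported character {n!r}")
            bits += log2(size)
    return bits


def crack_time_seconds(bits: float,
                       guesses_per_second: float = MUNROE_GUESSES_PER_SECOND) -> float:
    """Worst case: the attacker exhausts the whole 2**bits search space."""
    return 2 ** bits / guesses_per_second


def compare() -> dict:
    """(meter bits, attacker-model bits, worst-case seconds) for both passwords."""
    troub, phrase = "Tr0ub4dor&3", "correcthorsebatterystaple"
    troub_bits = pattern_model_bits(TROUBADOR_MODEL)
    phrase_bits = passphrase_bits(4)
    return {
        troub: (naive_meter_bits(troub), troub_bits, crack_time_seconds(troub_bits)),
        phrase: (naive_meter_bits(phrase), phrase_bits, crack_time_seconds(phrase_bits)),
    }


if __name__ == "__main__":
    for pw, (meter, model, secs) in compare().items():
        print(f"{pw:26s} meter={meter:5.1f} bits  attacker model={model:4.1f} bits  "
              f"worst case={secs / SECONDS_PER_DAY:,.1f} days "
              f"({secs / SECONDS_PER_YEAR:,.1f} years)")
    print("Pa55word!1 -> Pa55word!2 costs an attacker "
          f"{mutation_bits('Pa55word!1', 'Pa55word!2'):.1f} bits")
```

The lesson in the numbers: the meter credits Tr0ub4dor&3 with about 72 bits, but under Munroe’s model it has 28 and falls in about three days, while the four-word passphrase has 44 bits and holds out for some 550 years at the same rate. The 90-day rotation buys roughly log2(10), about 3.3 bits, against anyone who already has the old password.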

Collectively, humans spend the equivalent of more than 1,300 years each day typing passwords, according to Cormac Herley, a principal researcher at Microsoft Corp. His company once followed the Burr code for passwords, but no more.

I’m wondering how long it will take Apple to get the message.

I’m also wondering about my employer.

I return to the classroom in 3 weeks, and as excited as I am to be back, I’m not looking forward to renewing acquaintance with the every-3-month password-change policy, accompanied as it used to be by a sequence of inscrutable steps for accomplishing the task.

As I recall, clicking on the tab that said “Change Password” did the exact opposite of changing your password.

4 thoughts on “So it’s all been a big mistake (off-topic)”

  1. Yes, it turns out that something like “My youngest sons A and C are twins.” has 170 bits of entropy (I originally had a second clause to that sentence that gave it 340 bits of entropy, but it made it too hard to remember), while “correcthorsebatterystaple” has 93, and “Tr0ub4dor&3” has only 52. Which of these is easiest for you to remember?


  2. Add standard sentence punctuation and a capitalized proper name or two and you can have even greater entropy. And it’s easy to type.

    ‘A yard is 36″ long.’ including the capitalization and period, has 89.3 bits of entropy, which should be plenty for most uses. (Don’t use that password, but the idea is simple enough.) The fourth verse of a favorite song, a relatively obscure line from a play or movie, really anything long and moderately complex, is essentially unbreakable by most brute force tools.

