Identity & Access Management

3214 - Password Whiplash

Wednesday, October 10
9:45 AM - 10:45 AM
Location: Floor 2: Galerie 2

On Aug. 7, 2017, the Wall Street Journal published “The Man Who Wrote Those Password Rules Has a New Tip: N3v$r M1^d!”

Robert McMillan interviewed Bill Burr, who stated that the password guidance in that 2004 NIST publication was ill-advised. Burr coauthored NIST Special Publication 800-63B, Digital Identity Guidelines: Authentication and Lifecycle Management, published June 2017. The new publication ripped out much of the earlier guidance. People who have been responsible for establishing password policy in organizations, particularly those who were enforcing more extreme rules, are likely to get a mental whiplash as they attempt to understand and adopt the new guidance.

A panel will discuss why the old guidance was not working, describe the new guidance, and recommend ways to adopt it.


Learning Objectives:

Hoyt Kesterson, CISSP, CISA, QSA

Senior Security Architect
Terra Verde

Hoyt L. Kesterson II is a senior security architect with Terra Verde. He has more than 40 years of experience in information security. For 21 years he chaired the international standards group that created the X.509 public-key certificate. He is a co-chair and founding member of the ABA’s Information Security Committee. He is a testifying expert. He is a PCI QSA who helps clients meet compliance requirements for authentication and encryption. He programmed his first userid and account authentication process for a communications front-end in the early '70s. He’s presented at the RSA Security Conference more than 25 times. He presented "Everything We’re Doing with Passwords Is Wrong" at the 2013 RSA Conference. The video can be found on the RSA Conference site and on YouTube.


William E. Burr


Bill Burr worked at NIST for 32 years, where he chaired the Federal PKI Technical Working Group in the 1990s and managed the NIST cryptography group from 2000 through 2010. During this period, the group published the widely used AES encryption and SHA-2 hash function standards and began the SHA-3 hash standard selection. He wrote much of an influential publication, NIST SP 800-63, Electronic Authentication Guideline, including an appendix on passwords, which regrettably gave some guidance that is partly to blame for much user frustration. After retiring in 2011, Bill worked as a consultant on the SHA-3 competition and on the revised SP 800-63-3, Digital Identity Guidelines, which, he thinks, gives much better password guidance.


Ralph Spencer Poore, CISSP, CISA, CFE, CHS-III, PCIP

Director, Emerging Standard
PCI Security Standards Council

Ralph Spencer Poore has over 35 years of information security experience, including more than 20 years of applied cryptography. He has written extensively on information security and cryptography. His work is cited in academic papers, national standards, professional journals, and books. In various capacities, he has designed and led teams of developers in cryptographic system projects, resulting in patents of systems based on cryptography. He has extensive experience in the financial services industry and in the development of national and international standards. He is the Vice Chair of ANSI X9F1. He is an ISSA Distinguished Fellow and has received numerous awards for his professional work. He holds the PCIP, CFE, CISA, CISSP, and CHS-III certifications.
