Man Who Suggested Complicated, Always Changing Passwords Now Has Regrets


We all know that it’s not a great idea to use an easy-to-guess password such as “123456,” although plenty of people do that. Instead, we’re often told to use complicated strings of words, numbers, and special characters to protect our online personas, as they were thought to be more difficult to guess — and sometimes to remember. Now, though, the man who kicked off the involved password era says maybe he wasn’t right after all.

The Wall Street Journal reports that the man who wrote an eight-page primer on how to keep online accounts safe back in 2003 now believes that some of his advice on how to set passwords — which has been adopted by government agencies, corporations, and others — wasn’t entirely correct.

In fact, Bill Burr, who was working as a midlevel manager at the National Institute of Standards and Technology when he penned the advice, says he now regrets much of what he wrote.

That’s because, over time, he realized that some of the tips weren’t actually helpful, and might even cause more harm than good.

What Was Wrong?

For instance, Burr tells the WSJ that his advice to change passwords every 90 days to fend off hackers didn’t quite work out.

Instead of changing their passwords to entirely new themes or sequences, many people changed only one element of the password, such as turning a “1” into a “2.” Burr says this does nothing to secure the account, since hackers can easily guess such changes.

Another issue Burr takes with his own advice involves including so many elements in passwords. Many companies and services require users to include uppercase letters, numbers, and special characters in their passwords.

Such passwords, researchers say now, could be more easily cracked than a long phrase or random words strung together.

Burr tells the WSJ that when he wrote the primer there wasn’t a lot of real-world password data to consider, as there now seems to be.

“In the end, it was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree,” Burr tells the WSJ.

Making Changes

A lot of things have changed since 2003, and there’s now a plethora of data related to password security available.

For example, researchers now know that the complicated requirements described by Burr annoy people, and make them pick less secure passwords, or the same thing over and over.

To that end, the primer — NIST Special Publication 800-63, Appendix A — received a rewrite in June.

NIST had planned to revise the primer, simply removing the worst password recommendations. But that endeavor turned into a complete rewrite.

These new guidelines are now making the rounds: They no longer include complicated requirements for special characters and they eliminate the password expiration mandate.

Instead, NIST now recommends long, easy-to-remember phrases, and that passwords be changed only if there are signs the account has been breached or the password was stolen.
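To make the contrast concrete, here is an added example (not code from the article, NIST, or the WSJ) in Python: a 2003-style composition-rule check beside a check modeled on the revised SP 800-63B guidance (8 to 64 characters, no character-class rules, reject passwords found in a compromised-password list, and reject a "new" password that is just the old one with a digit bumped). The blocklist is constructed for the example; a real deployment would check against a large breach corpus.

```python
import re
from typing import Optional, Tuple

# Constructed stand-in for a compromised/common-password list.
BLOCKLIST = {"123456", "password", "qwerty", "summer2017", "letmein"}

# The four character classes a legacy "complexity" rule typically demands.
COMPLEXITY_CLASSES = [r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]"]


def legacy_policy_accepts(pw: str) -> bool:
    """2003-style rule: at least 8 characters and all four character classes."""
    return len(pw) >= 8 and all(re.search(p, pw) for p in COMPLEXITY_CLASSES)


def normalize(pw: str) -> str:
    """Drop digits, symbols and case so 'Summer2017!' and 'Summer2018!' compare equal."""
    return re.sub(r"[^a-z]", "", pw.lower())


def is_trivial_change(old: str, new: str) -> bool:
    """True when the new password is the old one with only digits/symbols/case altered
    (or is simply reused), which is the rotation behaviour the article describes."""
    return normalize(old) == normalize(new)


def nist_policy_accepts(pw: str, previous: Optional[str] = None) -> Tuple[bool, str]:
    """SP 800-63B-style check: length bounds and a blocklist, no composition rules."""
    if not 8 <= len(pw) <= 64:
        return False, "length must be 8-64 characters"
    if pw.lower() in BLOCKLIST:
        return False, "password appears in a compromised/common-password list"
    if previous is not None and is_trivial_change(previous, pw):
        return False, "new password is a trivial variation of the previous one"
    return True, "ok"


if __name__ == "__main__":
    # A rotated password that satisfies every complexity rule but adds nothing.
    print(legacy_policy_accepts("Summer2018!"))                        # True
    print(nist_policy_accepts("Summer2018!", previous="Summer2017!"))  # rejected
    # A long phrase that the legacy rule rejects but the revised guidance accepts.
    print(legacy_policy_accepts("correct horse battery staple"))       # False
    print(nist_policy_accepts("correct horse battery staple"))         # (True, 'ok')
```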