Forget Everything You Know About Passwords, Says Man Who Made Password Rules


Much of the password advice given out over the last 16 years is just plain wrong, the author of a guide to computer passwords has admitted.

"Much of what I did I now regret", Burr told The Wall Street Journal in an interview.

What he did was create the page-turning document known as "NIST Special Publication 800-63". Its requirement to use a letter, a number, an uppercase letter and a special character isn't useful, for example, and neither is its recommendation to change your password every 90 days.

Now, one can choose to use long but easy-to-remember phrases instead of passwords built from complex mixtures of letters, numbers and special characters.

The 72-year-old outlined what has become password gospel while working for the National Institute of Standards and Technology in 2003.

Burr told The Wall Street Journal that his advice has led people astray because the rules were probably too challenging for many to follow, and pushed people towards passwords that were not hard to crack. When forced to rotate, people often change just one character of their password if the platform allows it, completely defeating the purpose of the requirement. Additionally, the passwords they chose were predictable, given the limited number of ways such characters tend to be used.
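To make the two points above concrete, here is an added example that is not part of the article and not NIST's own code: a password-change checker that drops the composition rule in favour of a length requirement, so long passphrases pass, and that rejects a "new" password which is only a trivial tweak of the old one (the one-character change, the bumped trailing number, or a look-alike symbol swap). The threshold of 12 characters, the allowance of two edits, and the look-alike table are assumptions of the example; the article gives no such numbers. The comparison uses both passwords in plaintext at change time, when the user has just typed them, so nothing reversible needs to be stored.

```python
"""Added example (not from the article or from NIST): a password-change
checker applying the article's lessons. No character-class rule; length
instead, plus a trivial-change check against the previous password."""

from dataclasses import dataclass
from typing import Optional

MIN_LENGTH = 12          # assumed threshold; the article gives no number
MAX_EDIT_DISTANCE = 2    # assumed: up to two edits counts as a trivial tweak

# Coarse look-alike collapse: each symbol maps to the letter it usually stands
# in for, so "Purp1e E1eph@nt" normalises to "purple elephant". Assumed table.
_LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "l", "!": "l",
                       "|": "l", "i": "l", "0": "o", "$": "s", "5": "s",
                       "7": "t", "+": "t"})


def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character insertions, deletions or
    substitutions that turn a into b (classic dynamic programme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def meets_old_composition_rule(pw: str) -> bool:
    """The 2003-era rule the article criticises: a lowercase letter, an
    uppercase letter, a digit and a special character, length aside."""
    return (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(not c.isalnum() and not c.isspace() for c in pw))


@dataclass
class Verdict:
    ok: bool
    reason: str


def check_new_password(new: str, old: Optional[str] = None) -> Verdict:
    """Length-based policy plus a trivial-change check against the previous
    password. No character-class requirement at all."""
    if len(new) < MIN_LENGTH:
        return Verdict(False, f"shorter than {MIN_LENGTH} characters")
    if old is not None:
        a, b = new.casefold(), old.casefold()
        if levenshtein(a, b) <= MAX_EDIT_DISTANCE:
            return Verdict(False, "differs from the previous password by only a character or two")
        if a.rstrip("0123456789") == b.rstrip("0123456789"):
            return Verdict(False, "previous password with only the trailing number changed")
        if a.translate(_LEET) == b.translate(_LEET):
            return Verdict(False, "previous password with letters swapped for look-alike symbols")
    return Verdict(True, "accepted")


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    cases = [
        ("P@ssw0rd1", None),                                   # passes old rule, too short here
        ("correct horse battery staple", None),                # fails old rule, passes here
        ("Summer2018!Beach", "Summer2017!Beach"),              # one-character rotation
        ("MyPassphraseIsLong2018", "MyPassphraseIsLong1"),     # trailing counter only
        ("Purp1e E1eph@nt D@nces", "Purple Elephant Dances"),  # look-alike swaps only
        ("tuesday coffee before the rain", "correct horse battery staple"),
    ]
    for new, old in cases:
        v = check_new_password(new, old)
        print(f"{new!r:34} old-rule={meets_old_composition_rule(new)!s:5} "
              f"new-policy={v.ok!s:5} {v.reason}")
```

The first two cases show the reversal the article describes: a short symbol-laden string satisfies the old composition rule but fails the length-based policy, while a four-word passphrase fails the old rule and passes the new one. The remaining cases are the "subtle tweaks" that a rotation requirement invites, each caught by a different check.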

All these rules had a "negative impact on usability", according to Paul Grassi, who led the team that created the new guidelines now being disseminated to the rest of the world.

Grassi nonetheless praised the longevity of Burr's guidelines despite their replacement, saying, "I only hope to be able to have a document hold up [10 to 15 years]", the WSJ reported.

In the paper, Burr recommended that in creating passwords, people should use tricks like random capitalization and special characters.

What are your tricks for dreaming up strong passwords, and have they kept you safe over the years? Not only are hackers aware of the subtle tweaks people make, they have them built into their cracking scripts, as with numbers that appear in the middle of words in a password.

And there is little doubt that getting people to secure their accounts with unique and private logins is a good move, but long and complicated passwords often do not help matters.