

The man who created password hell admits he got it all wrong

The man whose advice compelled the world to choose complex passwords, with capital letters, numbers and special characters, has admitted he was ‘barking up the wrong tree.’

Bill Burr, who works at the National Institute of Standards and Technology, inked the guidelines for password strength in 2003.

Back then, he also advised us to change passwords regularly, meaning users had a constant stream of fresh, complex passwords to memorise.

“Much of what I did I now regret,” Burr, now 72 and retired, told the Wall Street Journal.

“In the end, it was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree.”

So where does that leave us? Thankfully, NIST has rewritten the guidance in its new Digital Identity Guidelines (SP 800-63B), overhauling many of those practices.

The new guidelines call for longer passphrases made of memorable words strung together. For example, ‘fishchipsmushypeas’ is far harder for automated password-cracking tools to guess than a short single-word password dressed up with special characters and numbers, because it is much longer and cannot be reduced to one dictionary entry plus a handful of substitutions.

Those dressed-up passwords are easy to guess because people all make the same swaps, an ‘o’ for a ‘0’ or an ‘i’ for an ‘!’, and cracking tools apply exactly those swaps to every dictionary word automatically.

Goodbye, enforced changes

The new advice also says that regular, enforced password changes should be dropped, with a change required only when there is evidence the password has been compromised.

NIST’s research found that people tend to change only one character when forced into a password change. So Password1 becomes Password2, and so on.

The new guidelines say: “Research has shown, however, that users respond in very predictable ways to the requirements imposed by composition rules. For example, a user that might have chosen ‘password’ as their password would be relatively likely to choose ‘Password1’ if required to include an uppercase letter and a number, or ‘Password1!’ if a symbol is also required.”
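To make the difference between the two approaches concrete, here is an added example (not code from the article, and not NIST’s own checker) that puts the old composition-rule policy next to an SP 800-63B-style policy. It undoes the predictable substitutions and trailing suffixes described above before checking a blocklist, and it flags the Password1-to-Password2 kind of change. The blocklist and the substitution table are constructed for illustration; a real deployment would load a breach corpus with millions of entries.

```python
"""Old composition-rule password policy versus an SP 800-63B-style policy.

Added illustration; not code from the article or from NIST.
"""
import re

# Constructed mini-blocklist. A real verifier would load a large corpus of
# breached and commonly used passwords instead of this handful of words.
BLOCKLIST = {"password", "qwerty", "letmein", "iloveyou", "welcome",
             "admin", "football", "monkey"}

# The character swaps the article describes. Cracking tools apply these
# rules to every dictionary word, so the verifier undoes them before lookup.
LEET = str.maketrans({"0": "o", "1": "i", "!": "i", "@": "a", "$": "s",
                      "3": "e", "4": "a", "5": "s", "7": "t"})


def old_policy_ok(pw: str) -> bool:
    """2003-era rule: at least 8 chars with upper, lower, digit and symbol."""
    return (len(pw) >= 8
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def normalize(pw: str) -> str:
    """Reduce a password to the dictionary word an attacker's rules start from.

    Lower-cases, strips the trailing '1', '1!', '2017!' etc. that composition
    rules provoke, then reverses the usual leetspeak substitutions.
    """
    core = pw.lower()
    core = re.sub(r"[^a-z]+$", "", core)   # drop trailing digits/symbols first
    return core.translate(LEET)            # then undo 0->o, @->a, ...


def new_policy_ok(pw: str, blocklist=BLOCKLIST, min_len: int = 8) -> bool:
    """SP 800-63B style: length is the main requirement, no composition
    rules, but anything that collapses to a blocklisted word is rejected."""
    if len(pw) < min_len:
        return False
    return normalize(pw) not in blocklist


def is_trivial_change(old_pw: str, new_pw: str) -> bool:
    """True when a forced change only bumped a suffix or swapped a character,
    e.g. Password1 -> Password2, which an attacker who knows the old one
    would guess immediately."""
    return normalize(old_pw) == normalize(new_pw)


if __name__ == "__main__":
    # Constructed sample inputs taken from the article's own examples.
    for candidate in ["Password1!", "P@ssw0rd1!", "fishchipsmushypeas"]:
        print(f"{candidate:22} old policy: {old_policy_ok(candidate)!s:5} "
              f"new policy: {new_policy_ok(candidate)}")
    print("Password1 -> Password2 trivial change:",
          is_trivial_change("Password1", "Password2"))
```

Under the old policy ‘Password1!’ and ‘P@ssw0rd1!’ pass and ‘fishchipsmushypeas’ fails; under the new policy the result is reversed, because the first two collapse to ‘password’ once the predictable decoration is stripped, while the passphrase is long and matches nothing on the blocklist.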

Burr is also among those authoring the new guidelines. Let’s hope in 15 years time he doesn’t turn around and regret everything once again.

