The man whose advice compelled the world to choose complex passwords — with capital letters, numbers and special characters — has admitted he was ‘barking up the wrong tree.’
Bill Burr, who works at the National Institute of Standards and Technology, inked the guidelines for password strength in 2003.
Back then, he also advised us to update passwords regularly, meaning we had umpteen complex passwords to remember at any given time.
“Much of what I did I now regret,” Burr, now 72 and retired, told the Wall Street Journal.
“In the end, it was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree.”
So where does that leave us? Well, thankfully the NIST is creating a brand new set of guidelines, overhauling many of the practices.
The new guidelines will call for longer phrases with memorable words strung together. For example, ‘fishchipsmushypeas’ would be much harder for botnets to guess than weaker single-word passwords littered with special characters and numbers.
Apparently, those passwords are easy enough to guess because people just swap out an ‘o’ for a ‘0’, or an ‘i’ for an ‘!’.
Goodbye, enforced changes
The new advice will also call for regular, enforced password changes to be ditched unless there’s a security breach.
The NIST believes that people only tend to change one character when forced into a password change. So, Password1 becomes Password2 and so on.
The new guidelines say: “Research has shown, however, that users respond in very predictable ways to the requirements imposed by composition rules. For example, a user that might have chosen “password” as their password would be relatively likely to choose “Password1” if required to include an uppercase letter and a number, or “Password1!” if a symbol is also required.”
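As an added illustration (not code from the article or from NIST), here is a small Python screening check in the spirit of the new guidance: it favours length, drops composition rules, and instead undoes the predictable substitutions and counters described above before comparing against a blocklist. The blocklist and the 8-character minimum (the figure NIST SP 800-63B uses for user-chosen secrets) are assumptions for the example.

```python
import re
from typing import Tuple

# Constructed sample blocklist; a real deployment would screen against a large
# dictionary / breach-corpus list, which is what the new guidance recommends.
COMMON_WORDS = {"password", "qwerty", "letmein", "welcome", "admin", "12345678"}

# The swaps the article describes ('o' -> '0', 'i' -> '!') plus a few common cousins.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "!": "i", "3": "e",
                          "4": "a", "@": "a", "5": "s", "$": "s", "7": "t"})

MIN_LENGTH = 8  # assumption: SP 800-63B minimum for user-chosen secrets


def normalize(password: str) -> str:
    """Undo the predictable tricks composition rules push users toward."""
    core = password.lower()
    core = re.sub(r"[^a-z]+$", "", core)  # strip appended counters/symbols: '1', '!', '2'
    return core.translate(LEET_MAP)       # reverse the character swaps


def check_password(password: str) -> Tuple[bool, str]:
    """Length-first check with no composition rules; return (accepted, reason)."""
    if len(password) < MIN_LENGTH:
        return False, "too short"
    if password.lower() in COMMON_WORDS:
        return False, "matches a common password"
    if normalize(password) in COMMON_WORDS:
        return False, "a common word with predictable substitutions"
    return True, "ok"


def is_trivial_change(old: str, new: str) -> bool:
    """True when a forced change only bumped a counter or symbol (Password1 -> Password2)."""
    return normalize(old) == normalize(new)


if __name__ == "__main__":
    for candidate in ["Password1!", "P@ssw0rd", "fishchipsmushypeas", "Admin2"]:
        print(candidate, check_password(candidate))
    print("Password1 -> Password2 trivial:", is_trivial_change("Password1", "Password2"))
```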
Burr is also among those authoring the new guidelines. Let’s hope that in 15 years’ time he doesn’t turn around and regret everything once again.