The man who created the most common type of “hard to crack” online passwords is now saying he regrets his advice. Bill Burr, a former National Institute of Standards and Technology manager, told the Wall Street Journal that his 2003 document — which was used by government employees and went on to inform password rules in general — isn’t the best advice anymore.

Burr originally recommended creating passwords that were a string of completely random letters, numbers, and symbols. He also recommended that people change their passwords every 90 days. That’s actually good advice for creating passwords that are hard to crack but, unfortunately, it’s also great advice for creating passwords that are hard to remember. As a result, his advice was pretty much impossible to implement, when taken together.

But people tried. And pretty quickly — and on Burr’s advice — people started resorting to substituting letters in words or phrases with numbers or symbols, i.e. “Th!sPurpleH0use$$.” However, an alternative “language” developed as people used the same symbols to represent the same letters, like “!” for “I” or “0” for “o.” Hackers are generally not stupid people, so figuring out this new way of writing passwords wasn’t very hard.

"It's probably better to do fairly long passwords that are phrases or something like that that you can remember than to try to get people to do lots of funny characters," Burr told CBS News.

Burr consulted with the National Institute of Standards and Technology to create new password standards for users and websites. The new rules are a major shift from his 2003 advice and include:

1. Removing requirements that passwords be complex

   Instead of a string of uncrackable, difficult to remember words, letters, and symbols, the new NIST guidelines suggest a combination of unrelated words or phrases that are strange, but easy to remember. This eliminates the shortcuts that people were taking to conform to password rules, like making their password “!Password2!”

2. Getting rid of password reset requirements

   Asking users to constantly reset passwords results in lazy passwords as users struggle to create something new that they can remember. Instead of coming up with something totally new, users will just slightly alter their previous password. That means that if someone has their old password, it’s not hard to figure out their new one. The new NIST guidelines do away with this requirements.

3. Always having a “show password while typing” option

   Having a letter or symbol disappear as soon as a user types it leads to a large number of typos — and there’s no way to tell where you messed up. As a result, people create easier to write (and therefore easier to crack) passwords. The new NIST guidelines recommend always having a “show while typing” option so that people feel better about creating longer, safer passwords.

4. Allowing “paste” in passwords

   Some sites don’t allow users to paste passwords into the password field. However, the rise of password managers — which not only store users’ passwords but also help generate secure passwords — makes it possible for people to use and insert truly secure passwords. But if they have to type out those 20 characters correctly? They’re unlikely to get it right.
Share this post