Aug 08 2017

Password Rule Guru Bill Burr Now Regrets His Advice

In 2003, Burr, then an official working at the National Institute of Standards and Technology, devised guidelines for password security.

That password you came up with that has a special character and capitalized letter in the middle? It's not as secure as you think it is. And Bill Burr is sorry. 

In 2003, Burr served as a midlevel manager at the National Institute of Standards and Technology, and wrote “NIST Special Publication 800-63. Appendix A.”

As The Wall Street Journal reports: "The 8-page primer advised people to protect their accounts by inventing awkward new words rife with obscure characters, capital letters and numbers — and to change them regularly." The guide became the industry template for password security at large companies, universities and federal agencies. Now, Burr says he was wrong on both counts.

“Much of what I did I now regret,” Burr told the Journal. The guidelines told people to change their passwords every 90 days, but most only made minor tweaks instead of coming up with entirely new passwords. And, as The Verge notes, when it comes to special characters and numbers in passwords, “most people tend to use the same exact techniques when crafting these digital combo locks. That results in strings of characters and numbers that hackers could easily predict and algorithms that specifically target those weaknesses.”

NIST has completely revised Burr's rules, according to NIST adviser Paul Grassi, who led the two-year-long redo. The Journal notes that NIST has dropped the password-expiration advice and the requirement for special characters, which Grassi says did little for security and “actually had a negative impact on usability.” The agency, which sets U.S. industrial standards, now recommends long, easy-to-remember phrases as passwords, and says users should only change passwords if there is an indication they may have been stolen, according to the Journal.
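To make the contrast concrete, here is an added illustration (not code from the Journal, NIST or Burr) of why the old composition rules produced predictable passwords: a checker in the 2003 style accepts "Password1!" because it has an uppercase letter, a digit and a symbol, while a length-based check that first strips the usual mangling tricks (trailing digits and symbols, leetspeak substitutions) sees it is just "password". The blocklist and the set of mangling rules are constructed for the example and are assumptions, not something the article specifies.

```python
import re

# Constructed sample blocklist of common base words; a real deployment would
# check against a large list of breached or commonly used passwords.
COMMON_WORDS = {"password", "welcome", "summer", "letmein", "qwerty"}

# Leetspeak substitutions users typically apply to satisfy "special character
# and number" rules. Chosen for the example; not an exhaustive list.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def old_rule_ok(pw: str) -> bool:
    """2003-style composition rule: 8+ chars with upper, lower, digit and symbol."""
    return len(pw) >= 8 and all(
        re.search(p, pw) for p in (r"[A-Z]", r"[a-z]", r"\d", r"[^A-Za-z0-9]")
    )


def normalize(pw: str) -> str:
    """Undo the predictable mangling: drop leading/trailing digits and symbols,
    reverse leetspeak, and lowercase, leaving the underlying base word."""
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", pw)
    return core.translate(LEET).lower()


def new_rule_ok(pw: str, min_len: int = 8, max_len: int = 64) -> bool:
    """Length-based rule: no composition requirements, but reject anything whose
    base word (after normalization) is on the blocklist."""
    if not min_len <= len(pw) <= max_len:
        return False
    return pw.lower() not in COMMON_WORDS and normalize(pw) not in COMMON_WORDS


if __name__ == "__main__":
    for candidate in ("Password1!", "P@ssw0rd", "Summer2017!",
                      "correct horse battery staple"):
        print(f"{candidate!r:34} old={old_rule_ok(candidate)!s:5} "
              f"new={new_rule_ok(candidate)!s:5} base={normalize(candidate)!r}")
```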