The Guy Who Invented Those Annoying Password Rules Now Regrets Wasting Your Time
We’ve all been forced to do it: create a password with at least so many characters, so many numbers, so many special characters, and maybe an uppercase letter. Guess what? The guy who invented these standards nearly 15 years ago now admits that they’re basically useless. He is also very sorry.
The man in question is Bill Burr, a former manager at the National Institute of Standards and Technology (NIST). In 2003, Burr drafted an eight-page guide on how to create secure passwords creatively called the “NIST Special Publication 800-63. Appendix A.” This became the document that would go on to more or less dictate password requirements on everything from email accounts to login pages to your online banking portal. All those rules about using uppercase letters and special characters and numbers—those are all because of Bill.
The only problem is that Bill Burr didn’t really know much about how passwords worked back in 2003, when he wrote the manual. He certainly wasn’t a security expert. And now the retired 72-year-old bureaucrat wants to apologize.
“Much of what I did I now regret,” Bill Burr told The Wall Street Journal recently, admitting that his research into passwords mostly came from a white paper written in the 1980s, well before the web was even invented. “In the end, [the list of guidelines] was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree.”
Bill is not wrong. Simple math shows that a shorter password with wacky characters is much easier to crack than a long string of easy-to-remember words. This classic XKCD comic shows how four simple words create a passphrase that would take a computer 550 years to guess, while a nonsensical string of random characters would take approximately three days:
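To see the arithmetic behind that comparison, here is a worked example in Python (added here; it is not code from the article, from XKCD, or from NIST). It treats a password as a set of independent choices, adds up the bits of each choice, and converts the resulting keyspace into the time an attacker would need to try every candidate. The component counts for the “word with substitutions” style password, the 2,048-word list for the passphrase, and the 1,000-guesses-per-second rate are illustrative assumptions chosen to mirror the kind of accounting the comic does; change them and the numbers change.

```python
"""Entropy accounting for password policies.

Added example, not from the article, the comic, or NIST. All choice
counts and the guess rate below are assumptions for illustration.
"""
import math
from typing import Dict

# Assumed attacker rate: 1,000 guesses/second, a plausible online attack
# against a service that rate-limits login attempts.
ASSUMED_GUESSES_PER_SECOND = 1_000

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY


def pattern_entropy_bits(components: Dict[str, int]) -> float:
    """Entropy of a password built from independent choices.

    Each value is how many equally likely options the user picks from for
    that component. Because the choices are independent, bits simply add.
    """
    return sum(math.log2(n) for n in components.values())


def passphrase_entropy_bits(wordlist_size: int, words: int) -> float:
    """Entropy of `words` words drawn uniformly at random from a list."""
    return words * math.log2(wordlist_size)


def seconds_to_exhaust(bits: float,
                       guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Time to try every one of the 2**bits candidates at the given rate."""
    return 2.0 ** bits / guesses_per_second


def bits_needed(years: float, guesses_per_second: float) -> float:
    """Entropy required so that exhaustive search takes at least `years`."""
    return math.log2(years * SECONDS_PER_YEAR * guesses_per_second)


# Assumed model of a "complexity rule" password: a word from a 65,536-word
# dictionary, an optional capital, one of 8 common letter-for-symbol
# substitutions, one trailing digit, one of 16 punctuation marks, and the
# order of the last two. An attacker who knows the pattern only has to
# enumerate these choices, not every possible 11-character string.
COMPLEXITY_RULE_PASSWORD = {
    "base word": 65_536,
    "capitalise first letter?": 2,
    "substitution pattern": 8,
    "trailing digit": 10,
    "punctuation mark": 16,
    "digit/punctuation order": 2,
}

# Four words chosen at random from an assumed 2,048-word list of common words.
PASSPHRASE_WORDS = 4
PASSPHRASE_WORDLIST = 2_048


def compare() -> Dict[str, float]:
    """Bits and exhaustive-search time for both styles at the assumed rate."""
    rule_bits = pattern_entropy_bits(COMPLEXITY_RULE_PASSWORD)
    phrase_bits = passphrase_entropy_bits(PASSPHRASE_WORDLIST, PASSPHRASE_WORDS)
    return {
        "rule_bits": rule_bits,
        "rule_days": seconds_to_exhaust(rule_bits) / SECONDS_PER_DAY,
        "phrase_bits": phrase_bits,
        "phrase_years": seconds_to_exhaust(phrase_bits) / SECONDS_PER_YEAR,
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:>13}: {value:,.1f}")
    print(f"bits to survive 1 year at 1e10/s offline: "
          f"{bits_needed(1, 1e10):.1f}")
```

Under these assumptions the substitution-style password comes to about 28 bits (a few days of guessing), while four random common words come to 44 bits (several centuries), which is the gap the comic illustrates. The `bits_needed` helper turns the question around for a defender: pick the guess rate you expect an attacker to achieve against your password hashes, decide how long the password must hold up, and it tells you how much entropy the policy has to deliver.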
I have often used a password that is three letters (a personal acronym), three numbers (my lucky number based on numerology, adding up the sum of your birth dates, etc.), and then two more letters I randomly chose.
Most of the sites I have used it on categorize it as a "strong" password, and I have never had a problem.
My passwords are generally romanized words from a language that doesn't use our alphabet. Then I spell them wrong anyway. The words are easy for me to remember but have no real connection to me at all. I do get amused when some jackwagon internet site that I visit to get O&M manuals for equipment no one cares about, by people in my business, and those files are free anyway, requires me to create an account using a password with at least 8 characters including a number, capital letter and punctuation mark. Now I have to add it to a file I keep so I can remember what I did...
There are a few places where I can enter a 12 character password and be told it's too long to use...
Then there's the other BS rule that you've got to change your password every 3 months. That's another one that forces people to write down their credentials, which defeats a good deal of the whole premise in the first place...
My brother used to use the password bbbbbbbb as his password at work. Every 3 months he would add to or subtract from the number of Bs...
Personally, I could kill him. I can't remember all this stuff! My hard drive is full!!!
I also have a password that is nothing but two common words that no one would ever associate with each other. That one is also rated "strong".
I use someone's initials and their phone number. It always comes up as Strong-- and that way, I get to feel like I've called them. (These are phone numbers from when I was a kid-- they're all dead now...)