Password Guru Bill Burr's New Advice: Never Mind

Doris Richards
August 10, 2017

"Much of what I did I now regret", Burr told the Wall Street Journal. When he was working for the National Institute of Standards and Technology and after he created this recommendation guide, it became the sort of sacred text for a lot of federal agencies, schools, and private companies.

Bill Burr was working for the US government when he came up with guidelines in 2003.

Websites have a multitude of password requirements with some needing passwords including upper and lower case letters, while others ask for non-alphanumeric characters such as question marks and percentage signs.

Since its initial release almost fifteen years ago, the NIST advice on passwords has been updated a number of times, most recently in June this year.

Grassi praised the longevity of Burr's guidelines despite their replacement, saying, "I only hope to be able to have a document hold up [10 to 15 years]", the WSJ reported. They were meant for security administrators. "I'm right", she said of the previous rules.

The man responsible for setting the guidelines for complex passwords says he regrets writing the advice, and acknowledged that it "drives people bananas".

Not only did the old password format frustrate users, it wasn't even the best way to keep hackers at bay.
Contrary to what was expected, these combinations made systems less secure: users reused the same combination across multiple services, or simply stuck a note with the password on the edge of their computer screens.

Businesses should heed the new standards, using them to inform their corporate password policies. Or, better yet, get a password manager like LastPass or 1Password and have it come up with those complicated passwords for you - which you can then access with a master password that fits NIST's new guidelines.

The next time you've been forced to reset a password after the umpteenth incorrect guess, clench your fist and shout the name Bill Burr.

So if you're looking to change your password soon, don't pick these. "For things that don't matter so much, maybe not", he said. Not only are hackers aware of the subtle tweaks, they have them built into their password-cracking scripts, such as numbers that appear in the middle of words in a password.

Burr said he prefers phrases from literature. I can't tell you how many sites I simply avoid because even if I follow their insane "include a cap, a number, a character, a lower case letter, and a secret keyboard Easter Egg combo" in at least eight characters.

"There's no ideal answer here".
