Password guru who told the world to make them complicated admits: I got it completely wrong

Bill Burr wrote the password 'bible' - but has now admitted his guidance actually made things worse

It has become the bane of many office workers’ existences: being forced to use complicated and difficult-to-remember passwords laden with random numbers and symbols.

But the man who originally came up with the rules on safe passwords has admitted that his guidance was totally wrong, 14 years after it was first published.

Bill Burr wrote what has become the “bible” on password security in 2003 while working for the US Government. It advised using capital letters, numbers and non-alphabetic symbols in passwords, in the belief that they would be more difficult to guess.

His work is now responsible for offices and websites forcing people to adopt tortuous phrases such as “P@55w0rd” or “Football123” to satisfy password forms, as well as IT departments demanding that workers create a new one every 90 days.

But instead of improving security, the rules actually made computer systems less secure, since users would end up reusing the same password across accounts, or writing their passwords down on post-it notes attached to their screens.

Nor did the introduction of numbers and symbols make passwords much less vulnerable to “brute force” cyber attacks, in which a computer cycles through every possible combination of characters, or through a dictionary of common words and the predictable substitutions people make to them, until it guesses the password.

“Much of what I did I now regret,” Burr, who is now retired, told the Wall Street Journal. “In the end, it was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree.”

He added that the advice to regularly change passwords was mistaken, since most people end up altering one character, such as changing from “username1” to “username2”, which does little to stop hackers.

In 2015, GCHQ advised companies to stop resetting passwords, saying the inconvenience it created outweighed any limited security benefits.

The original password guidelines from America’s National Institute of Standards and Technology (NIST) written by Burr have recently been updated to do away with the old rules.

They now advise that people use long but easy-to-remember “passphrases”, a sequence of words that do not need to feature special characters or numbers. Using “horsecarrotsaddlestable” would take one trillion years for a botnet cyber attack to crack, compared to one minute for “P@55w0rd”. 
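The two cracking figures above come from very different attacker models, and the gap is easier to see in code. The example below is added here and is not part of the original article: it estimates the per-character brute-force search space the article describes, then runs a small rule-based dictionary attack (case changes, leet-style substitutions, common suffixes) of the kind cracking tools use. The guess rate, the word list and the substitution table are constructed assumptions, not figures from the article.

```python
"""Brute force versus rule-based guessing for 'P@55w0rd' and a passphrase.

Added example, not code from the original article. The guess rate, the
word list and the substitution rules below are constructed assumptions.
"""
import itertools
import string

# Assumed attacker speed: 1e10 guesses per second (a constructed figure for
# a botnet or GPU rig; real rates depend heavily on the hash algorithm).
GUESSES_PER_SECOND = 10**10
SECONDS_PER_YEAR = 365 * 24 * 3600

# Constructed mini word list standing in for the multi-million-entry
# dictionaries that real cracking tools ship with.
WORDLIST = ["password", "football", "letmein", "welcome", "dragon"]

# Common character substitutions that cracking tools apply as "rules".
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "5"}


def charset_size(password: str) -> int:
    """Size of the union of the conventional character classes that appear
    in the password, which is what a naive per-character brute force must
    cover (26 lower, 26 upper, 10 digits, 32 punctuation)."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32
    return size


def brute_force_years(password: str) -> float:
    """Years to exhaust every string of this length over its character set:
    the 'cycle through every combination' attack described in the article."""
    combos = charset_size(password) ** len(password)
    return combos / GUESSES_PER_SECOND / SECONDS_PER_YEAR


def mangle(word: str):
    """Yield the variants a rule-based attack derives from one dictionary
    word: three case forms, times every subset of leet substitutions, each
    with and without a few common suffixes. Order is deterministic."""
    positions = [i for i, c in enumerate(word) if c in LEET]
    for base in (word, word.capitalize(), word.upper()):
        for k in range(len(positions) + 1):
            for subset in itertools.combinations(positions, k):
                chars = list(base)
                for i in subset:
                    chars[i] = LEET[base[i].lower()]
                candidate = "".join(chars)
                yield candidate
                for suffix in ("1", "123", "!"):
                    yield candidate + suffix


def rule_attack_guesses(target: str, wordlist=WORDLIST):
    """Number of guesses a rule-based dictionary attack needs before it hits
    target, or None if target is not derivable from the word list."""
    count = 0
    for word in wordlist:
        for candidate in mangle(word):
            count += 1
            if candidate == target:
                return count
    return None


if __name__ == "__main__":
    for pw in ("P@55w0rd", "Football123", "horsecarrotsaddlestable"):
        guesses = rule_attack_guesses(pw)
        print(f"{pw!r}: charset {charset_size(pw)}, "
              f"naive brute force {brute_force_years(pw):.3g} years, "
              f"rule-based attack: {guesses if guesses else 'not found'} guesses")
```

Two things the numbers show. A naive per-character brute force of “P@55w0rd” already fits inside a week at the assumed rate, and a rule-based attack finds it in about a hundred guesses because it is a dictionary word with the substitutions everyone uses; the symbols bought almost nothing. The passphrase sits beyond a trillion years of per-character brute force only because the attacker is assumed to have no better model; if the words are known to come from a short list, the search space collapses to list size to the power of the word count, so the words should be chosen at random from a large list rather than assembled from a theme.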
