The man who wrote the book on password management has a confession to make: He blew it.
Now, thanks to a report in the Wall Street Journal, we know who's responsible for our password frustrations. Bill Burr, now 72, wrote "Appendix A" of the password guidance NIST brought out in 2003, the document that laid down the standard rules for setting passwords. He advised people to change their password every 90 days, and to complicate it by adding capital letters, numbers and symbols. From the sound of his interview with the Journal, the job was simply dumped in his lap: he had asked NIST's computer security experts for a sample of real passwords to use as a case study, but they declined.
That advice, that passwords should be made of irregular capitalisations, numbers and special characters, was widely adopted by everything from banks to government bodies. An O becomes a zero, a 1 becomes an exclamation point, and the result looks like an impossible-to-crack password. It isn't: those substitutions are predictable, and password-cracking tools try them as a matter of course. Meanwhile, as people juggled dozens of complicated and ever-changing passwords, hackers found more sophisticated methods of getting at them.
NIST has now revised the guidance, and the new edition (Special Publication 800-63B, published in 2017) reverses the old rules. "We ended up starting from scratch," said Paul Grassi, a standards and technology adviser at NIST. The old rules did little for security and "actually had a negative impact on usability".
Long, easy-to-remember phrases now get the nod over insane character combinations, says NIST, the federal agency that helps set industrial standards in the U.S. A phrase such as fishchipsmushypeas would be much harder for botnets to guess than a short password littered with special characters, and four random words like "correct horse battery staple" are not only easy to remember but would take computers some 500 years to break. Users should be forced to change passwords only if there is a sign they may have been stolen: the only time admins should force a change now is when there is evidence a password has been breached. These are seen as more secure methods. Password managers, which require the user to remember only one password, are another option.
Now you'll finally be able to throw away that Post-it note that reminds you what your new password is. Here's hoping websites catch on fast.
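To put numbers on the two claims above, the O-to-zero trick adding little and four random words adding a lot, here is an added example (not code from the article, from NIST or from Burr). It enumerates the guesses a rule-based cracker spends on one dictionary word, cracks a "P@ssw0rd!"-style password from a constructed five-word dictionary, compares the cost of exhausting a four-word passphrase drawn from a 2048-word list, and finishes with a verifier-side check in the spirit of the revised NIST advice: a minimum length and a breached-password blocklist, but no composition rules. The wordlist, the blocklist, the 1000-guesses-per-second rate and the reverse leetspeak table are assumptions of this demo.

```python
"""Added example: cost of mangled dictionary words vs. random-word passphrases,
plus a verifier check with a blocklist and no composition rules.
The wordlist, blocklist and guess rate are constructed for the demo."""
import itertools

# Substitutions a rule-based cracker tries on every dictionary word, so
# "password" -> "P@ssw0rd!" is one of a small, enumerable set of spellings.
SUBSTITUTIONS = {"a": "@4", "e": "3", "i": "1!", "l": "1!", "o": "0", "s": "$5", "t": "7"}
SUFFIXES = [""] + list("0123456789!")          # the usual trailing digit or "!"
# Reverse map the verifier uses to undo the same substitutions
# (ambiguous cases such as "1" -> "i" are an assumption of this demo).
UNLEET = str.maketrans("@43!105$7", "aaeiiosst")


def mangled_spellings(word):
    """Every leetspeak spelling of `word`: each substitutable letter kept or swapped."""
    per_char = [(c,) + tuple(SUBSTITUTIONS.get(c, "")) for c in word]
    return ("".join(combo) for combo in itertools.product(*per_char))


def rule_guesses(word):
    """All candidates a mangling-rule attack derives from one dictionary word."""
    for spelling in mangled_spellings(word):
        for cased in (spelling, spelling[:1].upper() + spelling[1:]):
            for suffix in SUFFIXES:
                yield cased + suffix


def rule_keyspace(word):
    """Number of guesses the rules spend on one word (1296 for "password")."""
    return sum(1 for _ in rule_guesses(word))


def crack(target, wordlist):
    """Dictionary-plus-rules attack. Returns (guesses_made, matched candidate or None)."""
    guesses = 0
    for word in wordlist:
        for candidate in rule_guesses(word):
            guesses += 1
            if candidate == target:
                return guesses, candidate
    return guesses, None


def passphrase_keyspace(n_words, list_size):
    """Guesses needed to exhaust n random words drawn from a public list."""
    return list_size ** n_words


def years_to_exhaust(keyspace, guesses_per_second):
    """Wall-clock years to try every candidate at a fixed guess rate."""
    return keyspace / guesses_per_second / (365.25 * 24 * 3600)


def normalize(candidate):
    """Undo case, common suffixes and leetspeak so a disguised word still hits the blocklist."""
    lowered = candidate.lower()
    stripped = lowered.rstrip("0123456789!") or lowered   # keep all-digit values intact
    return stripped.translate(UNLEET)


def check_new_password(candidate, blocklist, min_len=8):
    """Verifier check in the spirit of NIST SP 800-63B: minimum length plus a
    blocklist of known-breached or common values, and no composition rules.
    (Forced rotation is a separate policy: only on evidence of compromise.)"""
    if len(candidate) < min_len:
        return False, "shorter than %d characters" % min_len
    if candidate.lower() in blocklist or normalize(candidate) in blocklist:
        return False, "matches a known-breached or common password"
    return True, "accepted"


# Constructed demo inputs: a toy cracking dictionary and a toy breach blocklist.
WORDLIST = ["monkey", "dragon", "password", "letmein", "football"]
BLOCKLIST = set(WORDLIST) | {"12345678", "qwerty123"}

if __name__ == "__main__":
    n, hit = crack("P@ssw0rd!", WORDLIST)
    print("P@ssw0rd! found after %d guesses: %s" % (n, hit))
    real_dictionary = 100_000 * rule_keyspace("password")   # ~1.3e8 guesses
    print("rules over 100k words at 1000 guesses/s: %.4f years"
          % years_to_exhaust(real_dictionary, 1000))
    print("4 words from a 2048-word list at 1000 guesses/s: %.0f years"
          % years_to_exhaust(passphrase_keyspace(4, 2048), 1000))
    for pw in ("P@ssw0rd!", "correct horse battery staple", "fishchipsmushypeas", "Tr0ub4"):
        print(pw, check_new_password(pw, BLOCKLIST))
```

The rule set is deliberately small, yet it already turns one dictionary word into 1296 guesses, so a 100,000-word dictionary with these rules is exhausted in about a day and a half at a slow 1000 guesses per second, while four words from a 2048-word list take over five centuries at the same rate. The verifier side shows the other half of the advice: the blocklist catches the mangled spelling, the long phrases pass without any symbol or digit requirement, and nothing in the check expires a password on a schedule.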