Guy Who Wrote the Book on Passwords: I Was Wrong

Bill Burr says using special characters, plus frequent changes, was off base
By John Johnson,  Newser Staff
Posted Aug 8, 2017 7:42 AM CDT
Updated Aug 12, 2017 10:51 AM CDT
Guy Who Wrote the Book on Passwords: I Was Wrong

The security expert who wrote widely accepted advice in 2003 about online passwords—use special characters and change the passwords regularly—now acknowledges that he misfired. "Much of what I did I now regret," Bill Burr, who is 72 and retired from the National Institute of Standards and Technology, tells the Wall Street Journal. About 15 years ago, Burr authored something called the "NIST Special Publication 800-63. Appendix A," which became the standard for federal agencies and many corporations. It urged people to add exclamation points and the like to their passwords and to change them every 90 days or so. Years of research, however, shows that doesn't do much to foil hackers, and the agency's newly updated guide instead encourages a long, easy-to-remember string of words.

What's more, the new advice says people shouldn't change their passwords unless informed of a specific threat of a hack. The story cites a widely circulated cartoon explaining that a password like Tr0ub4dor&3 would take three days to crack, while "correct horse battery staple," written as one word, would take 550 years. Security experts think those calculations are on track. While Burr owns up to his misguided advice, the story cuts him a lot of slack because he wasn't given much data to work with for his 2003 report. Of course, many people these days rely on password managers to generate their various passwords, but the Verge notes that they still must create a tough-to-crack master password. (More passwords stories.)

Get the news faster.
Tap to install our app.
Install the Newser News app
in two easy steps:
1. Tap in your navigation bar.
2. Tap to Add to Home Screen.