Author Of 2003 National Password Guidance Expresses Regrets


When creating passwords, users are often required to include a certain number of letters and numbers, with the letters in both upper and lower case and special characters sprinkled throughout.

Bill Burr advised the use of numbers, non-alphabetic symbols and capital letters as a way to provide added security in a 2003 publication he authored while working for the U.S. government. Security best-practice guidelines going back more than a decade have recommended resetting passwords every 90 days and creating cryptic strings of characters, rather than easy-to-remember words, as the ideal password strategy. He says that long, easy-to-remember passwords are the safest bet for consumers, and that passwords should only be changed if there is any sign that they have been compromised.

In June, NIST researchers published a rewrite of Burr's original rules, a project that took two years to complete.

The system actually ended up making things less secure as people had to write down their passwords to remember them - and many people only altered one character when changing their password, which didn't stop hackers.

Experts now believe long passwords that contain perhaps four words are much harder to break than shorter ones with a mix of letters, characters and numbers.

The insights came in a Monday interview with Burr, a former employee of the National Institute of Standards and Technology (NIST), conducted by the Wall Street Journal.

Research from security firm SplashData, for example, has previously shown that the world's most common passwords are "123456", closely followed by "password".

"Much of what I did I now regret," Burr said to The Wall Street Journal. So he turned to a white paper from the 1980s. Forgotten the incredibly complex password you've refreshed so regularly you've run out of pets, birthdays and meaningful number combinations?

Not only did the old password format frustrate users, it wasn't even the best way to keep hackers at bay. It's not hard to imagine that such a scenario will lead to passwords being reused, modified only in part (e.g., the password after josephsteinberg1 becomes josephsteinberg2), or written down. Another study from Carleton University said frequent changes are more inconvenient than helpful. He also advised they be reset every 90 days.
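To make the two points above concrete, here is an added example (not code from the article or from NIST): it compares the entropy of a word-based passphrase with that of a short "complex" password under uniform random selection, which human-chosen complex passwords rarely achieve, and it implements the defender-side check that catches the josephsteinberg1-to-josephsteinberg2 rotation the article describes. The 7776-word list size, the 94-character set and the two-entry breached list are constructed assumptions.

```python
import math

# Constructed assumptions, not figures from the article: a Diceware-style
# list of 7776 words, and the 94 printable ASCII characters.
WORDLIST_SIZE = 7776
PRINTABLE_ASCII = 94

def passphrase_entropy_bits(num_words, wordlist_size=WORDLIST_SIZE):
    """Bits of entropy when each word is drawn uniformly from the list."""
    return num_words * math.log2(wordlist_size)

def charset_entropy_bits(length, charset_size=PRINTABLE_ASCII):
    """Bits of entropy when each character is drawn uniformly from the set."""
    return length * math.log2(charset_size)

def _strip_trailing_counter(pw):
    return pw.rstrip("0123456789")

def is_trivial_rotation(old, new):
    """True when `new` is `old` with only a trailing counter changed or
    appended (josephsteinberg1 -> josephsteinberg2, password -> password1),
    the pattern the article blames on forced 90-day resets."""
    old_stem, new_stem = _strip_trailing_counter(old), _strip_trailing_counter(new)
    if not old_stem or not new_stem:        # all-digit passwords: compare whole
        return old == new
    return old_stem.lower() == new_stem.lower()

# Constructed stand-in for a breached-password corpus (the two most common
# passwords the article cites); a real check would use a full corpus.
KNOWN_BAD = {"123456", "password"}

def accept_password_change(old, new):
    """Defender-side policy: reject known-bad values and trivial rotations,
    otherwise accept without character-class rules or forced expiry."""
    if new.lower() in KNOWN_BAD:
        return False, "appears in breached-password list"
    if is_trivial_rotation(old, new):
        return False, "unchanged or only the trailing counter changed"
    return True, "ok"

if __name__ == "__main__":
    print(f"4 words: {passphrase_entropy_bits(4):.1f} bits, "
          f"8 random chars: {charset_entropy_bits(8):.1f} bits, "
          f"5 words: {passphrase_entropy_bits(5):.1f} bits")
    print(accept_password_change("josephsteinberg1", "josephsteinberg2"))
```

Four random words land in the same range as eight truly random printable characters; the gain is that a memorable fifth word pushes past it, whereas users asked for eight random characters tend to write them down or rotate a counter instead.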

It seems like whenever there is a major data breach reported in the news, "experts" quoted all over the media advise people to change their passwords.
