Man who created modern password management rules says he was largely mistaken

The newest rules no longer require password time limits or the use of special characters

Most technologically savvy consumers know how important it is to have a strong password, but are our current passwords good enough?

According to the man who pioneered modern password management, probably not. Bill Burr – the man who first came up with the notion of using passwords with new words, obscure characters, capital letters, and numbers – admits that the advice he gave in an 8-page primer on protecting accounts with certain types of passwords was largely incorrect, according to a Wall Street Journal report.

“Much of what I did I now regret,” said Burr of his past work. “In the end, it was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree.”

Short of the mark

Burr’s theories for password management became popular back in 2003 when he released “NIST Special Publication 800-63 Appendix A” as a midlevel manager at the National Institute of Standards and Technology. The document was quickly seen as the go-to guide for creating strong passwords and was adopted by federal agencies, universities, companies, and consumers everywhere.

However, the author says that many of the recommendations in the document have proven to be largely incorrect. For example, Burr says that the recommendation of changing passwords every 90 days is impractical, and that many consumers only make one or two small changes that are easy to guess.

Additionally, he says that the old standby of having a password contain a letter, number, uppercase letter, and special character was largely unnecessary.

New password rules

In June, NIST researchers published a rewrite of Burr’s original rules, a project that took two years to complete. The researchers say that they initially expected that they would only need to do a light edit of Burr’s work, but the team ended up completely starting from scratch and cutting out many outdated password rules.

To start with, they completely dropped the advice on changing passwords every 90 days and ousted the requirement of using special characters. Lead adviser Paul Grassi said that those rules “actually had a negative impact on usability.” He says that long, easy-to-remember passwords are the safest bet for consumers, and that passwords should only be changed if there is any sign that they have been compromised.
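The contrast between the two rule sets, as an added example written for this page (not NIST's code and not from anyone quoted here): the old composition and 90-day rotation rules sit beside the rewritten length-plus-blocklist approach. The eight-character floor is an assumption (the article only says "long"), and the blocklist is a constructed stand-in for a real breached-password corpus.

```python
import re

# Constructed blocklist standing in for a list of commonly used or breached
# passwords; a real deployment would check a breach corpus instead.
BLOCKLIST = {"password", "password1", "p@ssw0rd", "qwerty123", "letmein"}


def _stem(pw: str) -> str:
    """Lowercase and drop digits/symbols, so 'Password1!' reduces to 'password'."""
    return re.sub(r"[^a-z]", "", pw.lower())


def old_policy_accepts(pw: str) -> bool:
    """2003-style composition rules: 8+ chars containing a lowercase letter,
    an uppercase letter, a digit and a special character."""
    return (len(pw) >= 8
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"\d", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def new_policy_accepts(pw: str, min_len: int = 8) -> bool:
    """Rewritten rules: a length floor plus a blocklist check and no
    composition requirement. min_len=8 is an assumption for this example."""
    if len(pw) < min_len:
        return False
    # Check both the literal value and its stem so that tacking a digit and
    # a symbol onto a blocklisted word does not slip through.
    return pw.lower() not in BLOCKLIST and _stem(pw) not in BLOCKLIST


def rotation_required(policy: str, days_since_change: int, compromised: bool) -> bool:
    """Old rule: rotate every 90 days regardless. New rule: rotate only when
    there is a sign the password has been compromised."""
    if policy == "old":
        return compromised or days_since_change >= 90
    if policy == "new":
        return compromised
    raise ValueError(f"unknown policy: {policy}")


def trivial_variant(old_pw: str, new_pw: str) -> bool:
    """Flags the 'one or two small changes' forced rotation tends to produce,
    e.g. 'Summer2017!' -> 'Summer2018!': same stem once digits and symbols go."""
    return _stem(old_pw) == _stem(new_pw)
```

Run it on `Password1!` and `correct horse battery staple`: the first satisfies every 2003 composition rule yet is rejected by the blocklist check, while the long passphrase fails the old rules (no uppercase, no digit) and passes the new ones.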

To Burr’s credit, Grassi says that he is probably being too critical of his advice from 2003, considering that he was under enormous pressure to publish guidance quickly and did not have much information to base his assertions on.

“He wrote a security document that held up for 10 to 15 years,” said Grassi. “I only hope to be able to have a document hold up that long.”
