You’ve probably followed this go-to password strategy countless times online: a letter, number, at least one uppercase letter and a special character.
But the person that helped spread this doctrine is now walking it back, saying it’s largely been ineffective.
“Much of what I did I now regret,” said Bill Burr — not the comedian — told the Wall Street Journal in an interview published Monday. “It just drives people bananas and they don’t pick good passwords no matter what you do.”
The 72-year-old outlined what has become password Gospel while working for the National Institute of Standards and Technology in 2003. Burr suggested the numbers-letters-special character combo in an eight-page manifesto titled “NIST Special Publication 800-63. Appendix A,” and recommended users change their info every 90 days.
Instead of safeguarding accounts, the strategy backfired. The formula became a nuisance to users; they’d make small, negligible changes to their passwords that were easy to guess by hackers. Burr was under pressure to publish something quick, he said, and had little to lean on for research beyond a paper written in the 1980s.
“In the end, it was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree,” said Mr. Burr to WSJ.
Now, NIST is scrapping Burr’s suggestions altogether.
“We ended up starting from scratch,” said Paul Grassi, a standards and tech adiser at NIST.
According to Grassi, the widespread password outline spread by Burr “actually had a negative impact on usability. ” Grassi led a two-year revamp of NIST’s suggestion, and published its updated commandments in June.
The new NIST suggestions strip away the 90-day password time limit and jettison special character requirements. Long but easy-to-remember phrases, rather than funky amalgams of letters and numbers, are the way to go, per NIST.