Your password could be all wrong! Man who wrote rules for password safety now regrets his advice

The man who wrote the bible on safe passwords now says the world should forget everything he said.

Bill Burr advised the use of numbers, non-alphabetic symbols and capital letters as a way to add security in a 2003 publication he authored while working for the US government. But more than a decade later, the 72-year-old retired manager at the National Institute of Standards and Technology admits he was wrong.

The advice to create complicated and hard-to-remember passwords, and to change them every 90 days, came from Burr in “NIST Special Publication 800-63, Appendix A.”

“Much of what I did I now regret,” Burr told the Wall Street Journal.

“It just drives people bananas and they don’t pick good passwords no matter what you do,” he explained, referring to letter, number and symbol combinations like “p@55w0rd” or “football123” which look strong but proved to be far less secure than they appear, since they are predictable tweaks to ordinary words. Users could not remember the complicated strings of characters or had to write them down, exposing them to further security risks.

Frequent password changes were not effective either, because users typically respond with minor “transformations” of the old password, such as replacing the number 1 with a 2. Hackers are not only aware of these subtle tweaks, they have them built into their cracking scripts, along with rules for the digits users like to drop into the middle of words.

Hackers rely on “brute force” attacks, in which computers cycle through candidate passwords until one matches. In practice the cycling starts from lists of common words and the transformation rules above, and only falls back to trying every possible combination of characters once those cheap guesses are exhausted.

“In the end, it was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree,” Burr told the Journal.

Cartoonist Randall Munroe noted a few years back that, following Burr’s guidelines, a password like ‘Tr0ub4dor&3’ could be cracked in about three days, while “CorrectHorseBatteryStaple” could take 550 years. Both figures assume an attacker making 1,000 guesses per second against an online login page; an attacker who has stolen a database of password hashes and cracks it offline can guess many orders of magnitude faster, so the passphrase advice is about raising the floor, not about making a password uncrackable.

“Through 20 years of effort, we’ve successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess,” Munroe wrote.
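The rule-based guessing described above and Munroe’s arithmetic, as an added worked example (this is not code from the article, from NIST or from Munroe): a toy Python rule engine that derives “p@55w0rd” and “football123” from plain dictionary words the way real cracking tools do, the trailing-digit “transformation” users make when forced to rotate, and the guess-count arithmetic behind the three-days-versus-550-years comparison. The five-word dictionary, the substitution table, the 0–999 suffix rule and the 1,000-guesses-per-second rate are constructed assumptions; the per-component bit counts for “Tr0ub4dor&3” are an assumption about Munroe’s tally, which totals 28 bits.

```python
import itertools
import math

# Constructed five-word dictionary standing in for the multi-million-entry
# wordlists real cracking tools are fed.
WORDLIST = ["password", "football", "troubadour", "letmein", "sunshine"]

# Constructed substitution table: the "leet" swaps the 2003-era rules nudged
# users toward. Every cracker ships these same swaps as rules, so they add
# only a few bits to a password built from a dictionary word.
LEET = {
    "a": ["a", "@", "4"], "s": ["s", "5", "$"], "o": ["o", "0"],
    "e": ["e", "3"], "i": ["i", "1", "!"], "t": ["t", "7"],
}


def leet_variants(word):
    """Yield every combination of LEET substitutions for `word`, plain form first."""
    choices = [LEET.get(ch, [ch]) for ch in word]
    for combo in itertools.product(*choices):
        yield "".join(combo)


def mangle(word):
    """Yield the candidates a simple rule engine derives from one dictionary word:
    three capitalisation forms, every leet variant of each, and each of those
    with a 0-999 suffix appended ("password123", "football123", ...)."""
    bases = []
    for base in (word, word.capitalize(), word.upper()):
        if base not in bases:
            bases.append(base)
    for base in bases:
        for variant in leet_variants(base):
            yield variant
            for n in range(1000):
                yield f"{variant}{n}"


def guesses_to_find(target, wordlist=WORDLIST):
    """Number of candidates a dictionary-plus-rules attack tries before it hits
    `target`, or None if these rules never produce it."""
    count = 0
    for word in wordlist:
        for candidate in mangle(word):
            count += 1
            if candidate == target:
                return count
    return None


def increment_trailing_digits(old):
    """The 'transformation' users make under a 90-day rotation rule: bump the
    trailing number (football123 -> football124). Returns None when there is
    no trailing number. A cracker that knows the old password applies the
    same step, so the rotation buys almost nothing."""
    stem = old.rstrip("0123456789")
    digits = old[len(stem):]
    if not digits:
        return None
    return f"{stem}{int(digits) + 1:0{len(digits)}d}"


# Assumed breakdown of Munroe's 28-bit tally for "Tr0ub4dor&3": ~16 bits for an
# uncommon base word, 1 for capitalisation, 3 for the substitutions, 4 for the
# punctuation, 3 for the numeral, 1 for their order.
TROUBADOR_BITS = 16 + 1 + 3 + 4 + 3 + 1   # = 28


def passphrase_bits(n_words, list_size=2048):
    """Entropy of `n_words` words drawn uniformly at random from a list of
    `list_size` common words (2048 words = 11 bits per word)."""
    return n_words * math.log2(list_size)


def crack_time_seconds(bits, guesses_per_second=1000):
    """Time to exhaust a keyspace of `bits` bits at the given guess rate.
    The 1,000 guesses/second default is the online-attack rate Munroe assumed."""
    return 2 ** bits / guesses_per_second


if __name__ == "__main__":
    print("p@55w0rd found after", guesses_to_find("p@55w0rd"), "guesses")
    print("football123 found after", guesses_to_find("football123"), "guesses")
    print("rotated football123 ->", increment_trailing_digits("football123"))
    print(f"Tr0ub4dor&3: {TROUBADOR_BITS} bits, "
          f"{crack_time_seconds(TROUBADOR_BITS) / 86400:.1f} days at 1,000/s")
    print(f"four random words: {passphrase_bits(4):.0f} bits, "
          f"{crack_time_seconds(passphrase_bits(4)) / (365 * 86400):.0f} years at 1,000/s")
```

At 1,000 guesses per second the arithmetic reproduces the comic (about 3.1 days versus about 558 years). The same 44-bit passphrase falls in under half an hour at 10 billion guesses per second, the sort of rate a GPU rig reaches offline against a fast unsalted hash, which is why the new guidance pairs longer passphrases with slow, salted password hashing on the server rather than treating length alone as the fix.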

Burr’s original password guidelines have been updated now by NIST standards-and-technology adviser, Paul Grassi, who found that the existing rules “actually had a negative impact on usability.”

“We ended up starting from scratch,” he said.

Grassi’s advice is to use longer, but easier to remember, “passphrases.”

“Good advice is to make a long but memorable ‘passphrase,’” the new rules state. “String a few words together that you can remember with a visual. ‘Puffineatingbanana’ is easy to remember but would take millions of years for a computer to crack.”

And while Burr regrets his advice and its negative impact, Grassi disagreed.

“He wrote a security document that held up for 10 to 15 years,” he told the Journal. “I only hope to be able to have a document hold up that long.”

Twitter users reacted to Burr’s admission, many of them unsurprised, having already run into the problem themselves.

Frieda Powers
