The father of password rules is sorry for wasting your time

Do you ever wonder why you have to add an uppercase letter or an exclamation point when you create a password? You can thank Bill Burr for that. In 2003, Bill Burr wrote password security guidelines for the National Institute of Standards and Technology (NIST) encouraging users to build passwords from a muddle of letters, numbers and symbols and to change them regularly. Those guidelines became the basis of almost every password policy, and Bill Burr is now apologizing.

Now you tell me!

“Much of what I did I now regret,” Bill Burr admitted to The Wall Street Journal. He had wanted to provide guidelines based on real life data but there wasn’t much empirical data on password security 15 years ago. In the end, Bill Burr had to rely heavily on an outdated whitepaper on computer password security written in the 1980s.

You may want to yell at the man who caused you a great deal of agony in password creation, but in his defense, his advice wasn’t all bad. His complexity rules were supposed to encourage randomness, which would have made a password less predictable. But in reality, humans are bad at coming up with something random, because recognizing and repeating patterns is part of our survival mechanism. As a result, most passwords end up with the same old combinations of letters, numbers and symbols. Troy Hunt analyzed passwords leaked from sources including the Sony and Gawker breaches and concluded that: “truly random passwords are all but non-existent – they’re less than 1% of the data set.”

Hindsight is 20/20

Don’t be too hard on Bill. He didn’t know what we know now – it wasn’t until recently that experts were able to gain access to leaked password data to draw insights from. So what’s wrong with Bill’s advice? Two things:

  • Length, not complexity, is what makes a password strong.
  • Passwords don’t need to be changed regularly. Password expiration has a negative impact on usability – only change your password if it has been stolen or hacked.

NIST has since reversed its recommendations on password complexity and password expiration. This time it has done research on several hundred million exposed passwords to back up the new recommendations. In the new guidelines, NIST advises people to use long passwords made up of easy-to-remember phrases and introduces a requirement to check new passwords against lists of commonly used ones. A password solution can help your organization enforce strong password policies, block common words and support passphrases.
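To make the two points above concrete, here is an added example (not code from the original post or from any vendor) that scores passwords by the guessing work their length and character set imply, and applies a NIST-style check: minimum length plus a blocklist of common passwords, with no complexity rule. The blocklist is a small constructed sample standing in for a real breach-derived list; the trailing-digit normalization that catches variants like Password123 is a labelled heuristic, not a NIST requirement.

```python
import math
import string

# Constructed sample of a "commonly used passwords" list. A real deployment
# would load a large breach-derived list; these entries are illustrative only.
COMMON_PASSWORDS = {
    "123456", "password", "qwerty", "letmein", "password1",
    "welcome", "iloveyou", "admin",
}

# ASCII punctuation (32 characters) plus the space, which passphrases use.
SYMBOLS = string.punctuation + " "


def charset_size(pw: str) -> int:
    """Size of the union of character classes that appear in pw.

    This is the alphabet an attacker must cover if every character were chosen
    uniformly at random from it. Non-ASCII characters are ignored here.
    """
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in SYMBOLS for c in pw):
        size += len(SYMBOLS)
    return size


def brute_force_bits(pw: str) -> float:
    """Upper bound on guessing work in bits: length * log2(charset size).

    It is an upper bound because it assumes truly random characters; human-chosen
    passwords are far more predictable. It still shows that each extra character
    adds more than swapping a letter for a symbol does.
    """
    size = charset_size(pw)
    if size == 0:
        return 0.0
    return len(pw) * math.log2(size)


def looks_common(pw: str) -> bool:
    """True if pw, or pw with trailing digits/symbols stripped, is blocklisted.

    Heuristic (assumption): stripping the trailing digits and symbols catches
    the Password123 / LetMeIn2015 style of variant that complexity rules let
    through, because the base word is still a common password.
    """
    folded = pw.casefold()
    base = folded.rstrip(string.digits + string.punctuation)
    return folded in COMMON_PASSWORDS or base in COMMON_PASSWORDS


def check_password(pw: str, min_length: int = 15) -> tuple[bool, str]:
    """NIST-style acceptance check: blocklist first, then minimum length.

    There is deliberately no requirement for uppercase, digits or symbols.
    """
    if looks_common(pw):
        return False, "matches the common-password blocklist"
    if len(pw) < min_length:
        return False, f"shorter than {min_length} characters"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("Password123", "Tr0ub4d0r&3", "correct horse battery staple"):
        accepted, reason = check_password(candidate)
        print(f"{candidate!r}: {brute_force_bits(candidate):.1f} bits, "
              f"{'accepted' if accepted else 'rejected'} ({reason})")
```

Running the block shows the short, symbol-laden password scoring far below the plain lowercase passphrase, and Password123 being rejected even though it would satisfy a classic complexity rule.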

(Last updated on September 26, 2019)
