The father of password rules is sorry for wasting your time

(Last updated on September 26, 2019)

Do you ever wonder why you have to add an uppercase letter or an exclamation point when you create a password? You can thank Bill Burr for that. In 2003, Bill Burr wrote password security guidelines for the National Institute of Standards and Technology (NIST) encouraging users to formulate passwords muddled with complicated letters, numbers and symbols, and to change them regularly. Those guidelines became the basis of almost every password policy, and Bill Burr is now apologizing.

Now you tell me!

“Much of what I did I now regret,” Bill Burr admitted to The Wall Street Journal. He had wanted to provide guidelines based on real life data but there wasn’t much empirical data on password security 15 years ago. In the end, Bill Burr had to rely heavily on an outdated whitepaper on computer password security written in the 1980s.

You may want to yell at the man who caused you a great deal of agony in password creation, but in his defense, his advice wasn’t all bad. His complexity rules were supposed to encourage randomness, which would have made a password less predictable. But in reality, humans are bad at coming up with something random, because recognizing and following patterns is part of our survival mechanism. As a result, most passwords end up with the same old combinations of letters, numbers and symbols. Troy Hunt analyzed passwords leaked from sources including the Sony and Gawker breaches and concluded that: “truly random passwords are all but non-existent – they’re less than 1% of the data set.”

Hindsight is 20/20

Don’t be too hard on Bill. He didn’t know what we do now – it wasn’t until recently that the experts were able to gain access to leaked password data to draw insights from. So what’s wrong with Bill’s advice? Two things:

  • Length makes a password strong, not complexity. Here’s why.
  • Passwords don’t need to be changed regularly. Password expiration has a negative impact on usability – only change your password if it has been stolen or hacked.

NIST has since reversed their recommendations on password complexity and password expiration. This time they have done research on several hundred million exposed passwords to back up their new recommendations. In the new guidelines, they advise people to use long passwords made up of easy-to-remember phrases and introduced a requirement to check against commonly used passwords. A password solution can help your organization enforce strong password policies, block common words and support passphrases.
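To make the two policies concrete, here is an added example (not code from the original post, NIST, or any product mentioned above) that implements a 2003-style composition check beside a NIST-style check: a minimum length, a generous maximum length, Unicode normalization, and a lookup against a list of exposed passwords. The exposed-password list is a tiny constructed stand-in for the hundreds of millions of leaked passwords the text mentions; it is indexed by SHA-1 prefix so the lookup never needs the cleartext, the same idea used by range-query breach APIs. The `entropy_bits` helper is a textbook length-times-alphabet estimate, assumed here to illustrate why length outweighs complexity.

```python
import hashlib
import math
import re
import unicodedata

# Constructed sample of exposed passwords (stands in for a real breach corpus).
COMMON_PASSWORDS = [
    "password", "123456", "qwerty", "P@ssw0rd!", "Password1!", "Welcome1!",
    "letmein", "Summer2019!", "admin123", "iloveyou",
]


def _sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Index exposed passwords by the first 5 hex chars of their SHA-1 digest, so a
# check only ever compares hashes (a range-query style lookup, done offline here).
BREACH_INDEX: dict[str, set[str]] = {}
for _pw in COMMON_PASSWORDS:
    _digest = _sha1_hex(_pw)
    BREACH_INDEX.setdefault(_digest[:5], set()).add(_digest[5:])


def is_breached(password: str) -> bool:
    """True if the password's hash appears in the exposed-password index."""
    digest = _sha1_hex(password)
    return digest[5:] in BREACH_INDEX.get(digest[:5], set())


def legacy_policy(password: str) -> list[str]:
    """2003-style composition rules: 8+ chars with upper, lower, digit, symbol.

    Returns a list of violations (empty list means the password is accepted).
    """
    problems = []
    if len(password) < 8:
        problems.append("fewer than 8 characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9\s]", password):
        problems.append("no symbol")
    return problems


def nist_policy(password: str, min_len: int = 8, max_len: int = 64) -> list[str]:
    """NIST-style check: length bounds plus an exposed-password blocklist.

    No composition rules and no expiration; passphrases with spaces are fine.
    Unicode is normalized (NFKC) so visually identical input compares equal.
    """
    normalized = unicodedata.normalize("NFKC", password)
    problems = []
    if len(normalized) < min_len:
        problems.append(f"fewer than {min_len} characters")
    if len(normalized) > max_len:
        problems.append(f"more than {max_len} characters")
    if is_breached(normalized):
        problems.append("appears in the exposed-password list")
    return problems


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of guessing entropy for a uniformly random string (length * log2(alphabet))."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for candidate in ["P@ssw0rd!", "correct horse battery staple"]:
        print(f"{candidate!r}: legacy={legacy_policy(candidate)} nist={nist_policy(candidate)}")
    # Length versus complexity: 16 lowercase letters beat 8 characters drawn from
    # all 95 printable ASCII symbols, even before accounting for human patterns.
    print(f"8 chars, 95 symbols: {entropy_bits(8, 95):.1f} bits")
    print(f"16 chars, 26 symbols: {entropy_bits(16, 26):.1f} bits")
```

Running it shows the reversal the post describes: `P@ssw0rd!` satisfies every 2003-style rule yet is rejected by the blocklist, while a four-word passphrase fails three composition rules and passes the NIST-style check. In production the constructed list would be replaced by a real exposed-password corpus or a range-query breach API, and the length estimate should be read as an upper bound, since human-chosen strings are far from uniformly random.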
