Password Guru Bill Burr's New Advice: Never Mind

Password Guru Bill Burr's New Advice: Never Mind

It turns out, the guy who invented those password rules nearly 15 years ago now admits he got it all wrong.

"Much of what I did I now regret", he said.

In June, the NIST released new guidelines, which don't call for "special characters" or changing passwords frequently anymore. In an 8-page guide, he decreed that passwords should be made from odd mixes of capital and lowercase letters, numbers, and symbols, and that they should be changed regularly. Moreover, the advice was that people should use words or phrases they could easily remember, but interlaced with symbols and numbers with shapes similar to letters.

But in an interview with The Wall Street Journal, the now-retired Burr said most of his advice was incorrect.

String a few words together: Choosing a longer password does not mean you must make use of a word that has more characters. NIST now wants sites and companies to forgo requiring people to change their passwords periodically, which makes sense since a study from Carleton University revealed that this is a pretty useless tactic.

Used a dictionary to prevent subscribers from including common words and prevented permutations of the username as a password. Burr was under pressure to publish something quick, he said, and had little to lean on for research beyond a paper written in the 1980s.

More news: Amazon Acquires Lucy and Desi With Cate Blanchett Set to Star

We've all spent time staring at our keyboards, trying to think of yet another password containing a mix of upper and lowercase letters along with at least one number or special character.

Instead, he recommends using a password management software such as Password Safe (, which will both generate and store very secure passwords for you.

Rather than a password, you're better off dreaming up a passphrase - even "PasswordIsATerriblePassword" is still a stronger password than "p@ssw0rd1". He also advised they be reset every 90 days. Of course, following the AARP's advice might also lead to people getting locked out of accounts after failed password attempts during which they enter old passwords - the frustration of which may also ultimately cause them to undermine security with weaker, reused passwords.

A far better approach than telling people to use complex passwords, is to advise them to classify the systems to which they need to secure access.

If hackers want to steal your passwords, they have more sophisticated methods than just guessing.

Bill Burr, the man who made your bank have you change your password every month, says he's sorry.

Related Articles