Pittsburgh Post-Gazette

Password fancies

Once again, expert advice proves to be way wrong


In 2003, a mid-level manager at the National Institute of Standards and Technology named Bill Burr created a template for generating what he insisted would be nearly impossible-to-break computer passwords.

The formula that millions of computer users adopted resulted in cumbersome and unwieldy passwords, but it was that unwieldiness that was supposed to make access to the data so much more difficult.

Mr. Burr was a big proponent of awkward words featuring a random letter, a number, at least one uppercase letter and a special character like an exclamation point or a dollar sign in the mix that would require hitting the shift key. He believed a password of this complexity would be enough to frustrate ever-inventive hackers and protect personal and company data from theft or snooping, especially if the password was also changed every 90 days.

It was annoying, but federal agencies and many companies compelled their employees to follow the protocol because they believed it would protect their data. Millions of people accessed their personal computers the same way. It has become the status quo everywhere.

Recently, Mr. Burr, who is 72, did something that many who have achieved his fame and notoriety refuse to do:

He admitted he was wrong — and that his formula for a hack-free existence was often counterproductive.

NIST has revised Mr. Burr’s guidelines and now recommends that users drop the password expiration element and not worry about swapping a password out every 90 days, unless there has been evidence of a security breach. It also recommends eliminating the special-character requirement.

Instead of using awkward words, NIST now recommends using easy-to-remember phrases consisting of at least four words written as one word. Holding on to at least one uppercase letter and one number wouldn’t hurt, but isn’t mandatory.
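To make the contrast concrete, here is an added illustration (not from the editorial, and not NIST’s own text or code) of the two policies as password checks. The 8-character and 15-character minimums, the 90-day cutoff as an age in days, and the breach-list check are assumptions about how each policy would be enforced; the breach list itself is a constructed sample.

```python
import re

# Constructed sample of a leaked-password list; a real deployment would
# check against a much larger breach corpus.
BREACHED = {"password", "123456", "qwerty", "letmein", "p@ssw0rd"}


def old_policy(pw, age_days):
    """The 2003-style composition rules the editorial describes: mixed case,
    a digit, a special character, and a forced change every 90 days.
    Returns (accepted, reasons_for_rejection)."""
    reasons = []
    if len(pw) < 8:  # 8-character floor is an assumption
        reasons.append("shorter than 8 characters")
    if not re.search(r"[A-Z]", pw):
        reasons.append("no uppercase letter")
    if not re.search(r"[a-z]", pw):
        reasons.append("no lowercase letter")
    if not re.search(r"[0-9]", pw):
        reasons.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", pw):
        reasons.append("no special character")
    if age_days > 90:
        reasons.append("older than 90 days")
    return (not reasons, reasons)


def new_policy(pw, breached=BREACHED, min_len=15):
    """The revised approach the editorial describes: a long, memorable
    passphrase, no mandatory special characters, no scheduled expiry.
    The 15-character floor (standing in for 'at least four words') and the
    breach-list check are assumptions, not wording from the guidelines."""
    reasons = []
    if len(pw) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if pw.lower() in breached:
        reasons.append("appears in a known breach list")
    return (not reasons, reasons)


if __name__ == "__main__":
    # "P@ssw0rd" satisfies every old rule yet sits in the breach list;
    # the four-word phrase fails the old rules yet passes the new ones.
    for pw in ["P@ssw0rd", "correcthorsebatterystaple"]:
        print(pw, "old:", old_policy(pw, 0), "new:", new_policy(pw))
```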

Mr. Burr based his original guidelines on a very small set of data and a white paper written in the mid-1980s. It was state-of-the-art information at the time, but it didn’t reflect what millions of online users would do once the floodgates opened in the 1990s and 2000s.

Because hackers post hundreds of millions of stolen passwords online, NIST can see what tools hackers use to steal this information and how. Mr. Burr’s previous advice, though somewhat effective, wasn’t the ultimate deterrent to hackers he hoped it would be. The unwieldiness of the process caused people to make mistakes that compromised their security.

Mr. Burr looked at the data and learned from his mistake. We can learn from his humility and finally do something unprecedented until now — make memorable passwords that work.
