The Man Behind Password Guidelines Says ’50rrY, i g0t iT wR0nG’
Mike Sanders / 7 years ago
I’m sorry, that password is incorrect…
Please choose your password. I’m sorry, please choose a password with a capital letter. Sorry, please use a password with at least 8 characters. I’m sorry, please use a special character in your password. I’m sorry, your details have timed out. Please try again.
Yes, creating a password can be a headache. Even the man who wrote the rules that most of those password forms are based on has finally admitted that it's awful, and he's very, very 50rry.
Bill Burr, the man who created all this chaos
In 2003 Bill Burr was your average kind of guy. He had a steady job in security and all was well. Then one fateful day the US National Institute of Standards and Technology (NIST) approached him. They were concerned that there were no real rules regarding passwords for anyone to follow and asked if he would be interested in writing some.
Little did Bill Burr know how his advice would lead to misery throughout the world!
“They don’t pick good passwords no matter what you do”
In fairness to Bill Burr, he probably didn't fully grasp what he was taking on at the time. I'm not saying that he didn't know about security, he clearly did, but I don't think he understood the nature of the beast he was dealing with: the rules had to be followed by ordinary people, not just security staff.
Speaking via Yahoo News, Bill Burr has said he now regrets: “much of what I did. It just drives people bananas and they don’t pick good passwords no matter what you do.”
If you want to know what are the 25 WORST passwords you could have, check out our article here!
In his original guidelines, Mr Burr suggested that every password should be a minimum of 8 characters, should include at least one uppercase letter, one numeral and one special character (such as an exclamation mark or a bracket) and, most annoyingly, should ideally be changed every 3 months.
Sounds simple, right? No? Well, even Mr Burr agrees these days, saying that it is: "probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree."
Of all of this, the advice Mr Burr singles out for regret is the requirement to change passwords regularly.
He has since said that changing your password regularly has little to no effect on the likelihood of being compromised. It all comes down to picking a quality password in the first instance. The practical problem with forced rotation is well known: people respond with predictable tweaks (Password1 becomes Password2), and those are exactly the variations an attacker tries first. Changing a password after a known breach still makes sense; changing it on a calendar does not.
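To make the contrast concrete, here is a small added example (my own illustration, not code from the article or from NIST). It implements a checker for the 2003-style composition rules described above beside a length-plus-blocklist check in the spirit of the newer advice, and shows why the old rules let obvious passwords through. The 12-character minimum, the seven-entry blocklist and the leet-speak substitution table are all my assumptions for the demo; a real deployment would use a breached-password list with millions of entries.

```python
import math
import re

# Constructed toy blocklist standing in for a breached-password list.
# (Assumption for this example; real lists are orders of magnitude larger.)
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein",
    "welcome", "p@ssw0rd", "password1",
}

# Undo the most common "leet" substitutions so P@ssw0rd is seen as password.
# Source and target strings must be the same length for str.maketrans.
LEET = str.maketrans("@40$31!", "aaoseii")


def meets_2003_rules(pw: str) -> bool:
    """Composition rules the article attributes to the 2003 guidance:
    8+ characters, an uppercase letter, a digit and a special character."""
    return (
        len(pw) >= 8
        and re.search(r"[A-Z]", pw) is not None
        and re.search(r"[0-9]", pw) is not None
        and re.search(r"[^A-Za-z0-9]", pw) is not None
    )


def normalise(pw: str) -> str:
    """Lower-case, drop the trailing digits/punctuation people bolt on to
    satisfy a form, then undo leet substitutions."""
    base = re.sub(r"[^a-z]+$", "", pw.lower())
    return base.translate(LEET)


def is_blocklisted(pw: str) -> bool:
    """True if the password, or its normalised form, is a known-bad choice."""
    return pw.lower() in COMMON_PASSWORDS or normalise(pw) in COMMON_PASSWORDS


def meets_length_rules(pw: str, min_len: int = 12) -> bool:
    """Length-first check in the spirit of the newer advice: no composition
    rules, just a minimum length and a blocklist. min_len is my choice."""
    return len(pw) >= min_len and not is_blocklisted(pw)


def naive_entropy_bits(pw: str) -> float:
    """The textbook estimate len * log2(alphabet size). It is what makes
    P@ssw0rd look strong on paper even though it is a dictionary word."""
    alphabet = 0
    if re.search(r"[a-z]", pw):
        alphabet += 26
    if re.search(r"[A-Z]", pw):
        alphabet += 26
    if re.search(r"[0-9]", pw):
        alphabet += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        alphabet += 33  # printable ASCII punctuation and space
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def is_trivial_rotation(old: str, new: str) -> bool:
    """Detects the Password1 -> Password2 style of 'change' that forced
    90-day rotation tends to produce."""
    return normalise(old) == normalise(new)


def evaluate(pw: str) -> dict:
    """Summarise how a candidate fares under both regimes."""
    return {
        "passes_2003_rules": meets_2003_rules(pw),
        "passes_length_rules": meets_length_rules(pw),
        "blocklisted": is_blocklisted(pw),
        "naive_bits": round(naive_entropy_bits(pw), 1),
    }


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "Password1!", "correct horse battery staple"):
        print(f"{candidate!r}: {evaluate(candidate)}")
    print("rotation Password1! -> Password2! is trivial:",
          is_trivial_rotation("Password1!", "Password2!"))
```

Running it shows the two regimes disagreeing in exactly the way Mr Burr now regrets: "P@ssw0rd" and "Password1!" satisfy every 2003 rule and score over 50 bits on the naive estimate, yet both normalise to a blocklisted word, while the long passphrase fails the 2003 rules (no uppercase, no digit) and passes the length check comfortably.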
How does my password rate?
Only one way to find out. Post it in the comments and we’ll let you know.
On a serious note though, the real message Bill Burr wants to get across is that his guidelines could have been a lot clearer, which in turn would have helped companies make their standards far more achievable. Research suggests that around 70% of the passwords in use are pretty poor. Speaking from personal experience, I detest Apple's password rules. It once took me nearly 20 minutes to set a password, much to the amusement of my colleagues, who found my four-letter tirade against the company quite hilarious.
So the short version is: keep your passwords long, and use a different one for every site. Length does far more for you than a sprinkling of symbols. As for Bill Burr? I forgive him… just.