Your password is probably some complicated arrangement of letters, numbers, and punctuation. Well, it doesn’t need to be, and the guy who came up with those rules is sorry.
That guy is Bill Burr, 72, who in 2003 was a midlevel manager at the National Institute of Standards and Technology. Now retired, he was asked back then to come up with a set of guidelines on how to make passwords.
Called “NIST Special Publication 800-63. Appendix A,” it included suggestions such as changing your password every 90 days, and also using a variety of characters. Those guidelines became the cornerstone of a lot of websites, which is why you’re often prompted to increase the complexity of your password.
Burr, however, was wrong. “Much of what I did I now regret,” he told the Wall Street Journal.
The problem was that he didn’t have enough data on what sort of passwords were successful. So his research led him to believe this was the best course of action.
“In the end, it was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree,” he said.
So what should you do? Well, the most secure passwords do not rely on complexity. Instead, length is the best way to make them less easy to hack.
As explained in the XKCD comic below, a password like “Tr0ub4dor&3”, which adheres to Burr’s original guidelines, would take just three days to crack and is hard to remember. Conversely, four random words like “correct horse battery stable” is not only easy to remember, it would take 500 years for computers to break.
What’s more, recent spates of hacking have highlighted that people are not as original as they think. Data leaks from places like Yahoo and LinkedIn have shown that people often opt for fairly similar passwords.
Thankfully, the rules have been changed. In June, a new group at the NIST rewrote the guidelines, which dropped the 90-day expiration advice and also the requirement for special characters. Hopefully these will be adopted in the not too distant future, so that websites can stop asking us for a bunch of random characters.
Basically, strings of words or easy-to-remember phrases are the way forwards. Now go forth and change your passwords. We’ll wait.