Typing a password can be a bigger headache than people think, especially for corporate employees who are forced to use complicated, hard-to-remember passwords filled with random numbers and symbols. Today, 14 years after his guidance was published, the man who wrote the rules for a secure password has admitted he was completely mistaken.
The person in question is Bill Burr, who worked for the United States government in 2003, and wrote what would become the “bible” of passwords. The text recommended using uppercase and lowercase letters, non-alphabetic symbols, and numbers in passwords to make them more difficult to crack.
Little did he know that his work would lead websites around the world to force people to use strings like “Joe @” or “Password123” just to meet password requirements, or that corporate IT departments would make employees create a new password every 90 days.
Contrary to what was expected, these rules made systems less secure: users reused the same combination across multiple services, or simply taped a note with the password to the edge of their monitor. Nor does using symbols and numbers make a password more resistant to attacks that try every possible combination for each character of the password.
“I regret much of what I did (…). In the end, things just got trickier for most people, and the truth is that I was pointing to the wrong suspect.”
He added that the recommendation to change passwords regularly was also wrong, since most users change only one letter or number, which does nothing to hinder hackers.
In 2015, a British government agency even advised companies to stop changing their passwords, as the problems this created far outweighed the benefits.
Recently, the original rules guide from the National Institute of Science and Technology of America, which Bill Burr wrote, has been updated and most of the old guidelines eliminated. The recommendation now is that users pick passphrases that are easy to remember, with no need for symbols or numbers. For example, the password “horsecarrotsaddlestable” would take a trillion years for current programs to crack, while “P@55w0rd” would be broken in a minute.
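As an added illustration of the comparison above (not code from the article), this Python snippet estimates brute-force effort for both quoted passwords under a simple per-character model and checks whether a “complex” password is really just a common word with symbol substitutions. The guess rate and the banned-word list are constructed assumptions, so the resulting figures are illustrative rather than the article's.

```python
import math
import string

# Constructed assumptions for illustration: the guessing rate and the
# banned-word list are not figures from the article.
GUESSES_PER_SECOND = 1e10          # assumed offline guessing rate
SECONDS_PER_YEAR = 365.25 * 86400
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i",
                          "0": "o", "5": "s", "$": "s", "7": "t"})
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty"}  # constructed stand-in


def charset_size(password: str) -> int:
    """Character set a brute-force search must cover, inferred from which
    character classes the password actually uses (26+26+10+32 at most)."""
    classes = [(string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
               (string.digits, 10), (string.punctuation, 32)]
    return sum(n for chars, n in classes if any(c in chars for c in password))


def keyspace(password: str) -> int:
    """Candidates an exhaustive per-character search must try. This is an
    upper bound on effort: smarter guessing never needs more than this."""
    return charset_size(password) ** len(password)


def years_to_exhaust(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    return keyspace(password) / rate / SECONDS_PER_YEAR


def disguised_common_word(password: str) -> bool:
    """True when undoing digit/symbol substitutions leaves a banned word,
    i.e. the symbols added no real strength (the article's 'P@55w0rd' case)."""
    return password.lower().translate(LEET_MAP) in COMMON_WORDS


def assess(password: str) -> dict:
    """Summary a password policy checker could act on."""
    return {
        "charset": charset_size(password),
        "bits": round(math.log2(keyspace(password)), 1),
        "years": years_to_exhaust(password),
        "disguised_common_word": disguised_common_word(password),
    }


if __name__ == "__main__":
    for pw in ("P@55w0rd", "horsecarrotsaddlestable"):
        print(pw, assess(pw))
```

The keyspace figure is only an upper bound: the passphrase's real strength also depends on how many words it contains and how common they are, which a per-character model does not capture.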