It has become the bane of many office workers’ existences: being forced to use complicated and
difficult-to- remember passwords laden with random numbers and symbols.
But the man who originally came up with the rules on safe passwords has admitted that his
guidance was totally wrong, 14 years after it was first published. Bill Burr wrote what has
become the “bible” on password security in 2003 while working for the US government which
advised using capital letters, numbers and non-alphabetic symbols in passwords, in the belief that
they would be more difficult to guess.
Burr is now responsible for offices and websites forcing people to adopt tortuous phrases such as
“P@55w0rd” or “Football123” to satisfy password forms, as well as IT departments demanding that workers create a new one every 90 days. But instead of improving security, the combinations actually made computer systems less secure, since users would end up using the same password repeatedly, or writing them down on post-it notes attached to screens.
Nor did the introduction of numbers and symbols make passwords less vulnerable to “brute force” cyber attacks in which a computer cycles through every possible combination of characters to guess a password.
“Much of what I did I now regret,” Mr Burr, who is now retired, told the ‘Wall Street Journal’. “In the end, it was probably too complicated for a lot of folks to understand, and the truth is, it was barking up the wrong tree.” He added the advice to regularly change passwords was mistaken, since most people end up altering one character, such as changing from “username1” to “username2”, which does little to stop hackers. In 2015, GCHQ advised companies to stop resetting passwords.
The original password guidelines from America’s National Institute for Science and Technology,
written by Mr Burr, have been updated to do away with the old rules. They now advise people
use long but easy-to- remember “passphrases”, a sequence of words that do not need to feature
special characters or numbers. Using “horsecarrotsaddlestable” would take one trillion years for a “botnet” cyber attack to crack, compared to one minute for “P@55w0rd”.