The man responsible for the annoying requirement that your passwords include capital letters, random characters and numbers now says he regrets the advice he gave fourteen years ago.
Bill Burr was a manager at the U.S. National Institute of Standards and Technology (NIST) when he authored a guide to protecting computers and digital accounts with what he believed to be hard-to-guess passwords.
Burr recommended adding numbers, capital letters, exclamation marks and other special characters to passwords, advice that was adopted by organizations, companies, government agencies and educational institutions across North America.
But in an interview with The Wall Street Journal, the now-retired Burr said most of his advice was incorrect.
“Much of what I did I now regret,” he said.
Burr said the guidelines first published in 2003 ultimately led people to create passwords that could easily be cracked by hackers, such as Password123!
And, because he also suggested that people change their passwords every 90 days, most made the same, predictable changes, such as substituting one number.
The NIST has rewritten the guidelines, which scrap the special character advice with the recommendation that people use long phrases they can easily remember, but which still can’t easily be guessed by algorithms.
The U.S. federal agency now also says that people should only change their passwords if they think they may have been stolen or if their accounts have been compromised.
