Forget Everything You Know About Password Security, As The Man Who Made The Rules Admits He Was Wrong
Netizens have long been forced to follow certain requirements in creating passwords for websites and online accounts, but the man who made these rules has now admitted that he was wrong.
When creating passwords, users are often required to use a certain number of letters and numbers, with letters in both upper and lower case and special characters sprinkled throughout. These guidelines are now being thrown out the window.
Password Guidelines Creator Admits His Mistake
Bill Burr, a former National Institute of Standards and Technology manager, created an eight-page document in 2003 on creating secure passwords. This guide went on to become the basis of the password requirements on all online accounts.
However, in an interview with The Wall Street Journal, the man who created the password guidelines revealed that he wanted to apologize, as he now regrets what he did.
Back in 2003, Burr did not know much about passwords when he created the guidelines, and was not a cybersecurity expert. He based most of his research for the document on a white paper from the 1980s, when the internet was not yet even invented.
"In the end, [the list of guidelines] was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree," Burr said.
The password rules that Burr created, while complicated, did not do much to protect users. This is immortalized in a classic XKCD comic showing that a password made up of four easy-to-remember words is much tougher to crack than a shorter one with special characters.
A password of "correct horse battery staple" would take a computer 550 years to crack, while "Tr0ub4dor&3" would take only three days and is also very hard for the user to remember.
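The arithmetic behind the comic's comparison, as an added illustration that is not part of the original article: entropy in bits for a passphrase is the number of words times log2 of the word list size, and crack time is the size of the guess space divided by the attacker's guess rate. The guess rate of 1,000 per second, the 2,048-word list, and the per-factor choice counts for the "Tr0ub4dor&3" scheme are assumptions made here to reproduce the comic's 44-bit and 28-bit totals; the comic is not the article's own source for these numbers.

```python
import math

# Assumed attacker speed: a slow online attack against a web login.
GUESSES_PER_SECOND = 1_000
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY

# Assumed choice counts an attacker must enumerate for a "Tr0ub4dor&3"-style
# password (common base word, capitalisation, leet substitutions, a digit,
# a symbol, and where the digit/symbol go). The product is 2**28 choices.
SUBSTITUTION_SCHEME_FACTORS = {
    "base word from a common dictionary": 65_536,
    "capitalise first letter or not": 2,
    "common letter substitutions": 8,
    "appended digit": 8,
    "appended symbol": 16,
    "digit/symbol order": 2,
}


def passphrase_entropy_bits(word_list_size: int, num_words: int) -> float:
    """Entropy of num_words words drawn uniformly from word_list_size words.
    The attacker has to guess whole words, so letters inside a word add nothing."""
    return num_words * math.log2(word_list_size)


def scheme_entropy_bits(factors: dict[str, int]) -> float:
    """Entropy of a password built by combining independent choices."""
    return sum(math.log2(count) for count in factors.values())


def crack_time_seconds(entropy_bits: float, guesses_per_second: float) -> float:
    """Worst-case time to exhaust the whole guess space at the given rate."""
    return (2 ** entropy_bits) / guesses_per_second


def describe(seconds: float) -> str:
    """Human-readable duration, using days below one year."""
    if seconds >= SECONDS_PER_YEAR:
        return f"{seconds / SECONDS_PER_YEAR:,.0f} years"
    return f"{seconds / SECONDS_PER_DAY:.1f} days"


def compare() -> dict[str, float]:
    """Entropy and crack time for both schemes; returned so they can be checked."""
    phrase_bits = passphrase_entropy_bits(word_list_size=2_048, num_words=4)
    scheme_bits = scheme_entropy_bits(SUBSTITUTION_SCHEME_FACTORS)
    return {
        "passphrase_bits": phrase_bits,
        "passphrase_years": crack_time_seconds(phrase_bits, GUESSES_PER_SECOND) / SECONDS_PER_YEAR,
        "scheme_bits": scheme_bits,
        "scheme_days": crack_time_seconds(scheme_bits, GUESSES_PER_SECOND) / SECONDS_PER_DAY,
    }


if __name__ == "__main__":
    r = compare()
    print(f"four random words: {r['passphrase_bits']:.0f} bits, "
          f"{describe(r['passphrase_years'] * SECONDS_PER_YEAR)} to exhaust")
    print(f"Tr0ub4dor&3 scheme: {r['scheme_bits']:.0f} bits, "
          f"{describe(r['scheme_days'] * SECONDS_PER_DAY)} to exhaust")
```

Run stand-alone it prints roughly 557 years against about 3.1 days, which rounds to the comic's "550 years" and "three days". The point a defender should take from it: length measured in independent choices beats visible complexity, and a substitution pattern that attackers already enumerate adds only a few bits.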
Forget Everything You Know About Secure Passwords
What most users know about secure passwords comes from the guidelines that websites enforce, which use the rules that Burr drafted more than a decade ago. These users should now forget everything they know about password security, as Burr's admission and the available evidence show that these guidelines are simply wrong.
Thankfully, NIST is currently revamping the guidelines. Under the finalized rules, IT departments should require users to change passwords only in the event of a data breach, and long phrases are recommended over short but complicated passwords.
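The two changes described above, expressed as policy checks, as an added example that is not the article's or NIST's own code: a legacy composition-rule policy beside a length-based one that accepts a long phrase, and a legacy calendar-based rotation rule beside one that asks for a change only when the stored credential hash turns up in breach data. The minimum and maximum lengths, the 90-day legacy interval, and the breached-hash set are assumptions constructed for this example, not figures from the article.

```python
import hashlib
import string
from datetime import date

# Constructed stand-in for a breach feed: SHA-1 of credentials known to be
# exposed. Real feeds are large; these three entries are made up for the example.
BREACHED_HASHES = {
    hashlib.sha1(p.encode("utf-8")).hexdigest()
    for p in ("password1", "Tr0ub4dor&3", "Summer2017!")
}


def credential_hash(password: str) -> str:
    """Hash used only to compare against the breach feed, never for storage."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def legacy_policy(password: str) -> tuple[bool, str]:
    """Composition rules of the kind the article says are being dropped."""
    checks = {
        "at least 8 characters": len(password) >= 8,
        "an upper-case letter": any(c.isupper() for c in password),
        "a lower-case letter": any(c.islower() for c in password),
        "a digit": any(c.isdigit() for c in password),
        "a special character": any(c in string.punctuation for c in password),
    }
    failed = [name for name, ok in checks.items() if not ok]
    return (not failed, "ok" if not failed else "missing " + ", ".join(failed))


def revised_policy(password: str, min_length: int = 8, max_length: int = 64) -> tuple[bool, str]:
    """Length only, no composition rules, so a spaced phrase passes.
    The bounds are assumed values for this example."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    if len(password) > max_length:
        return False, f"longer than {max_length} characters"
    return True, "ok"


def legacy_rotation_due(last_changed: date, today: date, max_age_days: int = 90) -> bool:
    """Calendar-driven rotation: change once the password is older than max_age_days."""
    return (today - last_changed).days > max_age_days


def revised_rotation_due(password: str, breached_hashes: set[str] = BREACHED_HASHES) -> bool:
    """Event-driven rotation: change only when the credential appears in breach data."""
    return credential_hash(password) in breached_hashes


if __name__ == "__main__":
    for pw in ("correct horse battery staple", "Tr0ub4dor&3"):
        print(f"{pw!r}: legacy={legacy_policy(pw)} revised={revised_policy(pw)} "
              f"rotate_on_breach={revised_rotation_due(pw)}")
    print("legacy rotation due:", legacy_rotation_due(date(2017, 1, 1), date(2017, 8, 10)))
```

Run as a script it shows the phrase failing the legacy rules while the leet password passes them, the revised length rule accepting both, and rotation being demanded only for the credential that appears in the breach set. The design choice worth noting is that the revised rotation rule keys on an event a defender can observe rather than on a date.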
Users should probably now think of new passwords to replace the ones they use for their online accounts, at least on the accounts that will accept a long passphrase.