To keep your personal data secure, it’s important to craft a strong password—and for nearly 15 years, savvy computer users have heeded the counsel of Bill Burr, the man who quite literally wrote the book on password management. Now, The Wall Street Journal reports that Burr has admitted that some of his advice was flawed.
While working as a manager at the National Institute of Standards and Technology (NIST) in 2003, Burr wrote a primer—officially known as “NIST Special Publication 800-63. Appendix A”—that instructed federal workers to create codes using obscure characters, a mix of lowercase and capital letters, and numbers. For security purposes, he also recommended changing passwords on a regular basis. At the time, however, Burr didn’t have a ton of data to rely on, so he ended up using a paper published in the mid-1980s as a primary source for the manual.
Burr’s primer eventually became widely used among federal workers, corporations, websites, and tech companies alike. But in hindsight, experts say that Burr’s directives didn’t actually improve cybersecurity: NIST recently gave his primer a full overhaul and opted to eliminate the now-famous rules about using special characters and switching up codes.
These rules “actually had a negative impact on usability,” Paul Grassi, the NIST standards-and-technology adviser who led Special Publication 800-63’s rewrite, told The Wall Street Journal. They make passwords harder to remember and type, and the people who did change their passwords every 90 days typically made only minor, easy-to-guess alterations.
Plus, research now shows that longer passwords—a series of around four words—are ultimately harder to crack than shorter mixes of letters, symbols, and numbers. (And at the end of the day, computer users ended up paradoxically choosing the same “random” passwords used by millions of others.)
The NIST now recommends long, easy-to-remember passwords (not the “#!%”-filled ones of yesteryear) and for people to switch codes only if they suspect that their existing one has been stolen. In short, it's probably time to change your password—and this time around, you might even have an easier time remembering it.
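To put numbers on the two points above, here is an added illustration (not code from the article, NIST, or the Journal): it estimates the guessing effort for a four-random-word passphrase versus the “word plus a couple of digits and a symbol” pattern the old rules nudged people toward, and it sketches a length-only password check with a compromised-password blocklist instead of character-class rules. The wordlist size, the 8/64-character limits, the guess rate and the blocklist entries are all constructed assumptions for the demonstration.

```python
import math

# Constructed model sizes (assumptions for illustration, not figures from the article):
WORDLIST_SIZE = 7776              # a Diceware-style list of common words
CHARSET_SIZE = 26 + 26 + 10 + 32  # lower, upper, digits, printable symbols

def entropy_bits(choices: int, picks: int) -> float:
    """Entropy of `picks` independent, uniformly random choices from `choices` options."""
    return picks * math.log2(choices)

def passphrase_bits(words: int = 4) -> float:
    """Four random dictionary words, as the article describes."""
    return entropy_bits(WORDLIST_SIZE, words)

def mutated_word_bits() -> float:
    """The pattern the old rules pushed users into: one dictionary word, capitalised,
    plus two digits and one symbol (e.g. 'Summer17!'). Nearly all the bits come from the word."""
    return entropy_bits(WORDLIST_SIZE, 1) + entropy_bits(10, 2) + entropy_bits(32, 1)

def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected years to find the secret at the given offline guess rate,
    assuming on average half the search space must be tried (rate is an assumption)."""
    return (2 ** bits / 2) / guesses_per_second / (365 * 24 * 3600)

# Constructed stand-in for a list of known-compromised passwords (assumption).
KNOWN_COMPROMISED = {"password", "passw0rd!", "summer17!", "qwerty123"}

def check_password(candidate: str, min_len: int = 8, max_len: int = 64) -> list:
    """Length-based policy in the spirit of the revised guidance: no character-class
    rules and no scheduled expiry; reject only what is too short, too long or already leaked.
    Returns the list of reasons for rejection; an empty list means the password is accepted."""
    problems = []
    if len(candidate) < min_len:
        problems.append("too short")
    if len(candidate) > max_len:
        problems.append("too long")
    if candidate.lower() in KNOWN_COMPROMISED:
        problems.append("known compromised")
    return problems

if __name__ == "__main__":
    for name, bits in (("four random words", passphrase_bits()),
                       ("Word + 2 digits + symbol", mutated_word_bits())):
        print(f"{name:25s} {bits:5.1f} bits  ~{years_to_exhaust(bits):.2e} years at 1e10 guesses/s")
    print(check_password("correct horse battery staple"), check_password("Summer17!"))
```

The passphrase comes out near 52 bits against roughly 25 for the mutated word, and a blocklist check catches the reused variant that composition rules would have waved through.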