Way back in 2003, Bill Burr wrote a document that set the standards for password creation but Burr has now recanted to claim his recommendations could have actually been wrong. To be clear, the 8-page password advice he created while working in middle management at the National Institute of Standards and Technology is one of the leading reasons many current passwords can be such a pain to remember. That’s down to the resulting guidelines behind the modern requirement that passwords must contain both uppercase and lower case letters, a number, and often a symbol. Moreover, the advice was that people should use words or phrases they could easily remember, but interlaced with symbols and numbers with shapes similar to letters. Furthermore, at the time of the document’s writing, users were recommended to change their password frequently – as often as every 90 days.
Burr, for his part, regrets a lot of what he did with the standards. He says, for example, that users who did follow guidelines and change their password had a habit of only implementing slight changes that did almost nothing to improve security. Additionally, the passwords they chose were predictable, given the limited number of ways such characters can be used. In fact, some estimates have put forward a time frame of 3 days to hack those rules. As a result of those estimations, the rules were completely rewritten in June. According to the projects lead Paul Grassi, and for the reasons listed above, the old rules did very little for security and compromised the usability of the internet. For starters, the new rules don’t require password changes unless there is an indication that an account has been illegitimately accessed or a password has been stolen. It is suggested that users set their passwords as phrases they will easily remember, too. For example, with current technology, experts have suggested something as simple as “correct horse battery staple,” written together as a single word, could take up to 550 years to be cracked.
Grassi, meanwhile, seems to think that Burr shouldn’t beat himself up over the ordeal. Despite that Burr didn’t have access to the data that would be required to make the more practical, modern suggestions regarding passwords, Burr’s document stood for no less than 10 years. It also had a significant impact on how security is viewed worldwide. According to Microsoft researcher Cormac Herley, the ideas were logically sound, too, and intended to create a randomness in password settings that could actually have worked. A large part of the problem, Herley says, is that so many people were so unoriginal in their creation of passwords using the old guidelines. The new guidelines, on the other hand, are much more open and should bring more creativity and diversity in password selection. They should also make remembering passwords a much easier task for users.