The man responsible for creating the password advice we've all been using for the last 20 years now says he was wrong.
“Much of what I did I now regret,” retired former National Institute of Standards and Technology manager Bill Burr, now 72, told The Wall Street Journal.
Burr wrote the unofficial rules regarding how to choose a strong password, including using a mix of letters, numbers and symbols and changing passwords every 90 days.
After 20 years of studying the passwords users chose for their accounts, the document written by Burr was rewritten in June to reflect the latest thinking and observations about strong passwords.
Paul Grassi, an NIST adviser who led the rewrite, said his group didn’t think much of a revision would be needed, but they “ended up starting from scratch” to determine what actually works best in choosing strong passwords, the WSJ reported.
It turned out that using special characters didn’t make passwords much harder to crack, but they did make passwords harder to remember and keep track of. And changing passwords every 90 days didn’t help much either, especially if the change was only a slight one, the WSJ said.
The new guidelines state that a long, easy-to-remember phrase is more effective than a shorter password with strange characters. It would actually take 550 years for a computer to decode a phrase like “correct horse battery staple,” cartoonist Randall Munroe calculated, and only three days to decode “Tr0ub4dor&3,” at 1000 guesses per second.
Grassi praised the longevity of Burr’s guidelines despite their replacement, saying, “I only hope to be able to have a document hold up [10 to 15 years],” the WSJ reported.
Biometric data such as a fingerprint or retinal scan also was recommended for password use whenever possible.