Hate silly password rules? So does the guy who created them

Password rules followed by millions of users for over a decade turn out not to be based on any real-world data.
Written by Liam Tung, Contributing Writer


The man who drew up widely-used password rules that are now regarded as wrong regrets ever having created them.

If you've ever wondered why you're forced to pick hard-to-remember passwords with a mix of uppercase, lowercase, numbers, and a symbol -- and then asked to change them every month -- it's probably because a developer somewhere followed guidance from a 2003 document by the US National Institute of Standards and Technology (NIST).

That eight-page document 'NIST Special Publication 800-63. Appendix A' was written by Bill Burr, now a retired 72-year-old former manager at the institute.

"Much of what I did I now regret," Burr told The Wall Street Journal.


NIST finalized a rewrite of the password management guidelines in June, reversing many of the recommendations contained in the document he wrote.

It did away with recommending periodic password changes and password complexity requirements, while introducing a requirement to check that new passwords aren't compromised or commonly used, like '1234567' or 'password', which always turn up in breaches as the most commonly used passwords.

As the revised document notes, analyses of exposed passwords, which now number several hundred million in the haveibeenpwned database, show that rules around complexity and periodic changes don't produce the benefits they were thought to, while making systems harder to use.

For example, a user inclined to choose 'password' might well choose 'Password1' if required to include a number and uppercase letter. Meanwhile, periodic password changes can make them difficult to remember for those needing access to dozens of systems, who might then waste time requesting a password reset whenever they've forgotten them.

Burr, a former mainframe programmer for the Army, told the paper he did actually want to create password guidance based on real-world passwords, but there wasn't much available in 2003. He even asked NIST computer admins to look at real passwords on their network but was knocked back.


As a result, he leaned largely on empirical data in a computer password security whitepaper from the 1980s.

Under the new guidance, admins responsible for verifying newly created passwords are advised to check them against passwords exposed in previous breaches, dictionary words, repetitive and sequential characters, and words containing the name of the user or service.

The only time that admins should force a change now is if there is evidence a password has been breached. And to support longer random passwords, it advises that admins should let users paste their password in, backing the use of password managers.

The guidance also addresses password length, suggesting users be required to pick one that is at least eight characters in length, while the system should support passwords at least 64 characters in length.
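A password screening routine along the lines of the revised guidance above, as an added example that is neither the article's nor NIST's code. The breach list and dictionary are small constructed stand-ins (a real deployment would check a corpus such as haveibeenpwned), and the 64-character cap and the four-character run length used for the repetition and sequence checks are assumptions.

```python
import re

# Constructed stand-ins for a breach corpus and a dictionary list;
# production systems would consult far larger, regularly updated sets.
BREACHED = {"password", "1234567", "123456", "qwerty", "password1"}
DICTIONARY = {"password", "welcome", "dragon", "monkey", "letmein"}

MIN_LEN = 8    # the guidance's required minimum
MAX_LEN = 64   # assumption: the guidance says at least 64 must be supported

def has_repetitive_run(pw, n=4):
    """True if any character repeats n or more times in a row, e.g. 'aaaa'."""
    return re.search(r"(.)\1{%d,}" % (n - 1), pw) is not None

def has_sequential_run(pw, n=4):
    """True if n consecutive characters step by +1 or -1, e.g. 'abcd' or '4321'."""
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - n + 1):
        diffs = {codes[j + 1] - codes[j] for j in range(i, i + n - 1)}
        if diffs == {1} or diffs == {-1}:
            return True
    return False

def check_password(pw, username="", service=""):
    """Return the list of reasons the password is rejected; empty means accepted."""
    reasons = []
    low = pw.lower()
    if len(pw) < MIN_LEN:
        reasons.append("shorter than 8 characters")
    if len(pw) > MAX_LEN:
        reasons.append("longer than 64 characters")
    if low in BREACHED:
        reasons.append("found in breach list")
    if low in DICTIONARY:
        reasons.append("dictionary word")
    if has_repetitive_run(pw):
        reasons.append("repetitive characters")
    if has_sequential_run(pw):
        reasons.append("sequential characters")
    # Reject passwords that embed the account or service name (ignoring case);
    # very short context strings are skipped to avoid spurious substring hits.
    for label, ctx in (("username", username), ("service name", service)):
        if ctx and len(ctx) >= 3 and ctx.lower() in low:
            reasons.append(f"contains {label}")
    return reasons

if __name__ == "__main__":
    for candidate in ("password", "Password1", "aaaa5678", "correct horse battery staple"):
        print(repr(candidate), "->", check_password(candidate) or "accepted")
```

Note that no complexity classes are demanded and no expiry is applied; only a breach or other evidence of compromise would trigger a forced change.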
