The Man Responsible for Those Annoying Password Requirements Regrets Them
B3tTer l4Te [email protected] neV3r!
People are bad at passwords, and while that would certainly be true regardless of what Bill Burr wrote, his suggestions on making passwords secure contributed to the problem. You may not know who Burr is, but you’ve certainly encountered his guidelines in all those requirements for special characters and numbers that make your password difficult to remember. Much like you, he regrets the effect they’ve had on passwords, although maybe for slightly different reasons.
Burr’s 2003 National Institute of Standards and Technology password guidelines, while not necessarily bad ideas in themselves, led people to follow a lot of the same patterns when crafting passwords as the guidelines spread, thus giving a false sense of security while providing easy patterns for cracking. To be fair, I think we all regret plenty of things that happened in the early ’00s, as well as how seemingly good aspects of technology have come back to bite us over time, so it’s hard to fault him.
Anyway, raise your hand if the first letter of any of your passwords is capitalized, and it also ends in an exclamation point. Well, then at least it’s not as bad as “password” or “12345678” as tends to be the case on the yearly “worst passwords” lists, but adding in weird characters to make it “[email protected]” probably isn’t really doing anything but making it more difficult for you to remember.
Likewise, Burr’s suggestion of changing passwords relatively frequently likely did little more than push users to fall into lazy password habits rather than crafting something that’s actually difficult to crack. With all this in mind, he told the Wall Street Journal, “In the end, it was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree.” That admission comes shortly after the NIST released revised guidelines in June, doing away with much of what Burr suggested.
Now we just have to wait for all the websites and companies that won’t let you create a password without following some of these guidelines to get the memo. Then, we can all set about trying to find the most predictable possible way to turn the new rules into a set of patterns that will make it easier for our passwords to be cracked, because we’re all terrible at passwords. I look forward to the new guideline writers’ remorse in 14 years.
Want more stories like this? Become a subscriber and support the site!
—The Mary Sue has a strict comment policy that forbids, but is not limited to, personal insults toward anyone, hate speech, and trolling.—
Have a tip we should know? [email protected]