Everything You Know About 'Secure' Passwords Is Wrong
A lot of the advice you've received about passwords over the last 14 years was wrong, says the man who came up with most of it.
Bill Burr, formerly of the National Institute of Standards and Technology, now says that his 2003 guide on creating strong, secure passwords could actually make you more vulnerable to hacking.
"Much of what I did I now regret," Burr, now 72 and retired, told the Wall Street Journal in an interview.
The document, "NIST Special Publication 800-63, Appendix A," was an 8-page guide to creating passwords, but the passwords it produced were easy to guess and ultimately led to lazy security practices. The advice led users to substitute obvious special characters for letters (a dollar sign for an "s," for instance), toss in a few numerals and add a few unexpected capital letters. (The original recommendations are pages 46-54 of this archived document.)
Following this guidance, one might create a password like "P@sswrD1!" that looks complex but is easy to guess, because such substitutions are so common. Burr also wrote that users should change their passwords every 90 days, but that led users to make only small, incremental changes, such as updating to "P@sswrd2!" or something equally easy to guess, which lulled them into a false sense of security.
New NIST guidelines written by advisor Paul Grassi did away with Burr's rules completely, including the requirements for special characters and for changing passwords after a specific amount of time.
You can find our own guide to creating safe, strong passwords here. We recommend using at least 15 characters in your passwords, as stronger computers can crack shorter passcodes quickly, as well as using upper-case and lower-case letters, special characters and numbers. Don't use the same password in two places (especially with the same user name or email address) and store them all in a password manager.
"In the end, it was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree," Burr said. But it's never too late to start with strong security practices.