The Guy Who Invented Those Annoying Password Rules Now Regrets Wasting Your Time
Adam Clark Estes
Today 2:45pm

We’ve all been forced to do it: create a password with at least so many 
characters, so many numbers, so many special characters, and maybe an uppercase 
letter. Guess what? The guy who invented these standards nearly 15 years ago 
now admits that they’re basically useless. He is also very sorry.

The man in question is Bill Burr, a former manager at the National Institute of 
Standards and Technology (NIST). In 2003, Burr drafted an eight-page guide on 
how to create secure passwords creatively called the “NIST Special Publication 
800-63. Appendix A.” This became the document that would go on to more or less 
dictate password requirements on everything from email accounts to login pages 
to your online banking portal. All those rules about using uppercase letters 
and special characters and numbers—those are all because of Bill.

The only problem is that Bill Burr didn’t really know much about how passwords 
worked back in 2003, when he wrote the manual. He certainly wasn’t a security 
expert. And now the retired 72-year-old bureaucrat wants to apologize.

“Much of what I did I now regret,” Bill Burr told The Wall Street Journal 
recently, admitting that his research into passwords mostly came from a white 
paper written in the 1980s, well before the web was even invented. “In the end, 
[the list of guidelines] was probably too complicated for a lot of folks to 
understand very well, and the truth is, it was barking up the wrong tree.”

Bill is not wrong. Simple math shows that a shorter password with wacky 
characters is much easier to crack than a long string of easy-to-remember 
words. This classic XKCD comic shows how four simple words create a passphrase 
that would take a computer 550 years to guess, while a nonsensical string of 
random characters would take approximately three days:

Image: XKCD (published under a Creative Commons 2.5 license)

This is why the latest set of NIST guidelines recommends that people create 
long passphrases rather than gobbledygook words like the ones Bill thought were 
secure. (Pro tip: Use this guide to create a super secure passcode using a pair 
of dice.)
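To make the “simple math” above concrete, here is an added worked example (my own code, not from the article, The Wall Street Journal or NIST). It assumes the figures behind the XKCD comparison: roughly 2048 common words, so 11 bits per word; about 28 bits for a short human-chosen password with predictable substitutions; and an attacker limited to 1,000 guesses per second. It also shows how a dice-driven word list is used, as in the passphrase guide the paragraph mentions, with a small constructed word list standing in for a real one.

```python
import math
import secrets

# Guess rate assumed by the XKCD comparison the article refers to: an
# online attack throttled to 1,000 guesses per second (an assumption here).
GUESSES_PER_SECOND = 1_000


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of a secret made of `length` independent, uniformly random
    choices from `pool_size` options. Only valid for truly random choices;
    a human-picked word or pattern carries far fewer bits than this."""
    return length * math.log2(pool_size)


def seconds_to_exhaust(bits: float, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every one of the 2**bits candidates at `rate`/s."""
    return 2 ** bits / rate


def days_to_exhaust(bits: float, rate: int = GUESSES_PER_SECOND) -> float:
    return seconds_to_exhaust(bits, rate) / (24 * 3600)


def years_to_exhaust(bits: float, rate: int = GUESSES_PER_SECOND) -> float:
    return seconds_to_exhaust(bits, rate) / (365.25 * 24 * 3600)


# Constructed toy word list for the demo. A real Diceware-style list has
# 7776 = 6**5 entries, one per sequence of five dice rolls.
TOY_WORDLIST = [
    "correct", "horse", "battery", "staple", "river", "lantern", "copper",
    "meadow", "pencil", "orbit", "velvet", "garden", "anchor", "timber",
    "falcon", "marble",
]


def dice_index(rolls) -> int:
    """Map five dice rolls (each 1..6) to a 0-based index into a 7776-word
    list: the rolls are read as a base-6 number, least significant first."""
    if len(rolls) != 5 or any(r < 1 or r > 6 for r in rolls):
        raise ValueError("need exactly five dice values in 1..6")
    return sum((r - 1) * 6 ** i for i, r in enumerate(rolls))


def roll_dice(n: int = 5):
    """Roll `n` dice with the OS CSPRNG; never use random.random() for this."""
    return tuple(secrets.randbelow(6) + 1 for _ in range(n))


def generate_passphrase(wordlist, n_words: int = 4, sep: str = " ") -> str:
    """Choose `n_words` uniformly at random from `wordlist` using `secrets`.
    With a 7776-word list each word adds log2(7776) ~= 12.9 bits."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def compare() -> dict:
    """Return the headline numbers from the XKCD comparison."""
    four_words = entropy_bits(2048, 4)          # 44 bits
    return {
        "four_word_bits": four_words,
        "four_word_years": years_to_exhaust(four_words),   # ~557 years
        "short_complex_days": days_to_exhaust(28),          # ~3.1 days
        # For contrast: 8 truly random printable ASCII characters. This is
        # stronger than the 28-bit human-chosen pattern, but nobody remembers it.
        "random8_bits": entropy_bits(95, 8),
        # Five words from a real 7776-word dice list.
        "five_diceware_bits": entropy_bits(7776, 5),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:>20}: {value:,.1f}")
    print("sample passphrase:", generate_passphrase(TOY_WORDLIST))
    rolls = roll_dice()
    print("dice", rolls, "-> word index", dice_index(rolls))
```

The numbers reproduce the comic’s “550 years” versus “three days” only because the 28-bit password is assumed to be human-chosen with predictable substitutions; eight genuinely random printable characters score about 52.6 bits, so the real point is that memorable length beats unmemorable complexity, not that long passwords are magic. Note that `entropy_bits` assumes uniform random selection, which is exactly what dice or `secrets` provide and what a person picking “favourite words” does not.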

Inevitably, you have to wonder if Bill not only feels regretful but also a 
little embarrassed. It’s not entirely his fault either. Fifteen years ago, 
there was very little research into passwords and information security, while 
researchers can now draw on millions upon millions of examples. Bill also 
wasn’t the only one to come up with some regrettable ideas in the early days of 
the web. Remember pop-up ads, the scourge of the mid-aughts internet? The 
inventor of those is super sorry as well. Oh, and the confusing, unnecessary 
double slash in web addresses? The inventor of that idea (and the web itself), 
Tim Berners-Lee, is also sorry.

Technology is often an exercise of trial and error. If you get something right, 
like Jeff Bezos or Mark Zuckerberg have done, the rewards are sweet. If you 
screw up and waste years of unsuspecting internet users’ time in the process, 
like Bill did, you get to apologize years later. We forgive you, Bill. At least 
some of us do.

[Wall Street Journal]

Infowarrior mailing list