For 20 years, the standard advice for creating a “strong” password that is hard to crack has been to use a mix of letters, numbers and symbols.
It’s so ingrained that when you go to create a new email account you’ll frequently get praising or finger-wagging feedback from the computer on how well your secret code adheres to these guidelines.
And you’re supposed to change it every 90 days.
Now, the man who laid down these widely followed rules says he got it all wrong.
“Much of what I did I now regret,” Bill Burr, a 72-year-old retired manager at the National Institute of Standards and Technology, told the Wall Street Journal.
The result is that people create odd-looking passwords and then have to write them down, which is of course less secure than something you can memorize. Users also lean on common substitutions, like “zeroes” for the letter O, which a smart hacker could program their password cracker to look for. Or they pick one “base” password that they can memorize and only change a single number. That’s also not as safe.
“It just drives people bananas and they don’t pick good passwords no matter what you do,” Burr said.
The new password guidelines are both easier to remember and harder to guess. NIST’s revised tips say users should pick a string of simple English words — and only be forced to change them if there’s been evidence of a security break-in.