Everything You Know About Passwords Is Wrong

Everything You Know About Passwords Is Wrong

You know the rules: change your password regularly and use a combination of capital letters, numbers and special characters. But what if those guidelines were ineffective — maybe even harmful? Well, the man who invented them seems to think so.

Many of those rules came about because of a National Institute of Standards and Technology (NIST) password primer written up in 2003 by Manager Bill Burr. Of course, the rules recommended by Burr in that document have been adopted as password best practices for much of the digital world. But Burr is now recanting those recommendations. “Much of what I did I now regret,” Burr recently told the Wall Street Journal. “In the end, it was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree.”

The NIST is now revising its rules, including recommending a password change only if a security breach has occurred. Its reasoning is that incremental password changes aren’t useful — changing it from “passw0rd1” to “passw0rd2” isn’t going to thwart any hackers. In fact, simple changes like that (which all of us are prone to) can actually harm security. If you do end up being required to change your password, choose something completely different from your last one.

The standards group is also nixing its recommendation of using a mix of special characters, upper and lower case letters, and numbers for passwords. What Burr and the NIST found is that these arbitrary restrictions tend to foster less secure passwords overall, and they had a “negative impact on usability,” according to Paul Grassi, who helped to rewrite Burr’s password primer. Instead, the NIST now thinks you should use long “passphrases.” These tend to be easier for most users to remember and would much longer for a hacker to brute force than a shorter one — even one that uses obscure characters. You can view the full revised draft of NIST guidelines here.

Read Next: