Developer of secure password rules regrets his work

09 Aug 2017

Bill Burr, a former manager at the National Institute of Standards and Technology (NIST) who drafted an eight-page guide on how to create secure passwords, ''NIST Special Publication 800-63, Appendix A'', today regrets having done so.

The document went on to define password requirements for everything from email accounts to login pages to online banking portals. The annoying rules about mixing uppercase letters, special characters and numbers trace back to Burr.

Burr had little idea of how passwords worked back in 2003, when he wrote the manual. He was not a security expert, and the 72-year-old bureaucrat is now apologising for what he has done.

''Much of what I did, I now regret,'' Burr told The Wall Street Journal recently, given that his research into passwords mostly came from a white paper written in the 1980s, long before the web was even invented. ''In the end, [the list of guidelines] was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree.''

Burr's regret is well founded: a short password built to satisfy those complexity rules is easier to crack than a long string of easy-to-remember words. A combination of four simple words can create a passphrase that would take an attacker guessing about 1,000 times per second roughly 550 years to exhaust, while a short password of mixed-up letters, digits and symbols of the kind those rules produce falls in about three days at the same rate. Both figures assume that guessing rate; an offline attack on a leaked, fast-hashed password database runs many orders of magnitude faster, which shrinks both times but leaves the passphrase's advantage intact.
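The arithmetic behind those two figures, as an added example that is not part of the original article. It assumes an attacker limited to 1,000 guesses per second (the rate behind the 550-years and three-days numbers), a four-word passphrase drawn from a 2,048-word list (44 bits), and the widely circulated 28-bit model of a "complex" password made from a dictionary word with substitutions, a digit and a symbol; the 10^10 guesses-per-second offline rate and the tiny word list are assumptions for illustration, not data from the page.

```python
import math
import secrets

# Guess rates are assumptions for illustration, not figures from the article.
ONLINE_RATE = 1_000            # guesses/s: the rate behind the 550-years / 3-days comparison
OFFLINE_RATE = 10_000_000_000  # guesses/s: rough order of magnitude for a GPU rig vs a fast, unsalted hash
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY

# Constructed sample word list; a real Diceware/EFF list has thousands of entries.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "river", "candle", "orbit", "maple"]

# Assumed model of a 'complex' password such as a dictionary word with substitutions:
# uncommon base word (~65,536 choices), capitalise the first letter or not, common
# letter-for-symbol swaps, one appended digit, one appended symbol, and which suffix comes last.
COMPLEX_RECIPE = {
    "base_word": 16,
    "capitalisation": 1,
    "substitutions": 3,
    "digit": 3,
    "symbol": 4,
    "suffix_order": 1,
}


def passphrase_bits(num_words: int, wordlist_size: int) -> float:
    """Entropy of num_words words drawn uniformly (with replacement) from wordlist_size words."""
    return num_words * math.log2(wordlist_size)


def random_string_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a truly uniform random string, e.g. over the 95 printable ASCII characters."""
    return length * math.log2(alphabet_size)


def recipe_bits(components: dict) -> float:
    """Entropy of a recipe-built password as seen by an attacker who knows the recipe:
    each component contributes only the bits of choice it actually leaves the user."""
    return float(sum(components.values()))


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every candidate; the expected time to hit the right one is half of this."""
    return 2.0 ** bits / guesses_per_second


def human(seconds: float) -> str:
    """Render a duration in the largest unit that gives a value of at least 1."""
    for unit, size in (("years", SECONDS_PER_YEAR), ("days", SECONDS_PER_DAY),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.3f} seconds"


def generate_passphrase(wordlist: list, num_words: int = 4) -> str:
    """Draw words with a CSPRNG. Do not use random.choice here: the entropy estimate
    above only holds if every draw is uniform and unpredictable."""
    return " ".join(secrets.choice(wordlist) for _ in range(num_words))


if __name__ == "__main__":
    candidates = [
        ("4 words / 2048-word list", passphrase_bits(4, 2048)),       # 44 bits
        ("recipe-built 'complex' password", recipe_bits(COMPLEX_RECIPE)),  # 28 bits
        ("11 truly random printable chars", random_string_bits(11, 95)),    # ~72 bits
    ]
    for label, bits in candidates:
        print(f"{label:34s} {bits:5.1f} bits  "
              f"online: {human(seconds_to_exhaust(bits, ONLINE_RATE)):>14s}  "
              f"offline: {human(seconds_to_exhaust(bits, OFFLINE_RATE)):>14s}")
    print("example passphrase:", generate_passphrase(SAMPLE_WORDS))
```

The third row is the point practitioners most often miss: eleven genuinely random printable characters carry about 72 bits, far more than either of the article's examples, so the problem with complexity rules is not the character classes but that people satisfy them with a predictable recipe. The offline column also shows why a 44-bit passphrase is fine for a rate-limited login yet not for a leaked database hashed with a fast algorithm.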

Burr wanted to base his guidelines on real-world data, but little was available at the time. He also asked NIST's IT administrators to let him examine the passwords on the network, but they refused, citing security concerns.

With little to go by, Burr had to rely heavily on a white paper written in the 1980s, well before the public had access to the internet and at a time when cybercrime as we know it now did not exist.