And now the technology guru who came up with the rules on safeguarding personal information 14 years ago has admitted that his guidance was wrong. Even Burr himself now concedes they're a bad idea, according to the Wall Street Journal. In June, a new group at NIST rewrote the guidelines, dropping the 90-day expiration advice as well as the requirement for special characters.
He says, for example, that users who did follow the guidelines and change their password had a habit of making only slight changes that did nearly nothing to improve security. And so the National Institute of Standards and Technology has radically reworked its guidelines.
The gentleman who had us all changing passwords frequently and using odd character sequences now has regrets.
Burr told The Wall Street Journal that his advice has led people astray because those rules were probably too challenging for many to understand and caused people to use passwords that were not too hard to crack.
"It just drives people bananas and they don't pick good passwords no matter what you do," he said. "Because when people are forced to change passwords they don't really know what the new password should be."
Businesses should heed the new standards, using them to inform their corporate password policies. Burr, who wrote "Appendix A", which was basically a primer on how to protect your online accounts, says that he now regrets most of what he did.
He added that the recommendation to change the password regularly was also wrong, since most users change only one letter or number, which does not hinder hackers at all.
The better solution could be to simply use a password made of four random words, because a long string of letters can be harder to crack than a short combination of letters and special characters, the Journal reports.
People use phishing schemes and other tricks to get passwords, or they install keyboard loggers on computer systems and steal them. The new guidelines also recommended a ban on password strength meters, mandatory resets, and predictable combinations. He had asked NIST's computer security experts for passwords as a case study, but they did not comply.
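The contrast described above, between composition rules plus forced rotation on one side and length plus a blocklist on the other, is easier to see in code. The example below is added here and is not from the article, from NIST, or from Burr's appendix; it assumes an 8-to-64 character length window, a constructed blocklist of a few common passwords standing in for a real breached-password list, and an edit-distance threshold of 2 for spotting the "change one character" updates the article describes. The previous-password comparison is only possible at change time, when the user has just supplied both the old and the new password.

```python
"""Old-style composition policy vs. a length-plus-blocklist policy (added example)."""
import re
from typing import Optional, Tuple

# Constructed sample blocklist. A real deployment would load a large list of
# breached, dictionary and organisation-specific passwords instead.
COMMON_PASSWORDS = {
    "password", "password1", "password1!", "123456", "qwerty",
    "letmein", "welcome1", "summer2017", "admin123",
}

MIN_LEN = 8    # assumed lower bound for this example
MAX_LEN = 64   # assumed upper bound so passphrases are not cut off
TRIVIAL_EDIT_DISTANCE = 2  # assumed threshold for "barely changed" passwords


def old_policy(password: str) -> bool:
    """Composition-rule policy of the kind the old guidance encouraged:
    at least 8 characters with upper case, lower case, a digit and a special
    character. Note that it accepts 'Password1!' and rejects a four-word
    passphrase that has no upper-case letter or digit."""
    return (
        len(password) >= 8
        and re.search(r"[A-Z]", password) is not None
        and re.search(r"[a-z]", password) is not None
        and re.search(r"[0-9]", password) is not None
        and re.search(r"[^A-Za-z0-9]", password) is not None
    )


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings, used to detect a new password
    that differs from the old one by only a character or two."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def new_policy(password: str, previous: Optional[str] = None) -> Tuple[bool, str]:
    """Length-plus-blocklist policy in the spirit of the rewritten guidance:
    no composition rules and no scheduled expiry, but known-bad passwords and
    trivial variations of the previous password are rejected.
    Returns (accepted, reason)."""
    if len(password) < MIN_LEN:
        return False, "shorter than %d characters" % MIN_LEN
    if len(password) > MAX_LEN:
        return False, "longer than %d characters" % MAX_LEN
    # Case-insensitive blocklist match is a design choice for this example.
    if password.lower() in COMMON_PASSWORDS:
        return False, "on the blocklist of common/breached passwords"
    if previous is not None and edit_distance(password.lower(), previous.lower()) <= TRIVIAL_EDIT_DISTANCE:
        return False, "trivial variation of the previous password"
    return True, "ok"


if __name__ == "__main__":
    # Constructed candidates: a rule-satisfying but common password, a
    # passphrase, and a typical "bump the year" rotation.
    for candidate, previous in [("Password1!", None),
                                ("correct horse battery staple", None),
                                ("Summer2018!", "Summer2017!")]:
        print("%-30s old=%-5s new=%s" % (candidate, old_policy(candidate),
                                         new_policy(candidate, previous)))
```

Run as a script it shows that `Password1!` satisfies every composition rule yet is rejected by the blocklist, that the four-word passphrase fails the old rules and passes the new ones, and that the year-bump rotation is caught as a trivial change.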
Do you need a password manager to keep track of all your obscure, special character-filled and lengthy passwords necessary for various websites?
If the man who invented those pesky password rules himself says that he might have made a mistake, then you should think twice about all those password-management habits that you've gotten used to following.