There’s nothing more infuriating than a website telling you your password isn’t good enough for them. I seethe with a thousand furies whenever the red text pops up to tell me that I must have at least one capital letter and a bunch of numbers. Go directly to Hell.
These password standards were introduced nearly 15 years ago and the bloke who invented them has a message for you; he’s very sorry.
His name is Bill Burr, a former manager at the National Institute of Standards and Technology (NIST). Way back in 2003, Billy boy wrote up an eight-page guide on how to secure passwords called “NIST Special Publication 800-63, Appendix A”.
Unfortunately for you, this was the document responsible for the password requirements we have today. The ones about uppercase letters, numbers and special characters. The ones that make you piss tears each time you need to sign up for something.
It may surprise you to learn that Bill didn’t actually know much about how passwords worked back then and was never even an expert on security. In fact, most of his research around passwords came from a white paper written before the internet was a thing.
But hey, Bill’s retired now and he wants you to know that he’s bloody sorry.
“Much of what I did I now regret,” Burr told The Wall Street Journal. “In the end, [the list of guidelines] was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree.”
Funnily enough, what a standard website would deem a “strong” password isn’t actually that strong at all. According to everyone’s favourite pal, maths, a shorter password containing a bunch of nonsensical characters is easier for a computer to crack than a collection of simple words.
The latter would take a computer 550 years to guess, but the pile of shitty letters and numbers would take only three days.
The latest NIST guidelines recommend you go with longer, easy-to-remember phrases for this very reason. They’re harder to crack and, as a bonus, easier to remember.
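The maths behind the “550 years versus three days” comparison, as an added example (not from the article): it assumes the widely cited xkcd 936 model, where a four-word passphrase from a 2048-word list gives 44 bits, a word mangled with a capital, substitutions, a digit and a symbol gives about 28 bits, and the attacker makes 1000 guesses per second. The per-component bit counts and guess rates are assumptions, not figures from the article.

```python
import math

ONLINE_GUESSES_PER_SEC = 1_000           # assumption: throttled online guessing, as in the classic comparison
OFFLINE_GUESSES_PER_SEC = 10_000_000_000  # assumption: cracking rig against a leaked hash database
SECONDS_PER_DAY = 24 * 3600
SECONDS_PER_YEAR = 365 * SECONDS_PER_DAY


def passphrase_bits(num_words: int, wordlist_size: int) -> float:
    """Entropy of a passphrase whose words are picked uniformly at random from a list."""
    return num_words * math.log2(wordlist_size)


def rule_password_bits() -> float:
    """Entropy of a 'complexity rule' password built the way people really build them:
    an uncommon word, one capital, a few 1337 substitutions, a digit and a symbol.
    Per-component bits follow the xkcd 936 estimate (an assumption, not the article's data)."""
    components = {
        "uncommon base word": 16,
        "capitalisation (usually the first letter)": 1,
        "common substitutions (0 for o, 4 for a, ...)": 3,
        "appended digit": 3,
        "appended punctuation": 4,
        "order of digit and punctuation": 1,
    }
    return float(sum(components.values()))


def worst_case_guesses(bits: float) -> float:
    """Number of guesses needed to exhaust the whole keyspace."""
    return 2.0 ** bits


def crack_days(bits: float, rate: float = ONLINE_GUESSES_PER_SEC) -> float:
    return worst_case_guesses(bits) / rate / SECONDS_PER_DAY


def crack_years(bits: float, rate: float = ONLINE_GUESSES_PER_SEC) -> float:
    return worst_case_guesses(bits) / rate / SECONDS_PER_YEAR


if __name__ == "__main__":
    rule, phrase = rule_password_bits(), passphrase_bits(4, 2048)
    print(f"rule-based password: {rule:.0f} bits, ~{crack_days(rule):.1f} days online")
    print(f"four-word passphrase: {phrase:.0f} bits, ~{crack_years(phrase):.0f} years online")
    # The defender's caveat: against an offline attack on leaked hashes the same
    # passphrase lasts under an hour, so length helps only alongside slow hashing
    # and rate limiting.
    print(f"four-word passphrase offline: ~{crack_days(phrase, OFFLINE_GUESSES_PER_SEC) * SECONDS_PER_DAY / 60:.0f} minutes")
```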
Poor Bill definitely meant well, and to be fair, there wasn’t a lot of password research floating around back in those days. At least he’s seen the error of his ways.
Just don’t do it again, Bill.