Bill Burr wrote the book on password management.

Now, he’s got some regrets.

His 2003 report for the National Institute of Standards and Technology recommended using numbers, obscure characters and capital letters and updating passwords regularly.

More than a decade later, the biggest argument against Mr. Burr’s prescriptions: They haven’t worked well.

Hackers have stolen and posted online hundreds of millions of passwords. Those postings have given researchers the data they need to take a hard look at how people’s passwords fare against the tools hackers used to break them.

Their conclusion? While we may think our passwords are clever, they aren’t.

New guidelines from the NIST drop the password-expiration advice and the requirement for special characters. Those rules did little for security—they “actually had a negative impact on usability,” said Paul Grassi, an NIST standards-and-technology adviser.
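To make the policy shift concrete, here is an added example (not from the article, and not NIST's own code) that puts a 2003-style composition-and-expiry check beside a check in the spirit of the updated guidance, NIST SP 800-63B: a minimum length, no character-class rules, no calendar expiry, and rejection of passwords that appear on a list of known-breached or commonly used ones. The blocklist below is a small constructed stand-in for a real breached-password corpus, and the 90-day expiry window and 8-character minimum are assumptions chosen for illustration.

```python
"""Legacy composition-rule password check beside a NIST SP 800-63B-style check.

Added example, not part of the article. The blocklist is a constructed stand-in
for a real list of breached or commonly used passwords.
"""
import string
from datetime import date, timedelta

# Constructed sample blocklist (stand-in for a breached-password corpus).
BREACHED_PASSWORDS = {
    "password", "p@ssw0rd", "summer2017!", "welcome1", "qwerty123",
}


def legacy_policy_ok(password: str, last_changed: date, today: date) -> bool:
    """2003-style rules: mixed case, a digit, a special character, and a forced
    change every 90 days (assumed window). Strength is judged by character
    classes, not by how guessable the password actually is."""
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_special = any(c in string.punctuation for c in password)
    not_expired = (today - last_changed) <= timedelta(days=90)
    return (len(password) >= 8 and has_upper and has_lower
            and has_digit and has_special and not_expired)


def nist_style_ok(password: str, blocklist=BREACHED_PASSWORDS,
                  min_len: int = 8) -> bool:
    """SP 800-63B style: a minimum length, no composition rules, no calendar
    expiry, and rejection of anything on a list of known-compromised or common
    passwords. The comparison is case-insensitive because cracking tools try
    case variants of every dictionary entry anyway."""
    if len(password) < min_len:
        return False
    return password.lower() not in blocklist


def compare(password: str) -> dict:
    """Run both checks on a candidate. The password is treated as freshly set
    so that only the composition rules, not expiry, decide the legacy result."""
    today = date(2017, 8, 8)
    return {
        "legacy": legacy_policy_ok(password, today, today),
        "nist": nist_style_ok(password),
    }


if __name__ == "__main__":
    # "P@ssw0rd" satisfies every character-class rule yet sits on breached
    # lists; a long passphrase fails the class rules but is far harder to guess.
    for pw in ["P@ssw0rd", "Summer2017!", "correct horse battery staple"]:
        print(f"{pw!r}: {compare(pw)}")
    # The same strong password is rejected by the legacy check purely because
    # of the calendar, which is the rule the new guidance drops.
    print(legacy_policy_ok("P@ssw0rd", date(2017, 1, 1), date(2017, 8, 8)))
```

The point the comparison makes is the one the article's researchers drew from leaked password dumps: character-class rules reward predictable substitutions ("P@ssw0rd") that attackers' wordlists already contain, while a screen against known-breached passwords rejects exactly those.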
