Creator of password safety admits he got it wrong
The complicated and easily forgotten password filled with random numbers and symbols is the bane of many office workers' lives.
And now the technology guru who came up with the rules on safeguarding personal information 14 years ago has admitted that his guidance was wrong.
Bill Burr wrote what has become the "bible" on password security in 2003 while working for the US government.
It advised using capital letters, numbers and non-alphabetic symbols in passwords, in the belief that they would be more difficult to uncover.
His advice has been widely adopted by internet security companies and IT departments.
It is responsible for tortuous phrases such as "P@55w0rd" or "Football123" to satisfy password forms, as well as workers having to create a new phrase every 90 days.
But computer experts say that instead of improving security, the combinations actually make systems less secure. Complex passwords are difficult to remember, they add, while users end up using the same one repeatedly on different websites, or writing them down on Post-it notes.
The introduction of numbers and symbols also fails to make passwords any less vulnerable to hackers. So-called "brute force" cyber attacks, in which a computer program cycles through every possible combination of characters to guess a password, are not slowed down by numbers or capital letters, but depend on how long a phrase is.
"Much of what I did I now regret," Burr, who is now retired, told the Wall Street Journal.
"In the end, it was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree."
He added that the advice to regularly change passwords was mistaken, since most people end up altering one character, such as changing from "qwerty1" to "qwerty2".
Requiring somebody to add a number and a capital letter to their password does not stop people using bad passwords such as a pet's name, but would simply mean that "fido" would become "Fido1".
Many passwords that do adhere to the complex requirements have ended up on lists of the most used phrases. Passwords including "Passw0rd" and "1qaz2wsx" are in the top 25.
Burr's guidelines have recently been updated to do away with the old rules. They now advise that people use long but easy-to-remember "passphrases".
Using "horsecarrotsaddlestable" would take one trillion years for a "botnet" cyber attack to crack, in contrast to a minute for "P@55w0rd".
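The claims above (brute force cost depends on length, a complex but short password still falls quickly, a long passphrase holds up) can be checked with a small estimator. The following Python is an added example written for this page, not code from the article, NIST or Bill Burr. The common-password list is constructed, the guess rate of 1e10 per second is an assumed placeholder rather than a measured figure, and the 10,000-word dictionary used for the passphrase model is likewise an assumption. It goes slightly beyond the article by also modelling the attack a defender should worry about against passphrases: guessing whole dictionary words instead of characters.

```python
import math
import string
from typing import Optional

# Constructed list of widely reused passwords, standing in for the public
# "most common passwords" lists the article mentions. Illustrative only.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "passw0rd", "p@55w0rd",
    "football123", "1qaz2wsx", "fido1",
}

# Assumed attacker speed for an offline attack against a fast hash.
# Real rates depend on the hash function and hardware; this is a round
# placeholder, not a measured figure.
ASSUMED_GUESSES_PER_SECOND = 1e10

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def charset_size(password: str) -> int:
    """Size of the smallest standard alphabet containing every character:
    lower 26, upper 26, digits 10, printable ASCII symbols plus space 33."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation or c == " " for c in password):
        size += 33
    return size


def brute_force_keyspace(password: str) -> int:
    """Number of candidates of the same length over the same alphabet."""
    return charset_size(password) ** len(password)


def word_list_keyspace(num_words: int, dictionary_size: int) -> int:
    """Keyspace when the attacker guesses num_words whole words drawn from a
    dictionary of dictionary_size entries, rather than single characters."""
    return dictionary_size ** num_words


def years_to_exhaust(keyspace: int,
                     guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Years needed to try every candidate at the given guess rate."""
    return keyspace / guesses_per_second / SECONDS_PER_YEAR


def is_common(password: str) -> bool:
    """Wordlist check: anything on the list falls to a dictionary attack in
    seconds, whatever character classes it contains."""
    return password.lower() in COMMON_PASSWORDS


def assess(password: str, num_words: Optional[int] = None,
           dictionary_size: int = 10_000) -> dict:
    """Summarise how the password fares against the three attack models."""
    ks = brute_force_keyspace(password)
    result = {
        "password": password,
        "length": len(password),
        "on_common_list": is_common(password),
        "brute_force_bits": math.log2(ks),
        "brute_force_years": years_to_exhaust(ks),
    }
    if num_words is not None:
        wks = word_list_keyspace(num_words, dictionary_size)
        result["word_attack_bits"] = math.log2(wks)
        result["word_attack_years"] = years_to_exhaust(wks)
    return result


if __name__ == "__main__":
    for pw, words in (("P@55w0rd", None), ("Fido1", None),
                      ("horsecarrotsaddlestable", 4)):
        for key, value in assess(pw, num_words=words).items():
            shown = f"{value:.3g}" if isinstance(value, float) else value
            print(f"{key:>20}: {shown}")
        print()
```

Two things the output makes visible. "P@55w0rd" uses all four character classes yet sits on the common list, so its real cost is a wordlist lookup, which is why the article quotes a minute rather than the 95^8 exhaustive search. The 23-character passphrase is far beyond character-level brute force, but if an attacker knows it is four words from a 10,000-word dictionary the search space drops to 10^16, roughly the same as brute-forcing the eight-character password. Passphrase strength therefore comes from the number and unpredictability of the words, not the character count alone.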
- The Telegraph