Creator of password safety admits he got it wrong


The complicated and easily forgotten password filled with random numbers and symbols is the bane of many office workers' lives.

And now the technology guru who came up with the rules on safeguarding personal information 14 years ago has admitted that his guidance was wrong.

Bill Burr wrote what has become the "bible" on password security in 2003 while working for the US government.

It advised using capital letters, numbers and non-alphabetic symbols in passwords, in the belief that they would be more difficult to uncover.


His advice has been widely adopted by internet security companies and IT departments.

It is responsible for tortuous phrases such as "P@55w0rd" or "Football123" to satisfy password forms, as well as workers having to create a new phrase every 90 days.

But computer experts say that instead of improving security, the combinations actually make systems less secure. Complex passwords are difficult to remember, they add, while users end up using the same one repeatedly on different websites, or writing them down on Post-it notes.

The introduction of numbers and symbols also fails to make passwords any less vulnerable to hackers. So-called "brute force" cyber attacks, in which a computer program cycles through every possible combination of characters to guess a password, are not slowed down by numbers or capital letters, but depend on how long a phrase is.

Passwords should be long and easy to remember, and only need to be changed when there is a sign of a breach.

"Much of what I did I now regret," Burr, who is now retired, told the Wall Street Journal.

"In the end, it was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree."

He added that the advice to regularly change passwords was mistaken, since most people end up altering one character, such as changing from "qwerty1" to "qwerty2".

Requiring somebody to add a number and a capital letter to their password does not stop people using bad passwords such as a pet's name, but would simply mean that "fido" would become "Fido1".

Many passwords that do adhere to the complex requirements have ended up on lists of the most used phrases. Passwords including "Passw0rd" and "1qaz2wsx" are in the top 25.
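The kind of check a login system can make for the two failure modes just described, as an added example that is not from the article or from the guidelines it discusses: it normalizes a candidate password (lower-case, strip the trailing counter, undo the usual symbol substitutions) before comparing it with a blocklist of most-used phrases, and it rejects a "new" password that is only the previous one with a digit bumped. The blocklist, the substitution table and the 12-character minimum are constructed for the example.

```python
import re
from typing import List, Optional

# Constructed blocklist standing in for a real "most used passwords" list.
COMMON_PASSWORDS = {"password", "qwerty", "football", "fido", "1qaz2wsx", "letmein"}

# Substitutions that complexity rules invite ("P@55w0rd"); constructed, not exhaustive.
LEET = str.maketrans({"@": "a", "$": "s", "5": "s", "0": "o", "1": "i",
                      "!": "i", "3": "e", "4": "a", "7": "t"})

MIN_LENGTH = 12  # assumed policy value for the example, not a figure from the article


def normalize(pw: str) -> str:
    """Reduce a password to the base word the user most likely started from."""
    p = pw.lower()
    p = re.sub(r"[\d\W_]+$", "", p)   # strip trailing counter/symbols: "Fido1" -> "fido"
    p = p.translate(LEET)             # undo substitutions: "p@55w0rd" -> "password"
    p = re.sub(r"[^a-z0-9]", "", p)   # drop any remaining punctuation
    return p


def is_common(pw: str) -> bool:
    """True if the password, raw or normalized, is on the blocklist."""
    candidates = {pw.lower(), normalize(pw)}
    return any(c in COMMON_PASSWORDS for c in candidates)


def is_trivial_change(old: str, new: str) -> bool:
    """True when the new password is the old one with a counter bumped or a symbol swapped."""
    base = normalize(new)
    return base != "" and normalize(old) == base


def evaluate(pw: str, previous: Optional[str] = None) -> List[str]:
    """Return the reasons a password is rejected; an empty list means it is accepted."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append("too short")
    if is_common(pw):
        reasons.append("common password")
    if previous is not None and is_trivial_change(previous, pw):
        reasons.append("trivial variant of previous password")
    return reasons


if __name__ == "__main__":
    for old, new in [("qwerty1", "qwerty2"), ("P@55w0rd", "Passw0rd!"), (None, "Fido1"),
                     (None, "horsecarrotsaddlestable")]:
        print(f"{new!r}: {evaluate(new, old) or 'accepted'}")
```

The point of the normalization step is that a blocklist compared against the raw string would pass "P@55w0rd" while rejecting "password"; the two are the same guess to an attacker's wordlist rules, so they should be the same to the policy.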

Burr's guidelines have recently been updated to do away with the old rules. They now advise that people use long but easy-to-remember "passphrases".

Using "horsecarrotsaddlestable" would take one trillion years for a "botnet" cyber attack to crack, in contrast to a minute for "P@55w0rd".
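The arithmetic behind the brute-force point made earlier and the passphrase comparison above, as an added example that is not from the article or the guidelines it describes: the keyspace and entropy for a given alphabet size and length, and the time to exhaust that keyspace at an assumed guess rate. The rate of 10^10 guesses per second and the 10,000-word dictionary are assumptions chosen for the comparison; the third policy entry carries the caveat a defender should know, that a passphrase built from common words is only as strong as its word count once an attacker guesses word by word rather than letter by letter.

```python
import math

# Assumed attacker guess rate, chosen only so that policies can be compared;
# real rates depend on the hash function and the hardware.
GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Candidates an exhaustive search must try for a uniformly random choice."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """log2 of the keyspace; every extra bit doubles the attacker's work."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(alphabet_size: int, length: int,
                     rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the given rate."""
    return keyspace(alphabet_size, length) / rate / SECONDS_PER_YEAR


def length_needed(alphabet_size: int, target_bits: float) -> int:
    """Smallest length whose keyspace reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def compare_policies() -> dict:
    return {
        # a "complex" 8-character password drawn from all 95 printable ASCII characters
        "8 chars, 95 symbols": years_to_exhaust(95, 8),
        # a lower-case-only passphrase of 24 characters, searched letter by letter
        "24 chars, 26 symbols": years_to_exhaust(26, 24),
        # the same passphrase when the attacker knows it is four words from a 10,000-word list
        "4 words, 10000-word list": years_to_exhaust(10_000, 4),
    }


if __name__ == "__main__":
    for name, years in compare_policies().items():
        print(f"{name:28s} {years:12.4g} years")
    for size in (26, 95):
        print(f"alphabet {size}: {length_needed(size, 80)} characters for 80 bits")
```

Under these assumptions the 24 lower-case letters take many orders of magnitude longer to exhaust than 8 mixed characters, which is the article's point: length, not symbol mix, sets the size of the search. The word-list entry shows the limit of that point: four dictionary words give roughly 53 bits, comparable to the 8-character complex password, so a passphrase chosen from common words needs more words, not just more letters.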

 - The Telegraph