Password Safe, an open source site, reminds users that "Security starts with you".
"Much of what I did I now regret", Bill Burr, a 72-year-old retired manager at the National Institute of Standards and Technology, told the Wall Street Journal. The rules in question are the password recommendations he wrote in 2003 for NIST Special Publication 800-63, in its "Appendix A". Now the man who wrote them says he was mostly wrong.
The document's advice, that passwords should be made of irregular capitalisations, numbers and special characters, was widely adopted by everything from banks to government bodies. The problem with these recommendations is that they prompt users to create passwords that are still easy to compromise: swapping a few letters for special characters and capitalising one or two of them adds almost nothing, because password-cracking tools apply exactly those substitutions as rules to a dictionary of common words, so an attacker rarely has to try anything close to the full character space that a "brute force" estimate assumes. In theory the best passwords look like complete gibberish, but they are obviously harder to commit to memory.
NIST has rewritten the guidelines, dropping the special-character advice in favour of a recommendation that people use long phrases they can easily remember but which still cannot easily be guessed by cracking software.
"You are either going to remember one and use it everywhere - which is very bad practice - or write them down". Burr also wrote that users should change their passwords every 90 days, but that led users to make only small, incremental changes, such as updating to "P@sswrd2!" or something equally easy to guess, lulling them into a false sense of security. It is tough to even agree on what makes a password strong in the first place, but most of the websites you visit probably recommend numbers, capital and lowercase letters, and probably a random symbol or two.
Burr is also among those authoring the new guidelines. As an illustration of the passphrase approach, experts have suggested that something as simple as "correct horse battery staple", written together as a single word, could take up to 550 years to crack with current technology. That figure comes from the widely shared calculation that assumes an online attacker limited to about a thousand guesses per second; an offline attack on a leaked database of weakly hashed passwords runs many orders of magnitude faster, so the words still have to be chosen at random rather than taken from a familiar phrase.
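The following is an added example, not code from the article or from NIST, that puts numbers on the two points above: a toy rule-based guesser of the kind real cracking tools run recovers a "P@sswrd2!"-style password (and its 90-day successor "P@sswrd3!") in a few hundred guesses, while four words drawn at random from a 2048-word list give 44 bits of entropy, which is the 550-year figure at a thousand guesses per second but under an hour at an assumed offline rate. The base word list, the mangling rules, the suffix list and the 10-billion-guesses-per-second offline rate are all constructed for the example; real attack dictionaries and rule sets are vastly larger.

```python
"""Added example: rule-based guessing versus random-word passphrases.

Everything here is constructed for illustration: a ten-word base list
standing in for a cracking dictionary, a few mangling rules (case changes,
leet substitution, vowel purging, common suffixes), a 2048-word passphrase
dictionary, an online rate of 1,000 guesses/s and an assumed offline rate of
10 billion guesses/s against a fast unsalted hash.
"""
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed stand-in for a cracking wordlist; real ones hold millions of entries.
BASE_WORDS = ["password", "letmein", "welcome", "monkey", "dragon",
              "qwerty", "football", "sunshine", "princess", "admin"]
LEET = {"a": "@", "s": "$", "o": "0", "e": "3", "i": "1"}
# Suffix rules: nothing, a digit, a digit plus "!", "!" alone, "123".
SUFFIXES = [""] + [str(d) for d in range(10)] + [f"{d}!" for d in range(10)] + ["!", "123"]


def variants(word):
    """Yield mangled forms of one base word in the order an attacker tries them."""
    seen = set()
    for w in (word, word.capitalize(), word.upper()):
        forms = [w, "".join(LEET.get(c.lower(), c) for c in w)]   # P@$$w0rd
        for i, c in enumerate(w):                                   # P@ssword
            if c.lower() in LEET:
                forms.append(w[:i] + LEET[c.lower()] + w[i + 1:])
        for f in list(forms):                                       # P@sswrd
            for v in "aeiou":
                if v in f.lower():
                    forms.append("".join(c for c in f if c.lower() != v))
        for f in forms:
            if f not in seen:
                seen.add(f)
                yield f


def guesses_to_crack(target, limit=1_000_000):
    """Number of guesses the rule-based attack needs to hit `target`,
    or None if it exhausts its candidates (or `limit`) without matching."""
    n = 0
    for word in BASE_WORDS:
        for v in variants(word):
            for s in SUFFIXES:
                n += 1
                if v + s == target:
                    return n
                if n >= limit:
                    return None
    return None


def effective_bits(target):
    """Entropy the password actually had against this attack: log2(guesses)."""
    n = guesses_to_crack(target)
    return math.log2(n) if n else None


def passphrase_bits(n_words, dictionary_size=2048):
    """Entropy of n words drawn uniformly at random from a dictionary."""
    return n_words * math.log2(dictionary_size)


def years_to_exhaust(bits, guesses_per_second):
    """Time to try every candidate of the given entropy at a fixed rate."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    for pw in ("P@sswrd2!", "P@sswrd3!", "correcthorsebatterystaple"):
        print(pw, "->", guesses_to_crack(pw), "guesses", effective_bits(pw), "bits")
    bits = passphrase_bits(4)                         # 44 bits for 4 x 2048 words
    print("online  1e3/s:", years_to_exhaust(bits, 1e3), "years")
    print("offline 1e10/s:", years_to_exhaust(bits, 1e10) * SECONDS_PER_YEAR / 60, "minutes")
```

The attack finds "P@sswrd2!" after a few hundred guesses (roughly 9 bits of effective entropy, nowhere near the 59 bits a naive "9 characters from a 95-symbol alphabet" estimate would claim) and its incremental successor exactly one guess later, because the two differ only in which suffix rule fires. The passphrase never matches, and its 44 bits take about 557 years at 1,000 guesses per second but under half an hour at the assumed offline rate, which is why the new guidance pairs long passphrases with server-side protections rather than treating length alone as sufficient.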
"We ended up starting from scratch", he said.
"Drop the password-expiration advice and the requirement for special characters", said Paul Grassi of NIST, who worked on the rewrite.
According to Grassi, the password rules Burr wrote, which spread so widely, "actually had a negative impact on usability".