Creating a new password for an online account or app is an exercise in pure frustration. The increasingly complicated requirements are enough to make you pull your hair out, and just when you think you’ve nailed a decent login, you’ll probably be forced to change it in a month anyway. Now, Bill Burr, the man largely responsible for modern password guidelines, is coming forward to say he’s incredibly sorry for the monster he’s created.

In 2003, Burr wrote up a series of password security guidelines for the National Institute of Standards and Technology. The paper, which lives today as “NIST Special Publication 800-63 Appendix A,” is a lengthy explanation of why non-standard words with random characters, capital letters, and a sprinkling of numbers should be considered the default for digital passwords.

Burr’s stance on the entire situation has changed quite a bit since then, and in a recent interview with the Wall Street Journal he admits that he approached the issue in the wrong way. “In the end, it was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree,” the 72-year-old Burr now says. “It just drives people bananas and they don’t pick good passwords no matter what you do.”

Pushing people to secure their accounts with unique and private logins is always a good move, but the result of Burr’s writing and the subsequent adoption of the complex password systems is that most people just pick something short and memorable that satisfies the criteria, making them easy targets for brute force hacks.

“Much of what I did I now regret,” Burr says. That’s definitely something you don’t want to hear from someone who influenced the security of your online bank account and medical records.

View Comments