Guy who invented complicated passwords admits they’re bullshit

(Photo: Leon Neal/Getty Images)

If you’ve also spent an unreasonable amount of time resetting passwords because you’ve forgotten which exact string of numbers, letters, and special characters unlocks this or that account, you have Bill Burr to thank. No, not that one—the Bill Burr who once worked for the National Institute of Standards and Technology. As a midlevel manager in 2003, Burr wrote “NIST Special Publication 800-63. Appendix A,” from which virtually every company’s—tech or otherwise—password policy was crafted. In the 14 years since, online users have had to come up with increasingly complicated passwords that they’ve then had to scrap as soon as they’ve memorized them, because the recommended 90-day period had passed—all under Burr’s advisement that this was the best way to keep our info secure, since we all know not going online is hardly an option.

But, as Burr now notes, he wasn’t a security expert when he wrote that 8-page document in 2003. He tells The Wall Street Journal that his background included programming Army mainframe computers during the Vietnam War, which he wanted to apply to cybersecurity in his position at NIST. But there was actually very little research available, aside from a 20-year-old “white paper” on passwords, which is what he based his own paper on, in part. Now Burr admits that “it was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree.” “No shit,” you say. But Burr is really apologetic about that document becoming doctrine: “Much of what I did I now regret.”


Aside from getting our pound of flesh from a retired septuagenarian, there are new recommendations coming from NIST. The organization has actually started “from scratch” on new guidelines which recommend “long, easy to remember phrases” over the caret-filled gibberish you’ve been storing in a password manager. Additionally, you don’t have to start over every 90 days; you really only have to change your password if you have reason to believe it’s been stolen.

[via Gizmodo, which, like The A.V. Club, is owned by Univision Communications.]