A sincere mea culpa in IT? His password policies drove us all crazy for years. Now, he’s sorry

Click to read the new NIST standards (you probably don’t want to).

Everything you know about passwords is wrong. But then, you probably knew that.

I’ve been harping on the exercise in futility that password setting has become for some time. Most recently, I talked about password patterns — how we all use them, and how they make life easy for would-be crackers. So RoseBud1, RoseBud2, RoseBud3 actually isn’t safe, and neither is RoseBud!1, RoseBud!2, etc.

Even worse, password policies that force employees to change passwords frequently are often the direct cause of password patterns.  They force workers to come up with too many passwords, and all but the most obsessive among us are driven to use patterns in order to stay sane.

We certainly aren’t driven to use passwords that are safer. Even the password-strength checkers that many sites employ are at best useless and at worst make passwords less secure. They, too, encourage patterns, like tacking an exclamation point onto the end of an otherwise predictable word. (See “Passwords that kill” at Insedia.com.)

Well, finally, thanks to a fantastic story by Robert McMillan at the Wall Street Journal this week, frustrated password setters can all feel a bit vindicated. The rules for setting “modern” passwords are all wrong, says the man who wrote the rules about 15 years ago. Bill Burr created them for the National Institute of Standards and Technology, but don’t blame him, either. He was just using the latest research to make some suggestions. Sadly, there was no research.

“Much of what I did I now regret,” Burr told McMillan in a refreshing moment of honesty rarely seen in the tech world.

Burr had very little to go on when the rules were published in 2003, and he never claimed them as gospel.  But put rules in front of some managers and you know what you get.


Even though many of the rules were soon regarded as folly — heck the Federal Trade Commission even wrote a post saying that frequent password changes were a bad idea — rules are rules, and many people really like enforcing rules.

So it’s great that NIST has finally changed the rules. They’re much simpler, and more effective. Passwords should be long, NIST says; the longer, the harder to guess. And…that’s about it, at least as far as users are concerned. (The new rules put more burden on the authenticator, which is expected to screen each password against lists of known-breached and commonly used choices instead of forcing symbols and periodic changes on the user. That is smart. You can read more here.)

So, go change your password to something long like correcthorsebatterystaple (Don’t use THAT. Pick your own four random words.  Ok, don’t pick them yourself, find a random word generator to do it. But you get the idea, hopefully.)
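To make the two sides of that advice concrete, here is an added example (not code from the post, the WSJ story, or NIST) showing what a NIST-style verifier does on the server side and how a user-side random-word generator picks a passphrase. The word list and the breached-password set are constructed stand-ins, and the function names (`generate_passphrase`, `check_password`, `_strip_counter`) are this example's own. The checker also catches the RoseBud!1 to RoseBud!2 rotation pattern described above by comparing a candidate against the previous password with trailing digits and punctuation stripped; that extra check is this example's idea, not something NIST prescribes.

```python
import re
import secrets
import unicodedata

# Constructed word list for the example. A real generator draws from a list
# of thousands of words (a diceware list, for instance); four words from a
# list this short would be far too guessable in practice.
WORDS = [
    "correct", "horse", "battery", "staple", "anvil", "copper", "desert",
    "glacier", "lantern", "meadow", "orbit", "pepper", "quartz", "river",
    "saddle", "timber",
]

# Constructed stand-in for the breached/common-password list that NIST
# SP 800-63B says a verifier must screen against. Real deployments load a
# corpus of hundreds of millions of entries, not a handful of literals.
BREACHED = {
    "password", "123456", "12345678", "qwerty", "letmein", "iloveyou",
    "rosebud1", "welcome1",
}

MIN_LEN = 8   # SP 800-63B minimum length for user-chosen memorized secrets
MAX_LEN = 64  # SP 800-63B requires verifiers to accept at least 64 characters


def generate_passphrase(words=WORDS, count=4, sep=" "):
    """Pick `count` words with the OS CSPRNG (secrets), never random.choice."""
    return sep.join(secrets.choice(words) for _ in range(count))


def _strip_counter(pw):
    """Normalize away the rotation pattern: lowercase, then drop trailing
    digits and punctuation, so RoseBud!1 and RoseBud!2 compare equal."""
    return re.sub(r"[\W\d_]+$", "", pw.lower())


def check_password(candidate, previous=None, context=()):
    """Return the list of reasons to reject `candidate`; empty means accept.

    Deliberately applies no composition rules (no "must contain a symbol"),
    as SP 800-63B directs. `context` holds service-specific words such as
    the site name or username that should not appear inside the password.
    """
    pw = unicodedata.normalize("NFKC", candidate)  # count "é" once however it was typed
    reasons = []
    if len(pw) < MIN_LEN:
        reasons.append("too short")
    if len(pw) > MAX_LEN:
        reasons.append("too long")
    if pw.lower() in BREACHED:
        reasons.append("in breached list")
    for word in context:
        if word.lower() in pw.lower():
            reasons.append(f"contains {word}")
    base = _strip_counter(pw)
    if previous is not None and base and base == _strip_counter(previous):
        reasons.append("differs from previous only by a trailing counter")
    return reasons


if __name__ == "__main__":
    new = generate_passphrase()
    print(repr(new), check_password(new))
    for old, cand in [("RoseBud!1", "RoseBud!2"), (None, "Tr0ub4dor&3"), (None, "password")]:
        print(repr(cand), check_password(cand, previous=old))
```

Note what the checker does not do: it never complains that "correct horse battery staple" lacks a digit or a capital, and it accepts Tr0ub4dor&3 only because it is long enough and not on the constructed breach list. Throttling of guesses, which SP 800-63B also requires of the verifier, is outside this example.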

As for how often should you change your passwords?  Well, I asked a bunch of security pros that question a few years ago, and their answers will probably surprise you.


About Bob Sullivan
BOB SULLIVAN is a veteran journalist and the author of four books, including the 2008 New York Times Best-Seller, Gotcha Capitalism, and the 2010 New York Times Best Seller, Stop Getting Ripped Off! His latest, The Plateau Effect, was published in 2013, and as a paperback, called Getting Unstuck in 2014. He has won the Society of Professional Journalists prestigious Public Service award, a Peabody award, and The Consumer Federation of America Betty Furness award, and been given Consumer Action’s Consumer Excellence Award.
