Author of password rules admits his mistakes


Bill Burr apparently is the source of many current day password rules. These rules are nothing but arbitrary and annoying. Most often, they seem to encourage worse password management. Rather than people having a strong password, they need to write down passwords to keep track of nonsensical rules that force constant change. Often these passwords are stored in an unencrypted document or just written next to a computer, they can be easy pickings for someone looking to compromise a system.

The Wall Street Journal

Bill Burr's 2003 report recommended using numbers, obscure characters and capital letters and updating regularly--he regrets the error

The man who wrote the book on password management has a confession to make: He blew it.
The document became a sort of Hammurabi Code of passwords, the go-to guide for federal agencies, universities and large companies looking for a set of password-setting rules to follow.

The problem is the advice ended up largely incorrect, Mr. Burr says. Change your password every 90 days? Most people make minor changes that are easy to guess, he laments. Changing Pa55word!1 to Pa55word!2 doesn't keep the hackers at bay.

Also off the mark: demanding a letter, number, uppercase letter and special character such as an exclamation point or question mark--a finger-twisting requirement.

"Much of what I did I now regret," said Mr. Burr, 72 years old, who is now retired.

The best solution is to use password management software, such as 1Password. Even still I often find very strong passwords get rejected by automated password enforcement based on these rules, which is incredibly annoying.