The person who invented the “Password Rule” feels sorry for wasting your time

About 15 years ago, a guy who named Bill Burr invented the “Password Rule” that we’ve forced to do such as;

  • Create a password with at least too many characters. For example “Please enter at least 8 characters or more”
  • So many numbers
  • So many special characters
  • And fill with uppercase, lowercase numbers and special characters etc.

is now admitting that all of the password rules are basically useless and feel sorry for all the people who’ve been doing this for years.

Bill Burr is a former manager of National Institute of Standards and Technology (NIST). Bill Burr composed an eight-page user manual on how to create secure passwords and greatly called it as the “NIST Special Publication 800-63.Appendix A” in 2003. This turned out as the document that would go for almost dictate password requirements of all that from email accounts to login pages to your online banking portal. Bill Burr is the main reason why all of those rules are using uppercase/lowercase letters and special characters and numbers.

Bill Burr is really lack of knowledge about how does passwords work when he created the manual way back 2003 and that is the only problem that he has. He is not really a security expert. The retired 72-years old administrator wants to sincerely apologize now for what he has done.

Recently, Bill Burr said to The Wall Street Journal “Much of what I did I now regret,”; also he added “In the end, all the list of guidelines was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree.” as he admitting that his researches about passwords have mostly come from a whitepaper that was written on the 1980’s before the web was created.

Bill Burr was truly mistaken. Basic math presents that a shorter password with absurd characters is much effortless to crack than a lengthy string of easy-to-remember words.  A silly string of random characters would take almost three days while this classic XKCD comic demonstrates how four basic words create a passphrase that would take a computer 550 years to know. That is the reason why NIST’s current guidelines strongly recommends that users must learn to create long passphrase rather than meaningless words like the ones Bill thought were secure.

I’m sure you’re wondering if Bill Burr feels so regretful and embarrassed at the same time for what he have done but he’s not the only one who’s in fault in here. There was a mini research into passwords and information security 15 years ago. He’s not the only one to come-up with some distressing ideas in the primitive days of web. Do you remember the inventor of pop-ads, the curse of the mid-aught internet? He feels sorry too. And also do you remember the inventor of the complicated useless double slash in the web addresses and the web itself?  Tim Berners-Lee feels sorry too.

Generally, technology is practicing a trial and error. The reward that you deserve is given if you get something right, like Jeff Bezos or Mark Zuckerberg have done. However, if you screw up and waste years of internet innocent users’ time in the progress, like Bill Burr did, you have to apologize years later.