ImageGETTY IMAGESImageMuch of the advice given 16 years ago has proven to be problematic
The author of an influential guide to computer passwords says he now regrets several of the tips he gave.
Bill Burr had advised users to change their password every 90 days and to muddle up words by adding capital letters, numbers and symbols – so, for example, “protected” might become “pr0t3cT3d4!”.
The problem, he believes, is that the theory came unstuck in practice.
Mr Burr now acknowledges that his 2003 manual was “barking up the wrong tree”.
He disclosed his views in an interview with the Wall Street Journal.
Current guidelines no longer suggest passwords should be frequently changed, because people tend to respond by making only small alterations to their existing passwords – for example, changing “monkey1” into “monkey2”- which are relatively easy to deduce.
Furthermore, it has been demonstrated that it takes longer for computers to crack a random mix of words – such as “pig coffee wandered black” – than it does for them to guess a word with easy-to-remember substitutions – such as “br0k3n!”.
Mr Burr’s original advice was distributed by the US government’s National Institute of Standards and Technology.
It has since been amended several times, with the most recent edition being released in June.
“Anything published under the Nist banner tends to be influential, so these guidelines have had a long lasting impact,” said Prof Alan Woodward, from the University of Surrey.
“But we’ve known for some considerable time that these guidelines actually had a rather unfortunate effect.
“For example, the more often you ask someone to change their password, the weaker the passwords they typically choose.
“And, as we have all now so many online accounts, the situation is compounded so it encourages behaviours such as password reuse across systems.”
Britain’s National Cyber Security Centre issued its own guidance on the matter in 2015.
It recommended that organisations abandoned a policy of pushing their users into regular password resets, and that they should support the use of password managers – programs that securely store hundreds of different logins, avoiding the need to memorise each one.
“It’s good that password advice is now being updated to be based on evidence,” said Dr Steven Murdoch, from University College London.
“But there is still traditional advice in other areas of computer security being perpetuated despite us knowing it won’t work.
“We need research to tell us what security advice will actually improve the situation, and for the government and companies to pay attention to results.”