Why Your ‘Strong’ Password Isn’t That Strong
While working for the National Institute of Standards and Technology in 2003, Bill Burr wrote “NIST Special Publication 800-63. Appendix A” — a document that included the widely adopted recommendation that strong passwords should include a range of characters and should be changed every 90 days.
“Much of what I did I now regret,” Burr, 72, told the Wall Street Journal in a recent interview, adding that the recommendation made for complicated passwords.
“It just drives people bananas and they don’t pick good passwords no matter what you do,” he said.
A rewrite of “Special Publication 800-63” in June changed the guidelines. It now suggests that users create passwords from long, easy-to-remember phrases and that they should not be forced to change their passwords as frequently. Some studies have shown that passwords that include four words can be harder to crack than a smaller combination of characters, the Journal reported.