As It Happens

Man who made passwords hard to remember regrets rules that 'drive people crazy'

Bill Burr is the reason most companies make you put numbers and weird characters in your passwords and change them every few months — and he's very, very sorry.
IT expert Bill Burr wrote the guidelines around passwords that have become standard policy in the tech world. (Bill Burr)
Listen6:05

Story transcript

Bill Burr is the reason most companies make you put numbers and punctuation marks in your passwords and change them every few months — and he's very, very sorry.

"The effect of the advice that I gave on passwords ... it wasn't what I had intended, and it tends to drive people crazy," Burr, 72, told As It Happens guest host Rosemary Barton.

"But on the other hand, I'm not the only one giving that kind of advice, so I don't deserve the entire blame for this."

About 15 years ago, Burr wrote information security guidelines for the U.S. National Institute of Standards and Technology. His section on passwords included instructions to fill them with numbers and characters and change them every three months.

The amount of pain it causes is not commensurate with the overall value of it.- Bill Burr, IT expert 

Those guidelines have since been updated, but Burr's advice has spread over the last decade and become almost ubiquitous.

Many companies, including CBC, ask employees to change their passwords at regular intervals, and most websites won't let you sign up without including at least a capital letter and a number in your password.

Do all those numbers and punctuation marks in your passwords actually make them stronger? The man who first recommended putting them there is not so sure. (CBC)

But Burr said he never wrote those rules with regular people in mind. They were meant for security administrators.

"In any event, people wound up with a bunch of fairly complicated rules as a result of that, and relatively short password change intervals in their systems, and I say the net result is to drive people crazy and to get them to do dumb things, which don't improve their security at all," he said.

Dumb things like making your password "password1," then changing it to "password2," followed by "password3," and so on.

"Those things are pretty predictable and I probably should have anticipated, because that's what I've wound up doing, actually, in some cases," he said with a laugh. 

The rules of passwords have become more trouble than they're worth, says the man largely responsible for inventing them. (Kacper Pempel/Reuters)

Meanwhile, as people juggle dozens of complicated and ever-changing passwords, hackers have found more sophisticated methods of accessing them. 

People use phishing schemes and other tricks to get passwords, or they install keyboard loggers on computer systems and steal them. Sometimes, hackers use powerful computers to target systems and steal massive password files. 

"The amount of pain it causes is not commensurate with the overall value of it, which is not as great as you might think, because there are so many ways of attacking passwords that have come to the forefront now where it doesn't matter how good the password is," Burr said. 

So what does Burr recommend in this era, where passwords have become untenable, but cybersecurity is more important than ever?

"Pick a reasonable password and use two-step authentication for things that really matter a lot. For things that don't matter so much, maybe not," he said. 
If hackers want to steal your passwords, they have more sophisticated methods than just guessing. (Sean Kilpatrick/Canadian Press)

Burr said he prefers phrases from literature. They're easier to remember, and if he forgets, he can look them up. 

"There's no perfect answer here. Passwords, we're stuck with them," Burr said. "You have to find something that works for you, and different things work for different people."

Comments

To encourage thoughtful and respectful conversations, first and last names will appear with each submission to CBC/Radio-Canada's online communities (except in children and youth-oriented communities). Pseudonyms will no longer be permitted.

By submitting a comment, you accept that CBC has the right to reproduce and publish that comment in whole or in part, in any manner CBC chooses. Please note that CBC does not endorse the opinions expressed in comments. Comments on this story are moderated according to our Submission Guidelines. Comments are welcome while open. We reserve the right to close comments at any time.