Report: Widely Adopted 'Password Rules' May Actually Backfire

John Lister's picture

The man behind some of the most commonly held advice on creating passwords says he was wrong on several points. Bill Burr says the real problem with his tips was that they led to predictable behavior.

Burr's advice came in a short 2003 document produced by the National Institute of Standards and Technology. Because of the institute's prestige, the advice was widely adopted and cited, with both employers and sites often insisting that passwords meet the guidelines.

Mix of Characters Hard to Remember

One part of the advice was to use a mix of capital letters, lower case letters, numbers and symbols rather than just ordinary letters. The logic behind that was that this would mean more possible passwords, making them harder to guess.

To some extent this was correct: the advice meant people didn't just use single words that allowed a relatively quick automated attack that simply tried every word in the dictionary. Instead such 'brute force' attacks meant trying every possible combination of characters, a longer process.

The problem with that advice is that such passwords are harder to remember, meaning people prefer shorter passwords. However, password length arguably has more of an effect than adding in symbols and numbers. That's because even if you simply make a password one letter longer, it makes the number of possible combinations - and in turn the time to crack it - 26 times bigger.

Regular Changes a Mixed Blessing

Burr's other point of regret is that he advised users to change their passwords every 90 days. That certainly had some merit as it reduced the risk that a stolen or leaked password would still be valid when a hacker came to use it.

The problem is that regular changes made it even harder for people to remember passwords, pushing them to fall back on predictable phrases or making only minor changes to their password to satisfy the requirements of their employer's system.

To be fair, one of the reasons his advice has dated is that people today have many more passwords to remember than was the case 14 years ago. That makes it virtually impossible to remember passwords for every site while still following the guidelines about using numbers and symbols, let alone changing them regularly.

That's why many people today use password vaults which generate long and unpredictable passwords that the user doesn't need to remember. Many users also take a hybrid approach, using lengthy but memorable passwords for their most important and sensitive accounts and then using generated passwords or variations on a common phrase for other sites.

What's Your Opinion?

Do you believe Burr's original advice is still valid or relevant? What password guidelines do you follow yourself? Is the concept of a password outdated today?



Dennis Faas's picture

There is no way to remember unique passwords for all the sites I visit (as noted in the above article), which is why I use my fingerprint reader and Roboform to log in to websites. Its password generator gives me passwords like this: S^NbxNc0Q%Dq$VpD, which make it near impossible to crack using a bot, plus if one of my passwords is compromised, the rest are safe.

scowei's picture

Over time, I have made my logins more and more secure. The big move was to LastPass and over time, my hundreds of passwords are all unique, as with the one you cite. Works on mobile too, albeit with some pain in the butt factor. But worth it.

Any site that allows 2-factor, I sign up for that. (LastPass itself does).

Finally, I froze access to all of my credit agencies to limit the financial damage should a breach occur.

Not sure about the fingerprint thing. As of now, I feel like I'm secure outrunning a friend if a bear is chasing you, hopefully hackers would move on to an easier target.

jimain's picture

Before password management apps, I developed an encrypted spreadsheet that provides passwords, PINs, website addresses, renewal dates, and other relevant info. Up to 708 entries now, in Excel 2016 grown up from 1997 version. I use it 3 or 4 times a day, painlessly on my desktop and occasionally in the cloud. With that many passwords, I've been thru the pain of creating names while meeting website criteria. Advice: determine your criteria and implement them.

nate04pa's picture

I have been using a password program that generates random passwords and stores them in an encrypted file. I began with a length of 12 characters but have raised it to 14.

A bigger problem is sites that do not specify their password rules. Some sites don't accept "special characters". Others accept some but not all of these characters. Some require certain classes of characters.

If we just use upper case letters, lower case letters, and digits, that yields 62 possibilities for each character in the password. A 14-character password would have 62 raised to the 14th power possibilities. This is a very large number.

A much better scheme would be to allow for only a very small number of log in attempts before locking out whoever is trying to access the site. Up until the 2017 tax season, the tax software used by VITA and AARP volunteers allowed 3 log in attempts. If the correct password was not entered after 3 attempts, you were locked out until the site administrator unlocked the site and you had to use a new password. This kind of system would defeat any brute force attempt with even a relatively short password.

keffdoak2's picture

Which of the following two passwords is stronger,
more secure, and more difficult to crack?



The first one. Same search depth, but longer.

jimain's picture

Very clever!

keffdoak2's picture

The master password I use for LastPass is easy to remember, but the number of all possible passwords with this alphabet size and up to this password's length is 44,480,886,725,444,405,624,219,204,517,120

In a Massive Cracking Array Scenario:
(Assuming one hundred trillion guesses per second)
It would take 1.41 hundred million centuries to try every possibility.
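
The search-space arithmetic behind the article's length-versus-symbols point and the figures in the comments above, as an added example (not code from the article or from any commenter). The function names, the two sample passwords and the 4-digit PIN are constructed here; every figure assumes each character is chosen uniformly at random, which human-chosen passwords are not, so for those the numbers are upper bounds.

```python
import string

# Printable-ASCII character classes: 26 + 26 + 10 + 33 = 95 symbols in total.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation + " ")
SECONDS_PER_CENTURY = 100 * 365.25 * 24 * 3600


def alphabet_size(password: str) -> int:
    """Alphabet an exhaustive search must cover: sum of the classes in use."""
    return sum(len(c) for c in CLASSES if any(ch in c for ch in password))


def search_space(alphabet: int, length: int, up_to: bool = True) -> int:
    """Candidates of length 1..length (up_to) or of exactly `length`."""
    if not up_to:
        return alphabet ** length
    return sum(alphabet ** k for k in range(1, length + 1))


def centuries_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case offline time to try every candidate."""
    return space / guesses_per_second / SECONDS_PER_CENTURY


def lockout_hit_probability(space: int, attempts: int) -> float:
    """Chance that `attempts` distinct online guesses hit a random password."""
    return min(1.0, attempts / space)


if __name__ == "__main__":
    # Constructed samples: 8 mixed-class characters vs 12 lowercase letters.
    for pw in ("aB3$xY7!", "qwmzorplxkvn"):
        n = alphabet_size(pw)
        print(pw, n, len(pw), search_space(n, len(pw), up_to=False))
    # One more lowercase letter multiplies the exact-length space by 26.
    print(search_space(26, 9, up_to=False) // search_space(26, 8, up_to=False))
    # 95 symbols, lengths 1..16, at one hundred trillion guesses per second.
    big = search_space(95, 16)
    print(big, f"{centuries_to_exhaust(big, 1e14):.3g} centuries")
    # Three tries before lockout against a random 4-digit PIN (10**4 values).
    print(lockout_hit_probability(10 ** 4, 3))
```

With a 95-symbol alphabet and lengths 1 through 16, `search_space` returns the count quoted in the comment above, and `centuries_to_exhaust` at one hundred trillion guesses per second gives about 1.41 hundred million centuries. The 12-letter lowercase sample has a larger exact-length space than the 8-character mixed sample, which is the article's point about length.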

JeffRL's picture

Call me paranoid if you want, but I prefer the label "cautious". I don't trust password managers. Do we know they can never be hacked? If the director of the CIA can have his e-mail account hacked, what chance does a password manager have? Do we know if they phone home with a list of our passwords? We learned a couple of weeks ago that Roombas send the floor plans of your home or office back to the company.

I have a handwritten list of my various accounts and their usernames and passwords. It's *far* less likely that someone will break into my home and find the list than any of my accounts could be compromised online in some way, so I'm willing to take that chance.

Some passwords are more important than others. No offence, but my bank account is more important to me than my account on here. I have a simple, easy-to-remember password for accounts like this. The ones for my bank, e-mail, and such are more complex and I change them now and then, too.

swreynolds's picture

I don't think that complexity slows down a cracking program. I also don't think that passwords are broken by guessing (except for iterative guessing). The most effective passwords are the longest. You could make a long password out of a sentence and it wouldn't be broken in a reasonable amount of time. My acupuncturist's password is "Rover is a wonderful dog." It won't be broken by anything but a keylogger, as would any other password.

cmdrbozo's picture

Want to use a password manager, but thinking that the site might be hacked some time? Just store incomplete passwords, missing the last (or first) two (or three or four) characters that are always the same, and that you add manually.

dan400man's picture

I'm not that worried about a password manager that stays on my PC, including the database. (I use KeePass2, which is full-featured and open source.) However, I am extremely wary of putting that password database on my phone and whether malware can access it when it is opened, unencrypted for the legitimate app to use.

So, I thought the same thing as Cmdr. Bozo. Store the complicated password with something truncated at the beginning or end, then manually key in the truncated characters when it is pasted in a form's password field. The truncated characters could either be identical for every password in the database (i.e., your initials), or it might be a pattern in the database's stored password (i.e., the 1st, 3rd, and 5th characters in the stored password).