Man who made passwords hard to remember regrets rules that 'drive people crazy'
Bill Burr is the reason most companies make you put numbers and punctuation marks in your passwords and change them every few months — and he's very, very sorry.
"The effect of the advice that I gave on passwords ... it wasn't what I had intended, and it tends to drive people crazy," Burr, 72, told As It Happens guest host Rosemary Barton.
"But on the other hand, I'm not the only one giving that kind of advice, so I don't deserve the entire blame for this."
About 15 years ago, Burr wrote information security guidelines for the U.S. National Institute of Standards and Technology. His section on passwords included instructions to fill them with numbers and characters and change them every three months.
Those guidelines have since been updated, but Burr's advice has spread over the last decade and become almost ubiquitous.
Many companies, including CBC, ask employees to change their passwords at regular intervals, and most websites won't let you sign up without including at least a capital letter and a number in your password.
But Burr said he never wrote those rules with regular people in mind. They were meant for security administrators.
"In any event, people wound up with a bunch of fairly complicated rules as a result of that, and relatively short password change intervals in their systems, and I say the net result is to drive people crazy and to get them to do dumb things, which don't improve their security at all," he said.
Dumb things like making your password "password1," then changing it to "password2," followed by "password3," and so on.
"Those things are pretty predictable and I probably should have anticipated, because that's what I've wound up doing, actually, in some cases," he said with a laugh.
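The failure mode Burr describes is easy to check for on the server side. The following is an added example, not code from the article or from NIST: a password-change check that rejects the "password1" to "password2" pattern, applies a length floor and a breached-password blocklist, and imposes no composition rules. It reflects the direction of NIST's 2017 revision of the guidance (SP 800-63B), which drops mandatory complexity and periodic rotation in favour of length and blocklist screening; the 12-character minimum and the tiny blocklist here are assumed, constructed values for illustration.

```python
import re

# Constructed sample blocklist standing in for a real breached-password list.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein"}

MIN_LENGTH = 12  # assumed local policy; SP 800-63B's floor is 8 characters


def _core(pw: str) -> str:
    """Strip leading/trailing digits and punctuation and lowercase.

    'Password2!' and 'password1' both reduce to 'password', which is what
    makes incremented passwords recognisable as the same secret.
    """
    return re.sub(r"^[\W\d_]+|[\W\d_]+$", "", pw).lower()


def is_trivial_variant(old: str, new: str) -> bool:
    """True when `new` is a predictable tweak of `old`.

    Catches: case changes, bumping a trailing counter or year
    (Summer2023 -> Summer2024), and appending/prepending a few characters.
    """
    o, n = old.lower(), new.lower()
    if o == n:
        return True
    co, cn = _core(old), _core(new)
    if co and cn and co == cn:
        return True
    # One password is simply the other with something tacked on either end.
    if co and cn and (o in n or n in o):
        return True
    return False


def check_password_change(old: str, new: str) -> list:
    """Return the list of reasons a proposed new password is rejected.

    An empty list means the change is acceptable.
    """
    reasons = []
    if len(new) < MIN_LENGTH:
        reasons.append(f"too short (minimum {MIN_LENGTH} characters)")
    if new.lower() in COMMON_PASSWORDS:
        reasons.append("appears in the breached-password list")
    if is_trivial_variant(old, new):
        reasons.append("predictable variant of the previous password")
    return reasons


if __name__ == "__main__":
    # Constructed inputs: the pattern Burr describes, then a literary passphrase.
    for old, new in [("password1", "password2"),
                     ("Summer2023", "Summer2024"),
                     ("password1", "correct horse battery staple")]:
        print(f"{old!r} -> {new!r}: {check_password_change(old, new) or 'OK'}")
```

The check only sees the old password in clear at change time (the user supplies both), so no reversible storage of secrets is needed; a quoted phrase from a book, as Burr suggests, passes because it is long and is not a tweak of what came before.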
Meanwhile, as people juggle dozens of complicated and ever-changing passwords, hackers have found more sophisticated methods of accessing them.
People use phishing schemes and other tricks to get passwords, or they install keyboard loggers on computer systems and steal them. Sometimes, hackers use powerful computers to target systems and steal massive password files.
"The amount of pain it causes is not commensurate with the overall value of it, which is not as great as you might think, because there are so many ways of attacking passwords that have come to the forefront now where it doesn't matter how good the password is," Burr said.
So what does Burr recommend in this era, where passwords have become untenable, but cybersecurity is more important than ever?
Burr said he prefers phrases from literature. They're easier to remember, and if he forgets, he can look them up.
"There's no perfect answer here. Passwords, we're stuck with them," Burr said. "You have to find something that works for you, and different things work for different people."