The man who wrote those password rules has a new tip: N3v$r M1^d!

“The man who wrote the book on password management has a confession to make: He blew it,” Robert McMillan reports for The Wall Street Journal.

“Back in 2003, as a midlevel manager at the National Institute of Standards and Technology, Bill Burr was the author of ‘NIST Special Publication 800-63. Appendix A.’ The 8-page primer advised people to protect their accounts by inventing awkward new words rife with obscure characters, capital letters and numbers—and to change them regularly,” McMillan reports. “The document became a sort of Hammurabi Code of passwords, the go-to guide for federal agencies, universities and large companies looking for a set of password-setting rules to follow.”

“The problem is the advice ended up largely incorrect, Mr. Burr says. Change your password every 90 days? Most people make minor changes that are easy to guess, he laments. Changing Pa55word!1 to Pa55word!2 doesn’t keep the hackers at bay,” McMillan reports. “Also off the mark: demanding a letter, number, uppercase letter and special character such as an exclamation point or question mark—a finger-twisting requirement. ‘Much of what I did I now regret,’ said Mr. Burr, 72 years old, who is now retired.”

McMillan reports, “In June, Special Publication 800-63 got a thorough rewrite, jettisoning the worst of these password commandments.”

Read more in the full article here.

MacDailyNews Note: The National Institute of Standards and Technology revised Special Publication 800-63 can be found here.

Always use unique passwords and use Apple’s Keychain Access and iCloud Keychain to create and manage them. For those of us who are smartly all-Apple, it works like a dream.


  1. Yes! Appreciate the mea culpa. The forced 90 day change is maddening and self defeating. If you use a really good password you should not need to change it very often.

    I find that taking the first letter of words used in a phase or sentence I make up that is unique to me is most effective. Sometimes I’ll use a foreign language. For example (and I liberated this phrase from the new guidelines), “On the internet, nobody knows you’re a dog” becomes “otinkyad”. No weird characters and no caps needed. Yet it is reasonably effective as it is hard to guess.

  2. One difficulty that we often face is having to devise passwords to suit the requirements of the particular web site that we’re using. Some leave it entirely up to you, while others demand six or eight characters, sometimes including upper case, lower case and numeric characters. For many of us, the only practical solution is a password manager, but that too has it’s drawbacks.

  3. What a quandary. Strong passwords are great, except everybody forgets them, so they write them down on paper or have to continually reset them costing time and money. I guess it is still better than weak ones….

  4. Pick an unexpected word and M@k3_iT a little funky. Pretty fool proof in my book. They have to guess the word AND how you changed it, to which there might be thousands of possibilities . . . . start with something unpredictable and I think you’re in good shape if you tweak it.

    1. Some of my past favorites:

      Yeah, I’m not impressed with places that want me to change it every 30-90 days. So I make the best of it. 🙂

    1. @mikepl:

      Yes, you’ve got it right. When it comes to passwords, size matters! Password hacking attempts always begin with the website’s or app’s minimum character length and scale up the number of characters from that point.

      The ridiculous requirements of capital letters, special characters, etc. is a stupid approach, and I have been saying this for years to everyone — including my employer.

      Option 1: let us use passphrases such as “yesterday all my troubles seemed so far away” would be quick to type, difficult to guess, hard to forget, and require a long time to ascertain via a brute force attack as it’s 44 characters in length (including spaces, excluding the quotation marks).

      Option 2: let us use compounded passwords. Say your dog was born in 2010 and his name is Snoop. Use this info to create “snoop2010snoop2010”, which is 18 characters in length. Even this password would be better than “kx9Ztg15”, which has only 8 characters yet most humans would undoubtedly forget — and then have to reset to another equally idiotic and hard to remember password.

      Option 3: expand the use of Touch ID. This technology works so well for things such as unlocking your iPhone and making Apple-related purchases, as well as other services like Bank of America’s iOS app.

      If only those who set password policies at companies would pay attention…

  5. And how, precisely, does the general public’s inability to stay on top of their security reflect in any way on what was proposed? Weak. The fact of the matter is, the vast majority of people are not technophiles, and no matter how much noise Silicon Valley pundits make, they never will be. They are just going to have to deal. It would be great if most services actually considered their users first instead of a million ways to cover their own asses. The average TOS is basically the same abdication of responsibility for anything and everything. They do not have my sympathy.

    1. A few years ago, however, I counted at least seventeen different logins involving different rules (lengths, special characters or not, and differing refresh intervals). And that was just at work!

      That is a stupid way to handle computer security. Even now, years later, the progress towards a standard login using two-factor authentication is slow.

    1. 1. Fact: That is a password that very humans would be able to remember.
      2. Fact: If your app was not working for some technical reason (say the new version has a bug), would you really want to type that mess of a password exactly?
      3. Fact: 1Password has previously been breached.

      The executive summary is therefore:
      1. FAIL
      2. FAIL
      3. FAIL

  6. Can’t STAND being required to change a password every 90 days. No one is going crack the 20+ character gibberish I use, and if the pw is stolen, changing it even a week from now won’t help; the damage will have already occurred.

  7. It’s OK NIST! I ignored you anyway. I already knew #MyStupidGovernment was particularly stupid when it came to computer security.

    Reference: The Chinese hacking of US government systems from 1998 until 2007 without admission or acknowledgement.

    Oh and the 2015 thorough PWNing of the US Office of Personnel Management, again by China, to the tune of an estimated 21.5 million citizen records stolen, including the records and fingerprints of 4.2 million current and former federal employees.


  8. At work we used to be required to change our passwords every 30 days (later changed to 90 days, then I retired so I have no idea what it is now). I had a post-it note on the edge of my monitor with ONE LETTER written on it… actually several letters but all crossed out except the last one.

    From that one letter I could easily generate my password. So could anyone else who knew what system I used (which was nobody). But without that knowledge, what was effectively a one-letter public password was just as secure as most other people’s passwords.

    The worst I’ve seen was a site that took all the old NIST guidelines… inverted. Had to be all lower case, had a short maximum length, no special characters, no spaces… all done, the site assured us, in the name of security.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.