The Man Who Wrote Password Rules Now Has a New Tip: N3v$r M1^d!

Bill Burr, the author of an influential guide to computer passwords, now says he regrets advising users to change their passwords every 90 days and to combine capital letters, numbers and symbols to create a strong password. He believes the problem is that his theory became “unstuck” in practice. Current guidelines no longer suggest passwords should be frequently changed, because people tend to respond by making minor alterations to their existing passwords — for example, changing “monkey1” to “monkey2” — which are relatively easy to figure out. Furthermore, it has been determined that it takes longer for computers to crack a random mix of words — such as “pig coffee wandered black” — than it does for them to guess a word with easy-to-remember substitutions, such as “br0k3n.” In the end, Burr’s advice some 20 years later is to create passwords that are unexplainable phrases, full of randomness, that are easy to commit to memory and yet almost impossible for an automated system to make sense of.
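
The weaknesses described above can be checked when a user changes a password. The following is an added example, not taken from the article or from any published guideline: the function names, the four-word sample dictionary and the 7776-word list size are assumptions made for illustration.

```python
import math
import re

# Constructed stand-in for a cracking dictionary; a real deployment would load
# a large list of common and breached passwords.
COMMON_WORDS = {"monkey", "broken", "password", "dragon"}

# Common character substitutions mapped back to the letters they replace.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "$": "s", "@": "a", "!": "i"})


def base_word(password: str) -> str:
    """Reduce a password to the word a guessing tool would start from."""
    # Drop a trailing counter or symbols first, so "monkey1" becomes "monkey".
    stripped = re.sub(r"[\d\W_]+$", "", password.lower())
    # Then undo in-word substitutions, so "br0k3n" becomes "broken".
    return stripped.translate(LEET)


def screen_change(old: str, new: str) -> list[str]:
    """Return the reasons a proposed new password should be rejected."""
    findings = []
    if base_word(old) == base_word(new):
        findings.append("minor alteration of previous password")
    if base_word(new) in COMMON_WORDS:
        findings.append("dictionary word with predictable substitutions")
    return findings


def passphrase_bits(words: int, wordlist_size: int = 7776) -> float:
    """Entropy in bits of `words` words drawn uniformly at random from a list.

    7776 is the size of a Diceware-style list (assumption; the article names
    no list). The figure only holds when the words are picked at random.
    """
    return words * math.log2(wordlist_size)


if __name__ == "__main__":
    print(screen_change("monkey1", "monkey2"))
    print(screen_change("monkey1", "br0k3n"))
    print(screen_change("monkey1", "pig coffee wandered black"))
    print(round(passphrase_bits(4), 1))
```

The old password is available for comparison only at change time, when the user submits it alongside the new one; stored hashes cannot be compared this way.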