Bill Burr, the man credited with writing the password rules that became near-universal, has admitted that the advice he gave 14 years ago might be wrong.
Burr published password guidance back in 2003, during his time with the National Institute of Standards and Technology (NIST), stating that passwords should be a complex combination of letters, digits and symbols, and be changed every 90 days.
The passwords, he suggested, could include all three by substituting symbols and digits for letters. For example, 'password' could become 'pa$$w0rd'.
Despite his manual often being referred to as 'the password bible', Burr has now suggested in an interview with The Wall Street Journal that his advice may have been wrong.
"Much of what I did I now regret," he said. "It just drives people bananas and they don't pick good passwords no matter what you do."
Part of the problem, Burr explained, is that when people are made to change their password every 90 days they often just alter one character, which is relatively easy for hackers to work out.
Change of plan
Burr is not alone in having a change of heart.
Current password guidelines suggest using longer passwords made up of four or more words, or phrases familiar to the user, which are harder to crack than shorter combinations of letters, numbers and symbols.
The UK's National Cyber Security Centre (NCSC) last year endorsed a simplified password approach, advising that passwords should not be randomly generated by an employer for its end users and should not be changed regularly without reason.
NCSC guidance explains that, while changing passwords to a new random combination of words is manageable for users in the short term, they will quickly run out of ideas and revert to something familiar and less secure, or will simply change one character of the password.
Carl Gottlieb, boss at security consultancy Cognition, told CRN that cybersecurity specialists have been encouraged by the NCSC breaking away from traditional password protocols.
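The one-character change the NCSC describes is something a password-change handler can detect, because at change time the user supplies both the old and the new password in clear. The following is an added example, not code from the article, the NCSC or any of the vendors quoted; it rejects a new password that is the old one with a different suffix, the old one reversed, or within two edits of it. The edit threshold, the suffix pattern and the sample passwords are all assumptions made for illustration.

```python
import re

# Strips a trailing run of digits and common symbols, so that
# "Summer2017!" and "Summer2018!" both reduce to the core "summer".
_TRAILING_JUNK = re.compile(r"[0-9!@#$%^&*.,_-]+$")


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def core(password: str) -> str:
    """Case-folded password with any trailing digit/symbol suffix removed."""
    return _TRAILING_JUNK.sub("", password.casefold())


def is_trivial_variant(old: str, new: str, max_edits: int = 2) -> bool:
    """True when `new` is a cosmetic edit of `old`: the same string up to
    case, the old password reversed, at most `max_edits` character changes
    (assumed threshold), or the same word with a different suffix."""
    o, n = old.casefold(), new.casefold()
    if o == n or o == n[::-1]:
        return True
    if levenshtein(o, n) <= max_edits:
        return True
    old_core = core(o)
    return bool(old_core) and old_core == core(n)


def check_password_change(old: str, new: str) -> tuple:
    """Accept or reject a proposed change; returns (accepted, reason)."""
    if is_trivial_variant(old, new):
        return False, "new password is a trivial variant of the old one"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample changes of the kind the NCSC guidance describes.
    for old, new in [("Summer2017!", "Summer2018!"),
                     ("Welcome1", "Welcome2"),
                     ("password", "pa$$word"),
                     ("Welcome1", "correct horse battery staple")]:
        print(f"{old!r} -> {new!r}: {check_password_change(old, new)}")
```

The check only works at the moment of change, when the old password is available in clear; it cannot be run retrospectively against stored hashes, which is one more reason the guidance above prefers not forcing the change in the first place.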
"People have started to say ‘look you're making passwords too difficult'," he said. "When the NCSC came out with their updated advice everyone was really pleased to hear them say that because it's real-world and practical.
"If you talk to most people they're still surprised to hear you say 'don't use complex passwords and don't change them that often', because it feels instinctively right to do that.
"If you try and think what the value of changing your password regularly is, it's hard to find the rationale for why it was the advice. If you think it's so that someone who gains access to your computer can only have it for a month, they'll just change the password. It just doesn't really stack up."
Gottlieb said password management software is becoming a more common way of keeping passwords secure. This method is endorsed by the NCSC.
He added, however, that the cybersecurity industry can itself be guilty of overcomplicating password security - arguing that a method as simple as having a logbook of passwords, kept in a secure place, can be as effective as any other method in certain situations.
"If someone is going to steal your passwords, how are they going to do it?" he said.
"It might be from a key logger, it might be via email, it might be phishing… is it going to be by breaking into your house and looking at a piece of paper on your desk?
"If you think about the real risk around passwords, perhaps it is someone getting the one password you use for everything.
"If you have a different password for every website and you write them down in a log book then you don't have to worry about any complicated password management software. You just keep the log book safe at home."
The advice not to change passwords regularly was also endorsed by Microsoft last year after the vendor released a 19-page advisory document to IT administrators and users.
Microsoft said that users should also not be forced to meet character-composition requirements (for example having to include one number and one symbol in a password) because users will typically fall into recognisable patterns (substituting an ‘s' for ‘$' and adding a '1' to a password, for example).
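The reason the 'pa$$w0rd' substitution mentioned earlier, and the '$' and trailing '1' patterns Microsoft describes, add so little is that rule-based cracking tools enumerate exactly those patterns. The following is an added example, not code from the article or from Microsoft, NIST or the NCSC: a tiny rule-based candidate generator that finds such passwords within a few hundred guesses of a one-word list, and an entropy comparison against the four-random-words approach the current guidance recommends. The rule set, the suffix list, the six-word base list and the 7776-word list size (the size of a Diceware-style list) are all assumptions chosen for illustration; a real attack uses far larger rule sets and wordlists of leaked passwords.

```python
import itertools
import math

# Assumed mangling rules: the substitutions and suffixes the article says
# users fall into. A real cracking rule set is far larger than this.
LEET = {"a": "@4", "e": "3", "i": "1!", "o": "0", "s": "$5", "t": "7"}
SUFFIXES = ["", "1", "123", "!", "1!", "2017", "2017!"]

# Constructed base wordlist; an attacker uses millions of leaked passwords.
WORDLIST = ["password", "welcome", "summer", "letmein", "monkey", "dragon"]


def leet_variants(word):
    """Every combination of substituting zero or more mapped letters."""
    options = [[c] + list(LEET.get(c, "")) for c in word]
    for combo in itertools.product(*options):
        yield "".join(combo)


def case_variants(word):
    yield word
    yield word.capitalize()
    yield word.upper()


def candidates(wordlist):
    """Generate guesses in the order a rule-based cracker might try them."""
    seen = set()
    for base in wordlist:
        for leet in leet_variants(base.lower()):
            for cased in case_variants(leet):
                for suffix in SUFFIXES:
                    guess = cased + suffix
                    if guess not in seen:
                        seen.add(guess)
                        yield guess


def guess_index(target, wordlist):
    """1-based position at which `target` is generated, or None."""
    for i, guess in enumerate(candidates(wordlist), 1):
        if guess == target:
            return i
    return None


def total_candidates(wordlist):
    return sum(1 for _ in candidates(wordlist))


def search_bits(n_candidates):
    """Effective strength of a password that falls inside a candidate set."""
    return math.log2(n_candidates)


def brute_force_bits(length=8, alphabet=95):
    """Nominal strength of a random password over printable ASCII."""
    return length * math.log2(alphabet)


def passphrase_bits(words=4, list_size=7776):
    """Strength of `words` words chosen at random from a list;
    7776 is the size of a Diceware-style list (an assumption here)."""
    return words * math.log2(list_size)


if __name__ == "__main__":
    n = total_candidates(WORDLIST)
    for pw in ["pa$$w0rd", "Password1", "P@ssw0rd!", "Summer2017!", "m0nk3y123"]:
        print(f"{pw:12s} found at guess {guess_index(pw, WORDLIST)} of {n}")
    print(f"rule-based search space : {search_bits(n):5.1f} bits")
    print(f"random 8-char printable : {brute_force_bits():5.1f} bits")
    print(f"4 random Diceware words : {passphrase_bits():5.1f} bits")
```

The point the numbers make is the gap between nominal and effective strength: an eight-character password drawn at random from printable ASCII would sit in a space of about 52 bits, comparable to four random words, but a human-chosen 'complex' password is found inside a candidate set of a few thousand guesses, which is around 13 bits.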
The document also suggested using two-factor authentication, where a code is sent to the user's device to ensure it is them trying to log in to an account, not a hacker.
Online safety group Get Safe Online recommends passwords made up of at least three random words, with the use of upper and lower case letters left to the user's discretion.
It also discouraged users from picking passwords easily connected to them, for example their mother's maiden name.
The advice above is starkly different to that given at the turn of the Millennium. A Google search for 'password best practices' returns a Symantec article as the second-placed search result.
The article was published in 2002 and alludes to a time when "cracking codes seems like science fiction", recommending that passwords include "no dictionary words, proper nouns or foreign words".
It goes on to dish out tips such as "users should avoid using conventional words as passwords" and "avoid regular words with numbers tacked onto the end", before recommending a complex list of character sets from which at least one character should be "included in every password".
The character sets it recommended selecting from were: upper case letters; lower case letters; numbers; special characters such as $, ? and &; and alternative characters such as µ, £ and Æ.