Believe it or not, based on a study of leaked data, most people still use simple passwords like “123456,” “qwerty,” and even “password.” They do this in spite of the long-standing belief that internet passwords need to be complicated amalgamations of letters, numbers, and special characters.
Turns out that while having “password” as a password is still a dumb idea, that complicated string of characters isn’t all that much smarter. And the guy who came up with that suggestion in the first place is now apologizing for it.
Bill Burr was a manager at the National Institute of Standards and Technology in 2003 when he wrote a guide on how to create passwords that were more secure than the average one. In the years since, whenever a site has required you to add an uppercase letter or a special character (@#!%), that’s based on what Burr had to say.
Over time, however, that strategy has been shown to be fairly ineffective, especially when compared to passwords that are just words strung together. The issue was best explained by the web comic XKCD, which showed how it would take a computer 550 years to guess a password of four words while a random string of characters would be figured out by a computer in around three days.
Now 73 and retired, Burr is coming forward and publicly apologizing for giving people the false hope of a more secure password.
“Much of what I did I now regret,” Burr said to The Wall Street Journal. “In the end, [the list of guidelines] was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree.”
Of course, considering how many people still use “google” as their password, perhaps he doesn’t have to apologize to as many people as he thinks.