Man responsible for strong password requirements regrets his 2003 guidelines

The man responsible for your requirement to use a combination of lower-case letters, upper-case letters, numbers, and symbols in passwords at least eight characters long is now regretting his advice. Former National Institute of Standards and Technology manager Bill Burr recently admitted in an interview with The Wall Street Journal that his 2003 document about crafting strong passwords and changing them every 90 days was somewhat off the mark.

At the time, he said that users will choose an easily remembered, easily guessed password, and likely one stemming from a batch of “a few thousand commonly chosen passwords.” In turn, hackers trying to gain access to user accounts, computers, and so on would try the most likely chosen passwords first. But even though services would reject specific passwords given their common use, Burr suggested a more secure alternative.

On page 52 of the 2003 document, he clearly states that systems should rely on a password of eight characters or more that are selected from an alphabet of 94 printable characters. This password should also include at least one upper case letter, one lower case letter, one number, and one special character. Systems should even rely on a dictionary that prevents users from including familiar words and using their login name as the password too.

The problem with this method is that users tend to have patterns when creating a password. For instance, they may take a familiar word, such as “password,” and alter it slightly to meet the requirements. The result could be something like P@zzwurd2017, which isn’t all that original, and something we conjured up in a matter of seconds.

Right now, systems give users a thumbs-up when they follow the current standard and even provide a visual measurement tool indicating the password’s strength against hacking. But users are then asked or forced to change their password every 90 days, so they may keep the same base word and merely alter the character usage to please the update process (such as P@ssw0rd2K17).
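The pattern described above can be checked mechanically. The following added example (not from the article or from NIST) tests passwords against the composition rule as the article describes it, then reduces them to their base word; the blocklist, substitution table, and similarity cutoff are constructed assumptions.

```python
import difflib
import re
import string

# The 94 printable ASCII characters: letters, digits, punctuation (no space).
ALPHABET_94 = set(string.ascii_letters + string.digits + string.punctuation)

# Constructed sample blocklist; a real system would load a large common-password list.
COMMON_BASES = ["letmein", "password", "qwerty", "welcome"]

# Assumed look-alike substitutions users apply to satisfy composition rules.
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "l", "!": "i",
                      "3": "e", "$": "s", "5": "s", "7": "t", "z": "s"})


def meets_2003_rules(pw):
    """Composition rule as described: 8+ chars from the 94-character
    alphabet with an upper-case, lower-case, digit and special character."""
    return (len(pw) >= 8
            and all(c in ALPHABET_94 for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def common_base(pw, cutoff=0.85):
    """Return the blocklisted word a password is derived from, or None.

    Strips a trailing year-like tag (2017, 2K17), undoes look-alike
    substitutions, then fuzzy-matches so small respellings still hit.
    """
    core = re.sub(r"\d+[kK]?\d*$", "", pw).lower().translate(LEET)
    hits = difflib.get_close_matches(core, COMMON_BASES, n=1, cutoff=cutoff)
    return hits[0] if hits else None


if __name__ == "__main__":
    for sample in ("P@zzwurd2017", "P@ssw0rd2K17", "correcthorsebatterystaple"):
        print(sample, meets_2003_rules(sample), common_base(sample))
```

Both of the article's sample passwords pass the composition rule yet resolve to the same blocklisted base word, while a long nonsense phrase fails the rule without matching any common base.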

When the guidelines were created in 2003, they were not based on collected data. System administrators would not cough up any passwords for examination, so Burr turned to a whitepaper published in the 1980s, long before the general American population purchased a modem and jumped onto the world wide web using Netscape or America Online.

Fast forward to 2017, and the National Institute of Standards and Technology provides new guidelines for systems to follow. Authored by technical adviser Paul Grassi, the new document tosses out much of what Burr established years ago. But Grassi admits that Burr’s system lasted for 14 years, and hopes that his revised password ruleset lasts just as long. He suggests that systems remove the 90-day password refresh and the requirement for special characters.

Ultimately, the best practice for everyone is to throw out familiar, easily linked ideas, such as the name of your favorite movie or pet. Instead, create a phrase of words that doesn’t make much sense, and does not include spaces. Password managers like LastPass are helpful too when you are required to remember a multitude of unique passwords across dozens of services.

Kevin Parrish
Former Digital Trends Contributor