It turns out, your online passwords should not actually have at least one capital letter, one number and one symbol - and no, they shouldn't be changed regularly.

Bill Burr, the author of the original eight-page manual from 2003 that went on to become the industry standard for websites, government agencies, universities and other large corporations, has admitted he was wrong.

"Much of what I did I now regret," the retired 72-year-old, who authored "Special Publication 800-63, Appendix A" while working as a mid-level manager at the US government's National Institute of Standards and Technology (NIST), told the Wall Street Journal.

Even the Australian government's myGov website, the centralised platform which links together data from the Australian Taxation Office, Centrelink, Medicare and other services, follows similar requirements.


myGov passwords must contain at least seven characters and at least one letter and one number, although they do not require capital letters or random characters - but they do have a 20-character limit.

Mr Burr said the original document was written without any real-world password data to lean on, and he was under time pressure to get it done. "In the end, it was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree," he said.

Over the past decade, companies including MySpace and LinkedIn have had databases containing millions of passwords hacked, providing security researchers with greater insight into user behaviour.

They found that the benefit of "composition rules" was "not nearly as significant as initially thought", while the "impact on usability and memorability is severe", according to the NIST's completely overhauled Special Publication 800-63, released in June.

LinkedIn asked its users to change their passwords in 2012 due to security breaches. Photo / Getty

Mr Burr said his original rule book "just drives people bananas and they don't pick good passwords no matter what you do".

The document now states that password length, not complexity, is actually the "primary factor in characterising password strength", and composition rules should be ditched as they cause users to "respond in very predictable ways".

"For example, a user that might have chosen 'password' as their password would be relatively likely to choose 'Password1' if required to include an upper case letter and a number, or 'Password1!' if a symbol is also required," the guidelines say.

The problem was highlighted in a popular cartoon by Randall Munroe, creator of the XKCD webcomic, who pointed out that a "passphrase" combining four random common words such as "correct horse battery staple" would take 550 years to crack at 1000 guesses per second, compared with just three days for a traditional password like "Tr0ub4dor&3".


"Through 20 years of effort, we've successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess," Munroe wrote.
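To make the cartoon's arithmetic concrete, the following is an added example (not code from the article, the Wall Street Journal or NIST). It assumes the attacker rate of 1000 guesses per second quoted above, a 2048-word dictionary for the four-word passphrase (the size behind Munroe's figure), and a 365.25-day year; the composition-rule check and the 2048 figure are this example's assumptions.

```python
import math

GUESSES_PER_SECOND = 1000        # attacker rate used in the article's XKCD comparison
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY   # assumed year length


def meets_composition_rules(password: str) -> bool:
    """The 2003-style rule: at least one upper-case letter, one digit and one symbol."""
    has_upper = any(c.isupper() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(not c.isalnum() and not c.isspace() for c in password)
    return has_upper and has_digit and has_symbol


def passphrase_bits(word_count: int, dictionary_size: int) -> float:
    """Entropy of a passphrase of word_count words, each drawn uniformly at
    random from a dictionary of dictionary_size words (repeats allowed)."""
    return word_count * math.log2(dictionary_size)


def years_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Years for an attacker at `rate` guesses/second to try every candidate."""
    return 2.0 ** bits / rate / SECONDS_PER_YEAR


def bits_from_crack_time(seconds: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Inverse view: how many bits of guess space a quoted crack time implies."""
    return math.log2(seconds * rate)


def compare() -> dict:
    """Put the article's two examples side by side (2048-word dictionary assumed)."""
    passphrase = "correct horse battery staple"
    mangled = "Tr0ub4dor&3"
    return {
        # the composition rules accept the weaker password and reject the stronger one
        "passphrase_passes_rules": meets_composition_rules(passphrase),
        "mangled_passes_rules": meets_composition_rules(mangled),
        # four words from 2048 = 44 bits -> roughly 557 years at 1000 guesses/s
        "passphrase_years": years_to_exhaust(passphrase_bits(4, 2048)),
        # the quoted three days at 1000 guesses/s implies only about 28 bits
        "mangled_bits": bits_from_crack_time(3 * SECONDS_PER_DAY),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value:.1f}" if isinstance(value, float) else f"{key}: {value}")
```

The two numbers reproduce the cartoon's 550-year and three-day figures from the same 1000-guesses-per-second rate, while the rule check shows that the 2003-style policy would have rejected the passphrase and accepted the mangled word.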

The NIST's new standards, which are starting to be adopted by industry, recommend that users should be allowed "at least 64 characters" to support passphrases using any characters they like, including spaces.

"Do not impose other composition rules (mixtures of different character types)," it says.

They also ditch the requirement for passwords to be changed "arbitrarily" at set intervals, because users are likely to change their password in obvious ways - from "Pa55word!1" to "Pa55word!2", for example.

Passwords should only be changed if there's a suspicion they have been stolen.

According to Microsoft researcher Cormac Herley, people spend the equivalent of 1300 years every day typing passwords.

"It's not really random if you and 10,000 other people are doing it," he told the paper.