Skip to Main Content

Password Expert Regrets Past Advice

Changing passwords to often leads to only small alterations of that password.

Changing passwords to often leads to only small alterations of that password.

The author of an influential guide to computer passwords says he now regrets several of the tips he gave.

Bill Burr had advised users to change their password every 90 days and to muddle up words by adding capital letters, numbers and symbols - so, for example, "protected" might become "pr0t3cT3d4!".

The problem, he believes, is that the theory came unstuck in practice. Mr Burr now acknowledges that his 2003 manual was "barking up the wrong tree".

Current guidelines no longer suggest passwords should be frequently changed, because people tend to respond by making only small alterations to their existing passwords - for example, changing "monkey1" into "monkey2"- which are relatively easy to deduce.

Furthermore, it has been demonstrated that it takes longer for computers to crack a random mix of words - such as "pig coffee wandered black" - than it does for them to guess a word with easy-to-remember substitutions - such as "br0k3n!".

Mr Burr's original advice was distributed by the US government's National Institute of Standards and Technology (Nist) . It has since been amended several times, with the most recent edition being released in June.

"The more often you ask someone to change their password, the weaker the passwords they typically choose. Said Prof Alan Woodward.

"And, as we have all now so many online accounts, the situation is compounded so it encourages behaviours such as password reuse across systems."

Britain's National Cyber Security Centre issued its own guidance on the matter in 2015. It recommended that organisations abandoned a policy of pushing their users into regular password resets, and that they should support the use of password managers - programs that securely store hundreds of different logins, avoiding the need to memorise each one.

So whats our advice?

Check out our video below on Passwords:



  • Use three random words as the base of your passwords.
  • You can then change some letters with numb3r5, CAPITALS and punctuat!on to make them even harder for cyber criminals to crack.
  • The longer a password is, the harder it is to crack generally speaking. Try to aim for a minimum of 12 characters.


  • Don’t use personal references e.g. family names, pet names and date of births. All of this information is easily traceable about you on social media.
  • Don’t use a single dictionary word.
  • Avoid using the same password for all accounts. By having unique passwords, if one account does get breached for any reason, all your other accounts should be safe.

Have a look at the rest of our advice on passwords here: Password Advice