IT rules outdated around passwords

All students and faculty at Sam Houston State University can relate to the annoyance of having to recreate a new password every semester for all the various online platforms, such as Blackboard, MySam, and their school email.

Not only are faculty and students required to create an original password every 180 days, but the password must include a capital letter, special character (‘!’, ‘@’, ‘#’, ‘%’, ‘&’, etc.), or number, without being too similar to the previous password.

This set of rules has been the go-to guide for password setting in federal agencies, universities and companies all over the world, thanks to Bill Burr.

In 2003, a midlevel manager at the National Institute of Standards and Technology, Bill Burr, authored the 8-page rule book “NIST Special Publication 800-63. Appendix A”, which illustrates how people should create passwords that successfully protect their online accounts. In this primer, Burr advises to create new passwords frequently, while using awkward words riddled with special characters, capital letters, and numbers. NIST is the federal agency that helps set industrial standards in the U.S.

Making minor changes to previous passwords (i.e. adding an exclamation point to the end of “SH$Ugirl2” and changing it to “SH$Ugirl2!”) is easy to guess and does not protect your information against hackers, according to Burr’s rules.

However, Burr now admits that his advice has proven largely incorrect, and actually makes your accounts more vulnerable to hackers.

“Much of what I did I now regret,” Burr said.

In June, NIST led a 2-year-long rewrite of the Special Publication 800-63, in which the group had to start from scratch.

NIST now advises organizations to drop the password-expiration and special character requirements. Simple and easy-to-remember phrases are now recommended over obscure words made up of special symbols and characters. The primer also advises only updating a password when there is an indication that it may have been stolen.

Computer Security Specialists have confirmed that a series of four words all written together as one word phrases, such as “bearkatgirlorangeblue”, can take up to 500 years to crack since there are several different letters, whereas short phrases following Burr’s rules only take approximately three days to guess.

“What time has shown us is that this publication’s assumption of people choosing the path of least resistance is in fact the case,” information security officer Steven Frey of SHSU IT Security said. “Many passwords that meet these original password crafting rules are actually not strong at all because they are trivial for an algorithm to guess, because people choose simple words and replace certain characters, such as vowels with numbers and end the password with an exclamation mark, such as ‘P4ssW0rd!’. This is mainly because these insecure passwords are actually quite common and password-cracking tools include them in a dictionary to try before attempting to brute force every combination.”

Many cyber-attackers can get user information much simpler by phishing.

“Phishing in its simplest form could be an email from a cyber-attacker on the internet purporting to be IT support and asking you to verify your account by responding with your username and password,” Frey said. “This turns out to be extremely effective.”

Frey advises internet users to:

  • Create strong passwords, and protect them. Passwords should not be easy to guess, and should not include nicknames, social security numbers, birthdays, etc.
  • Passwords should not necessarily be one word, but a phrase made up of a combination of unrelated words.
  • Passwords should not be easily accessible to others (i.e. under a keyboard or left on your desk).
  • Use a password manager such as KeePass or LastPass.
  • Generate different passwords for each online account you use and store them in a password manager.

“Remember, your password is yours only, do not share it with anyone,” Frey said.

For technical assistance you can contact IT@SAM at 936.294.1950, email them at, or get live support at   

There is one comment

Leave a Reply