Turns Out Replacing Letters With Numbers And #*&@$ Doesn’t Make Passwords Secure

[Shutterstock - iunewind]

Daily Caller News Foundation logo
Thomas Phippen Associate Editor
Font Size:

Much of the password wisdom of the past few decades doesn’t actually make passwords more secure, according to computer scientists and the man who first developed the guidelines.

Password guidance that the National Institute of Standards and Technology (NIST) released Tuesday scraps several familiar password policies, like the special character requirement and the password expiration advice.

“We ended up starting from scratch” on the new guidelines, Paul Grassi, lead author of the new guidance, told The Wall Street Journal.

The old guidelines, including the character limit, have “actually had a negative impact on usability,” Grassi said.

The past 15 years of conventional password wisdom, pushed by NIST, recommend that websites require users to create passwords including at least one numeral and a special character.

After many high-profile hacks in the government and private sector, however, clearly our password game is weak. The guidelines tech companies have used for security come from a 2003 paper written by Bill Burr, a former manager at NIST.

Burr’s paper suggested that, unless passwords were randomly generated numbers and characters, replacing letters with special characters and numbers would add a degree of randomness. The guidance said that passwords could be common or invented words, filled with odd characters and numbers, and changed frequently.

The problem is that users typically replace letters with numerals or characters that make sense — like replacing an E with a 3 — and computer programs have gotten really good at guessing the accurate password.

“It’s not really random if you and 10,000 other people are doing it,” Cormac Mr. Herley, a principal researcher at Microsoft, told the WSJ.

Burr’s guidelines held for some time as the go-to source for password best-practices, but following those guides doesn’t ensure account security, and passwords are difficult to remember.

“It just drives people bananas and they don’t pick good passwords no matter what you do,” Burr said.

When Burr wrote the password guidelines, he had hoped to rely on large amounts of real-world password data. He asked NIST to allow him to look at the actual passwords on its network, but the administrators refused for privacy reasons. “They were appalled I even asked,” Burr said.

Without access to password data, Burr relied on a 1980s white paper to write the password guidelines. “In the end, [the password guidance] was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree,” Burr said.

A series of normal words in an uncommon order is far more difficult for computers to guess, and is more memorable.

Internet cartoonist Randall Munroe illustrated this issue in a 2016 webcomic. Munroe calculated that a typical password under the old guidance, like “Tr0ub4dor&3,” would take a computer three days to guess. Four words in a strange order, like “correct horse battery staple,” written as one word, would take 550 years to guess, plus be easier to remember than were you to put a zero in the word.

NIST now recommends in new password guidance that users have the ability to type 64 character passwords, with a minimum of eight characters.

Follow Thomas Phippen on Twitter

Send tips to

Content created by The Daily Caller News Foundation is available without charge to any eligible news publisher that can provide a large audience. For licensing opportunities of our original content, please contact