Now Burr has told the Wall Street Journal he regrets much of his advice.
Mr Burr is the author of "NIST Special Publication 800-63", whose recommendations include changing your password every 90 days and using obscure mixes of numbers, special characters, capital letters, and so on.
But security experts now recommend that users do not change their passwords frequently, because remembering the new ones becomes too hard.
Changing a password frequently does not help because most people make only minor tweaks, such as replacing the number 1 with the number 2.
Now the National Institute of Standards and Technology has set more modern guidelines, which say passwords should be long and easy to remember, and should be changed only if you think they have been compromised.
Burr told The Wall Street Journal that his advice led people astray: the rules were probably too challenging for many to understand, and they caused people to use passwords that were not too hard to crack. "Because when people are forced to change passwords they don't really know what the new password should be." Hackers sometimes use powerful computers to target systems and steal massive password files. In what could be a prime case of "too little, too late", Burr now says that he is sorry for putting us all through password hell. On top of the complexity he suggested, he also advised users to change passwords every 90 days. The new guidelines also recommended a ban on password strength meters, mandatory resets, and predictable combinations. They do so in spite of the long-standing belief that internet passwords need to be complicated amalgamations of letters, numbers, and special characters. This is especially critical given that almost 20% of passwords used by business professionals for corporate accounts are "easily compromised", according to a report from security firm Preempt.
Rather than a password, you're better off dreaming up a passphrase: even "PasswordIsATerriblePassword" is still a stronger password than "p@ssw0rd1". Hackers are quite adept at latching on to such character substitutions, which makes passwords like "p@ssw0rd1" easier to crack.
In order to authenticate yourself to systems, you are required to enter a password. Add to that the carelessness of some people, as made evident by the awful passwords that top "most common passwords" lists every year, with gems like "123456" and "password".
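As an added illustration of the guidance described above (this is example code written for this page, not code from NIST, Mr Burr or the article), the checker below does what the newer advice asks of a verifier: it enforces a minimum length instead of composition rules, never demands a periodic reset, and screens each candidate against a blocklist of common passwords after undoing the predictable character substitutions the article mentions, so that "p@ssw0rd1" is treated as the "password" it really is while a long passphrase is accepted. The blocklist and the substitution table are constructed for illustration; a real deployment would use a large list of breached passwords.

```python
"""Password acceptance check in the spirit of the newer NIST SP 800-63 guidance.

Example code added to illustrate the article; not NIST's or the author's code.
Length is checked instead of character-class rules, and candidates are compared
against a blocklist after normalising away the substitutions attackers already
expect ("@" for "a", "0" for "o", a trailing "1" or "2", and so on).
"""

from __future__ import annotations

import unicodedata

MIN_LENGTH = 8    # minimum length for a user-chosen memorized secret
MAX_LENGTH = 64   # verifiers should accept at least this many characters

# Constructed blocklist: the article's examples plus a few obvious relatives.
# A production blocklist would hold millions of breached passwords.
COMMON_PASSWORDS = {
    "password", "password1", "123456", "12345678", "qwerty", "letmein",
}

# Predictable "leet" substitutions, mapped back to the letter they stand for.
SUBSTITUTIONS = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t",
})


def normalize(password: str) -> str:
    """Reduce a password to a canonical form for blocklist comparison.

    Steps: Unicode NFKC normalisation, case folding, removal of a trailing run
    of digits/punctuation (the "password1" -> "password2" tweak), and reversal
    of common character substitutions. "P@ssw0rd2" and "Password1" both
    collapse to "password", so either matches the blocklist entry.
    """
    pw = unicodedata.normalize("NFKC", password).casefold()
    stripped = pw.rstrip("0123456789!?.#")
    if stripped:                      # keep all-digit passwords comparable
        pw = stripped
    return pw.translate(SUBSTITUTIONS)


# Normalise the blocklist once so lookups are a single set membership test.
BLOCKLIST = {normalize(p) for p in COMMON_PASSWORDS}


def check_password(password: str) -> tuple[bool, str]:
    """Return (accepted, reason). No composition rules, no expiry."""
    pw = unicodedata.normalize("NFKC", password)
    if len(pw) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if len(pw) > MAX_LENGTH:
        return False, f"longer than {MAX_LENGTH} characters"
    if normalize(pw) in BLOCKLIST:
        return False, "matches a common password once predictable substitutions are undone"
    return True, "accepted"


if __name__ == "__main__":
    for candidate in ("PasswordIsATerriblePassword", "p@ssw0rd1", "123456",
                      "correct horse battery staple", "Password2"):
        ok, why = check_password(candidate)
        print(f"{candidate!r:35} -> {'OK ' if ok else 'NO '} {why}")
```

Note that the normalisation is applied to both the blocklist and the candidate, so the comparison is consistent even when a substitution maps a digit onto a letter. The check is deliberately lenient about character classes and spaces: the passphrase "correct horse battery staple" passes on length alone, which is exactly the trade the revised guidance makes.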