Business Insider

The guy responsible for making passwords such a pain now says he was wrong

Author of the rules says password changes become more predictable when passwords are updated regularly

By Becky Peterson

If you’ve ever wracked your brain trying to think up a password with the requisite mix of numbers, exclamation marks and other special characters, we’ve got news for you:

You’re doing it wrong. 

Mind you, it’s not your fault. Security best-practice guidelines going back more than a decade have recommended resetting passwords every 90 days and creating cryptic strings of characters, rather than easy-to-remember words, as the ideal password strategy. 

But according to a report in the Wall Street Journal on Monday, the person responsible for this has had a change of mind.  

“Much of what I did I now regret,” Bill Burr, the 72-year-old author of the annoyingly familiar password rules, told The Wall Street Journal.

Burr’s guidelines — first published in 2003 — suggested that to optimise security, passwords must be reset every 90 days, and contain a mix of an uppercase letter, number, and special character. Most passwords, by necessity, look something like this: Password1!. 

Burr told the Journal that most people make the same, predictable changes — such as switching from a 1 to a 2 — which makes it easy for hackers to guess. 

Now the National Institute of Standards and Technology has set new guidelines. Passwords should be long and easy to remember, and only need to be changed when there is a sign of a breach. Long pass phrases work better because they can be very long and still easy to memorise.
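As an added illustration (not part of the article), the two policies side by side in Python: the 2003-style composition rule, a length-first rule with a breached-password blocklist in the spirit of the newer NIST guidance, and a check for the predictable "1 to 2" rotation Burr describes. The common-password set is a constructed stand-in for a real breach list.

```python
import re

# Constructed sample of a breached/common-password list. Assumption: a real
# deployment would consult a full breach corpus instead of this short set.
COMMON_PASSWORDS = {"password", "password1", "password1!", "123456", "qwerty"}


def legacy_policy_ok(pw: str) -> bool:
    """The 2003-style composition rule: 8+ characters with at least one
    uppercase letter, one digit and one special character."""
    return (len(pw) >= 8
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"\d", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def nist_style_ok(pw: str, min_len: int = 8) -> bool:
    """Length-first rule in the spirit of the newer NIST guidance: no
    character-class requirements, but reject short strings and anything on
    a known-breached list (checked case-insensitively)."""
    return len(pw) >= min_len and pw.lower() not in COMMON_PASSWORDS


def _core(pw: str) -> str:
    """Strip digits, punctuation and case so that 'Password1!' and
    'Password2!' collapse to the same core string."""
    return re.sub(r"[\d\W_]", "", pw).lower()


def is_predictable_change(old: str, new: str) -> bool:
    """Flag the 'Password1! -> Password2!' style of rotation the article
    describes: the new password differs only in digits, symbols or case."""
    core_old, core_new = _core(old), _core(new)
    return bool(core_old) and core_old == core_new


def evaluate_change(old: str, new: str) -> list:
    """Return the reasons a password change would be rejected under the
    length-and-blocklist policy; an empty list means it is acceptable."""
    reasons = []
    if not nist_style_ok(new):
        reasons.append("too short or on breached-password list")
    if is_predictable_change(old, new):
        reasons.append("predictable variant of previous password")
    return reasons


if __name__ == "__main__":
    for pw in ("Password1!", "correct horse battery staple"):
        print(f"{pw!r}: legacy={legacy_policy_ok(pw)} nist={nist_style_ok(pw)}")
    print(evaluate_change("Password1!", "Password2!"))
```

Note that "Password1!" satisfies every composition class yet fails the blocklist, while the four-word passphrase fails the composition rule and passes the length-first one.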

While Burr’s candor is refreshing — considering all of the frustrating password reset emails he’s inadvertently responsible for — he’s not the first person to discredit the 2003 guidelines.

Last August, the Federal Trade Commission’s chief technologist, Lorrie Cranor, busted the myth, telling a security conference essentially the same thing: periodic changes make passwords less secure. 

Long live the universal password! 
