Burr's original guidelines were published almost 15 years ago, when he worked at the National Institute of Standards and Technology.
In an interview with The Wall Street Journal, Burr said a document he created in 2003 on how to create safe and secure passwords was misinterpreted and it's led to a lot of confusion. The increasingly complicated requirements are enough to make you pull your hair out, and just when you think you've nailed a decent login, you'll probably be forced to change it in a month anyway.
Instead, he recommends using a password management software such as Password Safe (pwsafe.org), which will both generate and store very secure passwords for you. Most passwords, by necessity, look something like this: Password1!.
Then there are the messages that follow after we inevitably make an entry the checker does not like: "Your password must be at least eight characters in length and contain at least one of each of the following: capital letter, lower case letter, number, and special character".
In 2003, Bill Burr, a manager at the U.S. National Institute of Standards and Technology, wrote an 8-page paper titled "NIST Special Publication 800-63". According to how Burr recounts it in the article, at the time there wasn't much, if anything, for him to go on.
NIST finalized a rewrite of the password management guidelines in June, reversing numerous recommendations contained in the document he wrote.
As the revised document notes, analyses of exposed passwords, which now number several hundred million in the haveibeenpwned database, show rules around complexity and changing passwords don't produce the benefits they were thought to, yet make using systems awful.
"But there is still traditional advice in other areas of computer security being perpetuated despite us knowing it won't work".
For 20 years, the standard advice for creating a "strong" password that is hard to crack has been to use a mix of letters, numbers and symbols.
A widely shared comic strip (above) by Randall Munroe demonstrates the fallacy of Burr's guidelines. It was the dawn of the true digital era, and we didn't know at the time the dangers we would face online in the coming years.
Such methods are actually vulnerable, especially to brute-force attacks, which cycle through every conceivable password to get into IT systems.
What's more, the new advice says people shouldn't change their passwords unless informed of a specific threat of a hack.
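As an added illustration of the contrast the article draws (this is example code written for this page, not anything from NIST or from Burr's document), the first function below implements the 2003-style composition rule quoted above, and the second implements the revised approach of a minimum length plus screening against a list of known-exposed passwords. The blocklist is a small constructed stand-in for a breach corpus such as the haveibeenpwned set, and the keyspace estimate is the naive count an attacker cycling through every combination of the visible character classes would face; both are assumptions made for the example.

```python
import math
import string

# Constructed stand-in for a list of commonly exposed passwords (a real
# deployment would check against a large breach corpus, not this set).
COMMON_PASSWORDS = {
    "password", "password1", "password1!", "qwerty123", "letmein", "123456",
}


def passes_legacy_rules(pw: str) -> bool:
    """The 2003-style composition rule: >= 8 chars and one of each class."""
    return (
        len(pw) >= 8
        and any(c.isupper() for c in pw)
        and any(c.islower() for c in pw)
        and any(c.isdigit() for c in pw)
        and any(c in string.punctuation for c in pw)
    )


def passes_revised_rules(pw: str, min_length: int = 8, blocklist=COMMON_PASSWORDS) -> bool:
    """Length floor plus a blocklist of exposed passwords; no class rules,
    no scheduled rotation. The comparison is case-insensitive so that
    capitalised variants of a leaked password are still caught."""
    if len(pw) < min_length:
        return False
    if pw.lower() in blocklist:
        return False
    return True


def naive_keyspace_bits(pw: str) -> float:
    """Bits of search space a brute-force attacker would face if it only
    knew the length and which character classes are present. This is the
    optimistic number composition rules are meant to raise; it says
    nothing about whether the password is already in a breach list."""
    charset = 0
    other = set()
    if any(c.isupper() for c in pw):
        charset += 26
    if any(c.islower() for c in pw):
        charset += 26
    if any(c.isdigit() for c in pw):
        charset += 10
    if any(c in string.punctuation for c in pw):
        charset += len(string.punctuation)
    for c in pw:
        if not (c.isalnum() or c in string.punctuation):
            other.add(c)  # e.g. a space in a passphrase counts as its own symbol
    charset += len(other)
    return len(pw) * math.log2(charset) if charset else 0.0


def evaluate(pw: str) -> dict:
    """Run both checkers and the keyspace estimate on one candidate."""
    return {
        "legacy_accepts": passes_legacy_rules(pw),
        "revised_accepts": passes_revised_rules(pw),
        "naive_bits": naive_keyspace_bits(pw),
    }


if __name__ == "__main__":
    for candidate in ("Password1!", "correct horse battery staple"):
        print(candidate, evaluate(candidate))
```

Run stand-alone, it shows the point of the article: "Password1!" satisfies every composition rule and even scores a respectable naive keyspace, yet it is rejected by the revised check because it is a known-exposed password, while a long lower-case passphrase fails the legacy rule despite a far larger search space.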