The man responsible for setting the guidelines for complex passwords says he regrets writing the advice, and acknowledged that it “drives people bananas”.
Bill Burr was not a security expert when he wrote the guidelines for password security for the US National Institute of Standards and Technology in 2003.
His guidelines, which suggested that passwords should be changed every three months and should include different characters, are still followed by many services.
They have resulted in password requirements now demanding upper and lower case letters as well as numbers and punctuation marks.
Speaking to the Wall Street Journal the 72-year-old, who is now retired, said he now regrets “much of what I did”.
He added: “It just drives people bananas and they don’t pick good passwords no matter what you do.”
The UK’s National Cyber Security Centre’s password guidance says that forcing users to change their passwords at regular intervals “imposes burdens on the user and carries no real benefits”.
Mr Burr says the guidelines were “probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree”.
He added that regularly changing passwords was mistaken advice, because most people only alter one character of their previous password, which does little to stop hackers.
Short passwords made of random characters are much quicker for computers to crack than longer passwords or passphrases, even when the longer ones are not as randomly composed.
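The entropy arithmetic behind that last point, as an added illustration that is not part of the article or of NIST's guidance; the guess rate, the 95-symbol printable alphabet and the 7776-word list size are assumptions for the comparison:

```python
import math

# Added example: why length beats forced complexity, and why changing one
# character of an old password adds almost nothing. Rates are assumptions.

def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for a secret chosen uniformly at random:
    `length` symbols drawn from an alphabet of `alphabet_size`."""
    return length * math.log2(alphabet_size)

def tweak_bits(password_length: int, alphabet_size: int) -> float:
    """Entropy gained when a known password is 'rotated' by replacing one
    character (the behaviour the article describes): an attacker only has
    to try every position times every replacement symbol."""
    return math.log2(password_length * alphabet_size)

def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try the whole space at an offline guess rate."""
    return 2 ** bits / guesses_per_second / (3600 * 24 * 365)

def compare_policies(guesses_per_second: float = 1e10) -> dict:
    """Compare three cases at an assumed offline guess rate (1e10/s)."""
    printable = 95    # assumed: printable ASCII symbols
    wordlist = 7776   # assumed: Diceware-style list size (6**5 words)
    cases = {
        "8 random printable chars": entropy_bits(printable, 8),
        "5 random dictionary words": entropy_bits(wordlist, 5),
        "old password + 1 char changed (len 10)": tweak_bits(10, printable),
    }
    return {name: (round(bits, 1), years_to_exhaust(bits, guesses_per_second))
            for name, bits in cases.items()}

if __name__ == "__main__":
    for name, (bits, years) in compare_policies().items():
        print(f"{name:40s} {bits:6.1f} bits  ~{years:.3g} years at 1e10 guesses/s")
```

A five-word random passphrase comes out at roughly 65 bits against about 53 for eight fully random printable characters, while the one-character tweak adds under 10 bits; real human-chosen "complex" passwords are far below the random figure.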