Security Researcher Changes Password To Something Worse After Reading NIST Guidelines

A cybersecurity researcher who spent twelve years advocating for complex, frequently rotated passwords has changed his own primary password to something measurably worse after reading the latest NIST Special Publication 800-63B guidelines, which recommend against mandatory periodic password changes. Dr. Conrad Salt, 48, who has published seventeen peer-reviewed papers on password entropy and credential hygiene, interpreted the updated guidance as what he described to colleagues as "permission to give up." Salt's previous password, which he maintained for his personal email, was a 24-character string combining uppercase and lowercase letters, numbers, special characters, and two Unicode symbols that required him to switch keyboard layouts mid-entry. He changed it last Tuesday to "Tr0ub4dor&3," a password that appeared as the explicit example of a bad password in a widely circulated XKCD comic in 2011. "NIST said complexity requirements cause more harm than good because users write passwords down or create predictable patterns," Salt explained. "I took that to heart. I've been living in a prison of my own entropy for over a decade. I had to look up the Unicode code points every time I logged into my email. I once locked myself out for three days because I forgot whether the Cyrillic character came before or after the em dash." Salt's colleagues at the National Cryptographic Research Institute have expressed concern. "He went from one extreme to the other," said fellow researcher Dr. Hannah Block. "Yesterday I saw him type his new password in a coffee shop without covering the screen. He used to carry a Faraday bag for his keyboard." Salt has also disabled two-factor authentication on three non-critical accounts, describing the move as "proportional risk management" and "reclaiming minutes of my life that were being consumed by authenticator apps." His wife has noted that he seems happier. His threat model has not commented.