Why NIST’s Bill Burr shouldn’t regret his 2003 password advice